Skip to main content

Remediation

From Azure Portal

Go to Monitor.
Select Activity log.
Select Export Activity Logs.
Select a Subscription.
Note the name of the Storage Account for the diagnostic setting.
Navigate to Storage accounts.
Click on the storage account.
Under Security + networking, click Encryption.
Next to Encryption type, select Customer-managed keys.
Complete the steps to configure a customer-managed key for encryption of the storage account.

From Azure CLI

az storage account update \
    --name {{storage-account-name}} \
    --resource-group {{resource-group-name}} \
    --encryption-key-source=Microsoft.Keyvault \
    --encryption-key-vault {{key-vault-uri}} \
    --encryption-key-name {{key-name}} \
    --encryption-key-version {{key-version}}

From PowerShell

Set-AzStorageAccount `
    -ResourceGroupName {{resource-group-name}} `
    -Name {{storage-account-name}} `
    -KeyvaultEncryption `
    -KeyVaultUri {{key-vault-uri}} `
    -KeyName {{key-name}}

From Azure Portal
From Azure CLI
From PowerShell