Storage Accounts that include activity logs should be encrypted with Customer Managed Keys
Description
Storage Accounts are encrypted at rest by default with Microsoft-managed keys, but activity logs are sensitive data that warrant additional control. With a customer-managed key (CMK) held in Azure Key Vault, you decide when to rotate the key according to your compliance and security requirements, and disabling or revoking the key makes the data in the account unreadable, which gives you a means to cut off Azure's access to the logs on your own terms.
Remediation Steps
Azure Portal
Navigate to Storage Accounts.
For each storage account in scope, open Encryption (under Security + networking).
Set Encryption type to Customer-managed keys.
Choose Select from key vault or Enter key URI to point the account at your own key.
Click Save.
Azure CLI
To encrypt a storage account with a customer-managed key (the key vault must have soft delete and purge protection enabled, and the storage account's managed identity needs get, wrapKey and unwrapKey permissions on the key):
az storage account update --name <storage account name> --resource-group <resource group name> --encryption-key-source=Microsoft.Keyvault --encryption-key-vault <Key Vault URI> --encryption-key-name <KeyName> --encryption-key-version <Key Version>
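The procedure above fixes one account at a time; to find which accounts actually need it, you have to correlate the subscription's activity-log diagnostic settings with each storage account's encryption settings. The following Python is an added example, not code from this page or from the project behind it. It works offline on constructed JSON whose shape follows `az storage account list -o json` (the `encryption.keySource` and `encryption.keyVaultProperties` fields) and `az monitor diagnostic-settings subscription list` (the `storageAccountId` field); the account names, resource IDs, vault URI and key names are made up, and the emitted remediation command is the same `az storage account update` invocation given above.

```python
import json

# Constructed sample, shaped like trimmed `az storage account list -o json` output.
SAMPLE_STORAGE_ACCOUNTS_JSON = """
[
  {"name": "auditlogsstg",
   "id": "/subscriptions/0000/resourceGroups/logs-rg/providers/Microsoft.Storage/storageAccounts/auditlogsstg",
   "resourceGroup": "logs-rg",
   "encryption": {"keySource": "Microsoft.Storage", "keyVaultProperties": null}},
  {"name": "cmkstg",
   "id": "/subscriptions/0000/resourceGroups/logs-rg/providers/Microsoft.Storage/storageAccounts/cmkstg",
   "resourceGroup": "logs-rg",
   "encryption": {"keySource": "Microsoft.Keyvault",
                  "keyVaultProperties": {"keyVaultUri": "https://logs-kv.vault.azure.net/",
                                         "keyName": "stg-cmk", "keyVersion": "a1b2c3d4"}}},
  {"name": "scratchstg",
   "id": "/subscriptions/0000/resourceGroups/dev-rg/providers/Microsoft.Storage/storageAccounts/scratchstg",
   "resourceGroup": "dev-rg",
   "encryption": {"keySource": "Microsoft.Storage", "keyVaultProperties": null}}
]
"""

# Constructed sample, shaped like `az monitor diagnostic-settings subscription list` output.
# The resource-group segment is deliberately upper-cased: ARM resource IDs are case-insensitive.
SAMPLE_DIAG_SETTINGS_JSON = """
[
  {"name": "export-activity-log",
   "storageAccountId": "/subscriptions/0000/resourceGroups/LOGS-RG/providers/Microsoft.Storage/storageAccounts/auditlogsstg"},
  {"name": "export-activity-log-cmk",
   "storageAccountId": "/subscriptions/0000/resourceGroups/logs-rg/providers/Microsoft.Storage/storageAccounts/cmkstg"}
]
"""


def activity_log_targets(diag_settings):
    """Resource IDs of storage accounts that receive the subscription activity log."""
    return {s["storageAccountId"].lower() for s in diag_settings if s.get("storageAccountId")}


def uses_customer_managed_key(account):
    """True only if the account is keyed from Key Vault AND a concrete key is configured."""
    enc = account.get("encryption") or {}
    if enc.get("keySource") != "Microsoft.Keyvault":
        return False
    kv = enc.get("keyVaultProperties") or {}
    return bool(kv.get("keyVaultUri") and kv.get("keyName"))


def remediation_command(account, key_vault_uri, key_name, key_version):
    """Build the az CLI command from the remediation steps for a failing account."""
    return ("az storage account update "
            f"--name {account['name']} --resource-group {account['resourceGroup']} "
            "--encryption-key-source=Microsoft.Keyvault "
            f"--encryption-key-vault {key_vault_uri} "
            f"--encryption-key-name {key_name} --encryption-key-version {key_version}")


def audit(accounts, diag_settings):
    """Map each activity-log destination account to PASS/FAIL; other accounts are out of scope."""
    targets = activity_log_targets(diag_settings)
    results = {}
    for acct in accounts:
        if acct["id"].lower() not in targets:
            continue  # not an activity-log destination, so this check does not apply
        results[acct["name"]] = "PASS" if uses_customer_managed_key(acct) else "FAIL"
    return results


def run_sample():
    accounts = json.loads(SAMPLE_STORAGE_ACCOUNTS_JSON)
    diag = json.loads(SAMPLE_DIAG_SETTINGS_JSON)
    return audit(accounts, diag)


if __name__ == "__main__":
    accounts = json.loads(SAMPLE_STORAGE_ACCOUNTS_JSON)
    for name, status in run_sample().items():
        print(f"{status}: {name}")
        if status == "FAIL":
            acct = next(a for a in accounts if a["name"] == name)
            # Hypothetical vault/key values; substitute your own before running the command.
            print("  ", remediation_command(acct, "https://logs-kv.vault.azure.net/", "stg-cmk", "a1b2c3d4"))
```

Two details matter in practice: resource IDs returned by different Azure APIs differ in letter case, so compare them case-insensitively, and an account whose `keySource` says `Microsoft.Keyvault` but carries no key properties should still be reported as failing rather than trusted on the key source alone.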