|   Trend Micro Cloud One™
Open menu

Use BYOK for Activity Log Storage Container Encryption

Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!

Start a Free Trial Product features
Last updated: 04 February 2020
Risk level: Medium (should be achieved)

Ensure that your Microsoft Azure activity log storage container is encrypted with BYOK (Bring Your Own Key) in order to protect your activity log data at rest with a key from your own Azure key vault. By default, activity log data is encrypted using Microsoft managed keys. Cloud Conformity strongly recommends that you bring your own key for encrypting all activity log data stored on Azure storage blob containers.

Security

Bring Your Own Key (BYOK) support for the activity log storage container encryption allows user control of the encryption keys and restricts who can access these keys and when. This provides additional confidentiality controls on your activity log data as the user that requires access to this data must have 1) read permission on the corresponding storage account and 2) must be granted decrypt permission by the customer-managed key (BYOK). With BYOK, the container encryption key is protected by an asymmetric key stored in the Azure Key Vault - a cloud-based external key management system developed by Microsoft Azure. The asymmetric key is set at the storage account level and inherited by all containers created on that storage account.

Audit

To determine if BYOK is used for your Azure activity log storage container encryption, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Monitor blade at https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview.

03 In the navigation panel, select Activity log to access the activity log available in your Azure cloud account.

04 From the Subscription filter box, select the Azure account subscription that you want to examine.

05 On the Activity log page, click Export to Event Hub to access your Azure Log profile configuration settings.

06 On the Export activity log panel, click on the Storage account tab and copy the identifier of the storage container that contains the Azure cloud activity logs, available in the Storage account box.

07 Navigate to Azure Storage accounts blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Storage%2FStorageAccounts and paste the storage account ID copied at step no. 6 into the Filter by name box.

08 Click on the name of the Azure storage account returned by the portal filtering process.

09 In the navigation panel, under Settings, click Encryption to access the encryption configuration page for the selected storage account.

10 On the Encryption page, verify the Use your own key setting configuration. If Use your own key setting checkbox is not checked, the Microsoft Azure storage container that holds your activity log files is encrypted using a service-managed key (default key) instead of a customer-managed key (also known as Bring Your Own Key - BYOK).

11 Repeat steps no. 4 – 10 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run monitor log-profiles list command (Windows/macOS/Linux) using custom query filters to get the ID of the Azure storage account configured to store activity logs within the current Azure subscription:

az monitor log-profiles list
   --query '[*].storageAccountId'

02 The command output should return the ID of the associated Azure storage account:

[
  "abcd1234abcd1234abcd1234"
]

03 Run storage account show command (Windows/macOS/Linux) using the ID of the storage account returned at the previous step as identifier parameter and custom query filters to expose the type of the encryption key used by Azure Transparent Data Encryption (TDE) for the selected storage account:

az storage account show
	--name abcd1234abcd1234abcd1234
	--query 'encryption.keySource'

04 The command output should return the type of the encryption key used for the selected Azure storage account ("Microsoft.Storage" for a service-managed key or "Microsoft.Keyvault" for a customer-managed key – BYOK):

"Microsoft.Storage"

If the storage account show command output returns "Microsoft.Storage", as shown in the example above, the Microsoft Azure storage container that contains your activity log files is encrypted using a service-managed key instead of a customer-managed key (i.e. Bring Your Own Key – BYOK).

05 Repeat steps no. 1 – 4 for each subscription available in your Microsoft Azure cloud account.

Remediation / Resolution

To configure Microsoft Azure Transparent Data Encryption (TDE) feature to encrypt your exported Azure activity log data using your own customer-managed key (BYOK), perform the following actions:

Note: After enabling encryption at rest with BYOK, only new log data will be encrypted. Any existing files in the selected storage account will retroactively get encrypted by a background encryption process.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Storage accounts blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Storage%2FStorageAccounts.

03 Click on the name of the storage account associated with your Azure Log Profile (see Audit section part I to identify the right account).

04 In the navigation panel, under Settings, click Encryption to access the encryption configuration page for the selected storage account.

05 On the Encryption page, perform the following actions:

  1. Select Use your own key checkbox to initiate the customer-managed key configuration process.
  2. Under Encryption key, choose Enter key URI and just provide the customer-managed key URI in the Key URI box or choose Select from Key Vault option to select the encryption key from an Azure Key Vault and continue with the configuration process with the next steps.
  3. Click on the Key Vault link and select the encryption key vault that holds the customer-managed key.
  4. Click on the Encryption key link and select an existing customer-managed key (BYOK) that you want to use as TDE protector for the selected Azure storage account. If you need to create a new encryption key, click on the Create a new key button and use the default configuration settings provided by Microsoft Azure to create a new customer-managed key.
  5. Click Save to apply the new encryption configuration changes.

06 Repeat steps no. 3 – 5 for each subscription created in your Microsoft Azure cloud account.

07 Repeat steps no. 3 – 6 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run keyvault create command (Windows/macOS/Linux) to create the necessary Microsoft Azure Key Vault that will store the new customer-managed encryption key (BYOK):

az keyvault create
	--name cc-byok-key-vault
	--resource-group cloud-shell-storage-westeurope
	--location westeurope
	--enable-soft-delete true
	--enable-purge-protection true

02 The command output should return the configuration metadata for the newly created Azure Key Vault:

{
  "id": "/subscriptions/abcdabcd-abcd-abcd-abcd-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-byok-key-vault",
  "location": "westeurope",
  "name": "cc-byok-key-vault",
  "properties": {
    "createMode": null,
    "enablePurgeProtection": true,
    "enableSoftDelete": true,
    "enabledForDeployment": false,
    "enabledForDiskEncryption": null,
 
    ...
 
    "enabledForTemplateDeployment": null,
    "networkAcls": null,
    "provisioningState": "Succeeded",
    "sku": {
      "name": "standard"
    },
    "vaultUri": "https://cc-byok-key-vault.vault.azure.net/"
  },
  "resourceGroup": "cloud-shell-storage-westeurope",
  "tags": {},
  "type": "Microsoft.KeyVault/vaults"
}

03 Run keyvault key create command (Windows/macOS/Linux) to create a new customer-managed encryption key (also known as Bring Your Own Key – BYOK) within the Azure Key Vault created at the previous step:

az keyvault key create
	--name cc-byok-key
	--vault-name cc-byok-key-vault
	--kty RSA
	--ops encrypt decrypt wrapKey unwrapKey sign verify
	--size 2048

04 The command output should return the metadata for the new customer-managed key:

{
  "attributes": {
    "created": "2019-08-11T16:58:06+00:00",
    "enabled": true,
    "expires": null,
    "notBefore": null,
    "recoveryLevel": "Recoverable",
    "updated": "2019-08-11T16:58:06+00:00"
  },
  "key": {
    "crv": null,
    "d": null,
 
    ...
 
    "dp": null,
    "dq": null,
    "e": "AQAB",
    "k": null,
    "p": null,
    "q": null,
    "qi": null,
    "t": null,
    "x": null,
    "y": null
  },
  "managed": null,
  "tags": null
}

05 Run keyvault set-policy command (Windows/macOS/Linux) to update the security policy of the Azure Key Vault created earlier in the process with the appropriate permissions:

az keyvault set-policy
	--name cc-byok-key-vault
	--object-id 1234abcd-1234-abcd-1234-abcd1234abcd
	--key-permissions get wrapkey unwrapkey

06 The command output should return the metadata for the updated Microsoft Azure Key Vault:

{
  "id": "/subscriptions/abcdabcd-abcd-abcd-abcd-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-byok-key-vault",
  "location": "westeurope",
  "name": "cc-byok-key-vault",
  "properties": {
      {
        "applicationId": null,
        "permissions": {
          "certificates": null,
          "keys": [
            "get",
            "wrapKey",
            "unwrapKey"
          ],
          "secrets": null,
          "storage": null
        },
      }
    ],
 
    ...
 
    "createMode": null,
    "enablePurgeProtection": true,
    "enableSoftDelete": true,
    "enabledForDeployment": false,
    "enabledForDiskEncryption": null,
    "enabledForTemplateDeployment": null,
    "networkAcls": null,
    "provisioningState": "Succeeded",
    "sku": {
      "name": "standard"
    },
    "vaultUri": "https://cc-byok-key-vault.vault.azure.net/"
  },
  "resourceGroup": "cloud-shell-storage-westeurope",
  "tags": {},
  "type": "Microsoft.KeyVault/vaults"
}

07 Run storage account update command (Windows/macOS/Linux) using the ID of the Azure storage account that you want to reconfigure as identifier parameter (see Audit section part II to identify the right resource) to configure Transparent Data Encryption (TDE) feature to use the customer-managed key (Bring Your Own Key - BYOK) created at the previous steps for the selected storage account and all the blob containers available inside the account:

az storage account update
	--name abcd1234abcd1234abcd1234
	--resource-group cloud-shell-storage-westeurope
	--encryption-key-source=Microsoft.Keyvault
	--encryption-key-vault https://cc-byok-key-vault.vault.azure.net/
	--encryption-key-name cc-byok-key
	--encryption-key-version abcdabcd12341234abcdabcd12341234
	--encryption-services blob

08 The command output should return the TDE’s configuration metadata for the selected storage account:

{
  "accessTier": null,
  "azureFilesIdentityBasedAuthentication": null,
  "creationTime": "2019-07-25T08:47:35.787368+00:00",
  "customDomain": null,
  "enableHttpsTrafficOnly": false,
  "encryption": {
    "keySource": "Microsoft.Keyvault",
    "keyVaultProperties": {
      "keyName": "cc-byok-key",
      "keyVaultUri": "https://cc-byok-key-vault.vault.azure.net/",
      "keyVersion": "abcdabcd12341234abcdabcd12341234"
    },
    "services": {
      "blob": {
        "enabled": true,
        "lastEnabledTime": "2019-07-25T08:47:35.927993+00:00"
      },
      "file": {
        "enabled": true,
        "lastEnabledTime": "2019-07-25T08:47:35.927993+00:00"
      }
    }
  },
 
  ...
 
  "primaryLocation": "westeurope",
  "provisioningState": "Succeeded",
  "resourceGroup": "cloud-shell-storage-westeurope",
  "secondaryEndpoints": null,
  "secondaryLocation": null,
  "sku": {
    "capabilities": null,
    "kind": null,
    "locations": null,
    "name": "Standard_LRS",
    "resourceType": null,
    "restrictions": null,
    "tier": "Standard"
  },
  "statusOfPrimary": "available",
  "statusOfSecondary": null,
  "tags": {},
  "type": "Microsoft.Storage/storageAccounts"
}

09 Repeat steps no. 1 – 8 for each subscription created within your Microsoft Azure cloud account.

References

Publication date Aug 16, 2019

Unlock the Remediation Steps

Gain free unlimited access to our full Knowledge Base


Over 600 rules & best practices for and

Get started for FREE

A verification email will be sent to this address
We keep your information private. Learn more.

Thank you!

Please click the link in the confirmation email sent to

You are auditing:

Use BYOK for Activity Log Storage Container Encryption

Risk level: Medium