Use BYOK for Activity Log Storage Container Encryption

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: Monitor-006

Ensure that your Microsoft Azure activity log storage container is encrypted with BYOK (Bring Your Own Key) in order to protect your activity log data at rest with a key from your own Azure key vault. By default, activity log data is encrypted using Microsoft managed keys. Cloud Conformity strongly recommends that you bring your own key for encrypting all activity log data stored on Azure storage blob containers.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Bring Your Own Key (BYOK) support for the activity log storage container encryption allows user control of the encryption keys and restricts who can access these keys and when. This provides additional confidentiality controls on your activity log data, because a user who needs this data must both 1) have read permission on the corresponding storage account and 2) be granted decrypt permission through the customer-managed key (BYOK). With BYOK, the container encryption key is protected by an asymmetric key stored in Azure Key Vault, a cloud-based external key management system developed by Microsoft Azure. The asymmetric key is set at the storage account level and inherited by all containers created on that storage account.


Audit

To determine if BYOK is used for your Azure activity log storage container encryption, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Monitor blade at https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview.

03 In the navigation panel, select Activity log to access the activity log available in your Azure cloud account.

04 From the Subscription filter box, select the Azure account subscription that you want to examine.

05 On the Activity log page, click Export to Event Hub to access your Azure Log profile configuration settings.

06 On the Export activity log panel, click on the Storage account tab and copy the identifier of the storage container that contains the Azure cloud activity logs, available in the Storage account box.

07 Navigate to Azure Storage accounts blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Storage%2FStorageAccounts and paste the storage account ID copied at step no. 6 into the Filter by name box.

08 Click on the name of the Azure storage account returned by the portal filtering process.

09 In the navigation panel, under Settings, click Encryption to access the encryption configuration page for the selected storage account.

10 On the Encryption page, verify the Use your own key setting. If the Use your own key checkbox is not checked, the Microsoft Azure storage container that holds your activity log files is encrypted using a service-managed key (default key) instead of a customer-managed key (also known as Bring Your Own Key - BYOK).

11 Repeat steps no. 4 – 10 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run monitor log-profiles list command (Windows/macOS/Linux) using custom query filters to get the ID of the Azure storage account configured to store activity logs within the current Azure subscription:

az monitor log-profiles list \
    --query '[*].storageAccountId'

02 The command output should return the ID of the associated Azure storage account:

[
  "abcd1234abcd1234abcd1234"
]

03 Run storage account show command (Windows/macOS/Linux) using the ID of the storage account returned at the previous step as the identifier parameter and custom query filters to expose the type of the encryption key used by Azure Transparent Data Encryption (TDE) for the selected storage account:

az storage account show \
    --name abcd1234abcd1234abcd1234 \
    --query 'encryption.keySource'

04 The command output should return the type of the encryption key used for the selected Azure storage account ("Microsoft.Storage" for a service-managed key or "Microsoft.Keyvault" for a customer-managed key – BYOK):

"Microsoft.Storage"

If the storage account show command output returns "Microsoft.Storage", as shown in the example above, the Microsoft Azure storage container that contains your activity log files is encrypted using a service-managed key instead of a customer-managed key (i.e. Bring Your Own Key – BYOK).

05 Repeat steps no. 1 – 4 for each subscription available in your Microsoft Azure cloud account.
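The CLI audit above, carried across every subscription in one run, as an added shell example that is not Conformity's own tooling. It assumes an authenticated `az` CLI; the helper names and the `--run` switch are assumptions of this example, and a log profile's storageAccountId is handled both as a full ARM resource ID (what the CLI normally returns) and as the bare name shown on this page.

```shell
#!/bin/sh
# Added example, not Conformity's own tooling: run the CLI audit (steps 01-04)
# across every subscription the signed-in `az` user can see. Assumes an
# authenticated Azure CLI; the function names and the --run switch are mine.

# Map a storage account's encryption.keySource to a result code:
# 0 = customer-managed key in Key Vault (BYOK), 1 = Microsoft-managed default
# key, 2 = an unexpected value worth a manual look.
is_byok() {
    case "$1" in
        Microsoft.Keyvault) return 0 ;;
        Microsoft.Storage)  return 1 ;;
        *)                  return 2 ;;
    esac
}

# A log profile's storageAccountId is normally a full ARM resource ID; the
# page shows a bare account name. Either way the name is the last path segment.
account_name_from_id() {
    printf '%s\n' "${1##*/}"
}

# Walk all subscriptions and report each activity-log storage account.
# Returns the number of non-compliant accounts found.
audit_all_subscriptions() {
    bad=0
    for sub in $(az account list --query '[].id' --output tsv); do
        az account set --subscription "$sub"
        for sa_id in $(az monitor log-profiles list --query '[].storageAccountId' --output tsv); do
            # A profile that exports only to Event Hub has no storage account.
            if [ -z "$sa_id" ] || [ "$sa_id" = "None" ]; then continue; fi
            name=$(account_name_from_id "$sa_id")
            src=$(az storage account show --name "$name" --query encryption.keySource --output tsv)
            if is_byok "$src"; then
                printf 'OK            %s %s (%s)\n' "$sub" "$name" "$src"
            else
                printf 'NON-COMPLIANT %s %s (%s)\n' "$sub" "$name" "$src"
                bad=$((bad + 1))
            fi
        done
    done
    return "$bad"
}

if [ "${1:-}" = "--run" ]; then audit_all_subscriptions; fi
```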

Remediation / Resolution

To configure Microsoft Azure Transparent Data Encryption (TDE) feature to encrypt your exported Azure activity log data using your own customer-managed key (BYOK), perform the following actions:

Note: After enabling encryption at rest with BYOK, only new log data will be encrypted. Any existing files in the selected storage account will retroactively get encrypted by a background encryption process.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Storage accounts blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Storage%2FStorageAccounts.

03 Click on the name of the storage account associated with your Azure Log Profile (see Audit section part I to identify the right account).

04 In the navigation panel, under Settings, click Encryption to access the encryption configuration page for the selected storage account.

05 On the Encryption page, perform the following actions:

  1. Select Use your own key checkbox to initiate the customer-managed key configuration process.
  2. Under Encryption key, either choose Enter key URI and provide the customer-managed key URI in the Key URI box, or choose Select from Key Vault to pick the encryption key from an Azure Key Vault and continue with the next steps.
  3. Click on the Key Vault link and select the encryption key vault that holds the customer-managed key.
  4. Click on the Encryption key link and select an existing customer-managed key (BYOK) that you want to use as TDE protector for the selected Azure storage account. If you need to create a new encryption key, click on the Create a new key button and use the default configuration settings provided by Microsoft Azure to create a new customer-managed key.
  5. Click Save to apply the new encryption configuration changes.

06 Repeat steps no. 3 – 5 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run keyvault create command (Windows/macOS/Linux) to create the necessary Microsoft Azure Key Vault that will store the new customer-managed encryption key (BYOK):

az keyvault create \
    --name cc-byok-key-vault \
    --resource-group cloud-shell-storage-westeurope \
    --location westeurope \
    --enable-soft-delete true \
    --enable-purge-protection true

02 The command output should return the configuration metadata for the newly created Azure Key Vault:

{
  "id": "/subscriptions/abcdabcd-abcd-abcd-abcd-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-byok-key-vault",
  "location": "westeurope",
  "name": "cc-byok-key-vault",
  "properties": {
    "createMode": null,
    "enablePurgeProtection": true,
    "enableSoftDelete": true,
    "enabledForDeployment": false,
    "enabledForDiskEncryption": null,

    ...

    "enabledForTemplateDeployment": null,
    "networkAcls": null,
    "provisioningState": "Succeeded",
    "sku": {
      "name": "standard"
    },
    "vaultUri": "https://cc-byok-key-vault.vault.azure.net/"
  },
  "resourceGroup": "cloud-shell-storage-westeurope",
  "tags": {},
  "type": "Microsoft.KeyVault/vaults"
}

03 Run keyvault key create command (Windows/macOS/Linux) to create a new customer-managed encryption key (also known as Bring Your Own Key – BYOK) within the Azure Key Vault created at the previous step:

az keyvault key create \
    --name cc-byok-key \
    --vault-name cc-byok-key-vault \
    --kty RSA \
    --ops encrypt decrypt wrapKey unwrapKey sign verify \
    --size 2048

04 The command output should return the metadata for the new customer-managed key:

{
  "attributes": {
    "created": "2019-08-11T16:58:06+00:00",
    "enabled": true,
    "expires": null,
    "notBefore": null,
    "recoveryLevel": "Recoverable",
    "updated": "2019-08-11T16:58:06+00:00"
  },
  "key": {
    "crv": null,
    "d": null,

    ...

    "dp": null,
    "dq": null,
    "e": "AQAB",
    "k": null,
    "p": null,
    "q": null,
    "qi": null,
    "t": null,
    "x": null,
    "y": null
  },
  "managed": null,
  "tags": null
}

05 Run keyvault set-policy command (Windows/macOS/Linux) to update the security policy of the Azure Key Vault created earlier in the process with the appropriate permissions:

az keyvault set-policy \
    --name cc-byok-key-vault \
    --object-id 1234abcd-1234-abcd-1234-abcd1234abcd \
    --key-permissions get wrapkey unwrapkey

06 The command output should return the metadata for the updated Microsoft Azure Key Vault:

{
  "id": "/subscriptions/abcdabcd-abcd-abcd-abcd-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-byok-key-vault",
  "location": "westeurope",
  "name": "cc-byok-key-vault",
  "properties": {
    "accessPolicies": [
      {
        "applicationId": null,
        "objectId": "1234abcd-1234-abcd-1234-abcd1234abcd",
        "permissions": {
          "certificates": null,
          "keys": [
            "get",
            "wrapKey",
            "unwrapKey"
          ],
          "secrets": null,
          "storage": null
        }
      }
    ],

    ...

    "createMode": null,
    "enablePurgeProtection": true,
    "enableSoftDelete": true,
    "enabledForDeployment": false,
    "enabledForDiskEncryption": null,
    "enabledForTemplateDeployment": null,
    "networkAcls": null,
    "provisioningState": "Succeeded",
    "sku": {
      "name": "standard"
    },
    "vaultUri": "https://cc-byok-key-vault.vault.azure.net/"
  },
  "resourceGroup": "cloud-shell-storage-westeurope",
  "tags": {},
  "type": "Microsoft.KeyVault/vaults"
}

07 Run storage account update command (Windows/macOS/Linux) using the ID of the Azure storage account that you want to reconfigure as the identifier parameter (see Audit section part II to identify the right resource) to configure the Transparent Data Encryption (TDE) feature to use the customer-managed key (Bring Your Own Key - BYOK) created at the previous steps for the selected storage account and all the blob containers available inside the account:

az storage account update \
    --name abcd1234abcd1234abcd1234 \
    --resource-group cloud-shell-storage-westeurope \
    --encryption-key-source Microsoft.Keyvault \
    --encryption-key-vault https://cc-byok-key-vault.vault.azure.net/ \
    --encryption-key-name cc-byok-key \
    --encryption-key-version abcdabcd12341234abcdabcd12341234 \
    --encryption-services blob

08 The command output should return the TDE’s configuration metadata for the selected storage account:

{
  "accessTier": null,
  "azureFilesIdentityBasedAuthentication": null,
  "creationTime": "2019-07-25T08:47:35.787368+00:00",
  "customDomain": null,
  "enableHttpsTrafficOnly": false,
  "encryption": {
    "keySource": "Microsoft.Keyvault",
    "keyVaultProperties": {
      "keyName": "cc-byok-key",
      "keyVaultUri": "https://cc-byok-key-vault.vault.azure.net/",
      "keyVersion": "abcdabcd12341234abcdabcd12341234"
    },
    "services": {
      "blob": {
        "enabled": true,
        "lastEnabledTime": "2019-07-25T08:47:35.927993+00:00"
      },
      "file": {
        "enabled": true,
        "lastEnabledTime": "2019-07-25T08:47:35.927993+00:00"
      }
    }
  },

  ...

  "primaryLocation": "westeurope",
  "provisioningState": "Succeeded",
  "resourceGroup": "cloud-shell-storage-westeurope",
  "secondaryEndpoints": null,
  "secondaryLocation": null,
  "sku": {
    "capabilities": null,
    "kind": null,
    "locations": null,
    "name": "Standard_LRS",
    "resourceType": null,
    "restrictions": null,
    "tier": "Standard"
  },
  "statusOfPrimary": "available",
  "statusOfSecondary": null,
  "tags": {},
  "type": "Microsoft.Storage/storageAccounts"
}

09 Repeat steps no. 1 – 8 for each subscription created within your Microsoft Azure cloud account.
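The CLI remediation steps 01 to 08 chained into one script, as an added shell example that is not Conformity's own tooling. It assumes an authenticated `az` CLI and the resource names used on this page, takes the key version from the kid URL that key create returns rather than from a placeholder, and assumes (the page does not say which principal the --object-id is) that the storage account's system-assigned managed identity is the identity that needs get/wrapKey/unwrapKey on the vault.

```shell
#!/bin/sh
# Added example, not Conformity's own script: remediation steps 01-08 in one
# run. Assumes an authenticated `az` CLI and the page's resource names. The
# managed-identity step is an assumption of this example: the storage account's
# own identity is the principal granted get/wrapKey/unwrapKey on the vault.

VAULT=cc-byok-key-vault
KEY=cc-byok-key
RG=cloud-shell-storage-westeurope
LOCATION=westeurope
ACCOUNT=abcd1234abcd1234abcd1234   # placeholder from the page; use your account name

# Key Vault returns a key as a versioned URL (kid); `--encryption-key-version`
# wants only the trailing version segment.
key_version_from_kid() {
    printf '%s\n' "${1##*/}"
}

# Vault URI in the form `--encryption-key-vault` expects, derived from the name.
vault_uri() {
    printf 'https://%s.vault.azure.net/\n' "$1"
}

remediate() {
    az keyvault create --name "$VAULT" --resource-group "$RG" --location "$LOCATION" \
        --enable-soft-delete true --enable-purge-protection true
    kid=$(az keyvault key create --name "$KEY" --vault-name "$VAULT" --kty RSA --size 2048 \
        --ops encrypt decrypt wrapKey unwrapKey sign verify --query key.kid --output tsv)
    # Assumed step: give the storage account a system-assigned identity and use
    # its principal ID as the --object-id for the vault access policy.
    principal=$(az storage account update --name "$ACCOUNT" --resource-group "$RG" \
        --assign-identity --query identity.principalId --output tsv)
    az keyvault set-policy --name "$VAULT" --object-id "$principal" \
        --key-permissions get wrapkey unwrapkey
    az storage account update --name "$ACCOUNT" --resource-group "$RG" \
        --encryption-key-source Microsoft.Keyvault \
        --encryption-key-vault "$(vault_uri "$VAULT")" \
        --encryption-key-name "$KEY" \
        --encryption-key-version "$(key_version_from_kid "$kid")" \
        --encryption-services blob
    # Re-run the audit check: expected value is Microsoft.Keyvault.
    az storage account show --name "$ACCOUNT" --query encryption.keySource --output tsv
}

if [ "${1:-}" = "--run" ]; then remediate; fi
```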

Publication date Aug 16, 2019