Ensure that your Microsoft Azure activity log storage container is encrypted with BYOK (Bring Your Own Key) in order to protect your activity log data at rest with a key from your own Azure key vault. By default, activity log data is encrypted using Microsoft managed keys. Cloud Conformity strongly recommends that you bring your own key for encrypting all activity log data stored on Azure storage blob containers.
Bring Your Own Key (BYOK) support for the activity log storage container encryption allows user control of the encryption keys and restricts who can access these keys and when. This provides additional confidentiality controls on your activity log data as the user that requires access to this data must have 1) read permission on the corresponding storage account and 2) must be granted decrypt permission by the customer-managed key (BYOK). With BYOK, the container encryption key is protected by an asymmetric key stored in the Azure Key Vault - a cloud-based external key management system developed by Microsoft Azure. The asymmetric key is set at the storage account level and inherited by all containers created on that storage account.
To determine if BYOK is used for your Azure activity log storage container encryption, perform the following actions:
Remediation / Resolution
To configure Microsoft Azure Transparent Data Encryption (TDE) feature to encrypt your exported Azure activity log data using your own customer-managed key (BYOK), perform the following actions:Note: After enabling encryption at rest with BYOK, only new log data will be encrypted. Any existing files in the selected storage account will retroactively get encrypted by a background encryption process.
- Azure Official Documentation
- Azure Storage encryption for data at rest
- Overview of Azure Activity log
- Manage anonymous read access to containers and blobs
- CIS Microsoft Azure Foundations
Unlock the Remediation Steps
Gain free unlimited access
to our full Knowledge Base
Over 750 rules & best practices
Get started for FREE
You are auditing:
Use BYOK for Activity Log Storage Container Encryption
Risk level: Medium