
Activity Log Storage Encryption with Customer-Managed Key

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: Monitor-006

Ensure that your Microsoft Azure activity log storage container is encrypted with a Customer-Managed Key (CMK) in order to protect your activity log data at rest with a key from your own Azure key vault. By default, activity log data is encrypted using Microsoft managed keys. Trend Cloud One™ – Conformity strongly recommends that you use Customer-Managed Keys for encrypting all activity log data stored on Azure storage containers.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Customer-Managed Key (CMK) support for the storage account that holds your exported activity log gives you control over the key that protects the data and over who can use it. With CMK, the data encryption keys used by Azure Storage are wrapped (protected) by an RSA key that you hold in Azure Key Vault, Microsoft Azure's key management service, and the storage account reaches that key through a managed identity that must hold get, wrapKey and unwrapKey permissions on the vault. This adds a confidentiality control on top of storage account access: a reader still needs read permission on the storage account, and the data remains readable only while the key is enabled and the account's identity keeps its unwrap permission. Disabling the key, revoking the vault permission, or deleting the key version makes the activity log data unreadable, which is a lever Microsoft-managed keys do not give you. The key is configured at the storage account level and applies to every container in that account, including the one Azure Monitor writes the activity log to.


Audit

To determine if Customer-Managed Keys (CMKs) are used for activity log storage container encryption, perform the following actions:

Note: The following audit and remediation steps use the Diagnostic Settings feature in Azure, which replaces the legacy Log Profiles feature. Migrate away from Log Profiles and use Diagnostic Settings instead. For more information on managing the legacy Log Profiles feature, refer to the Azure Monitor documentation.

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to Azure Monitor blade at https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/overview.

03 In the blade navigation panel, under Overview, select Activity log to access the activity log created for your Azure cloud account.

04 Choose Export Activity Logs from the console top menu to navigate to the Azure subscription diagnostic settings. Diagnostic settings are used to configure streaming export of Azure cloud platform logs and metrics for a subscription to the destination of your choice.

05 Select the Azure subscription that you want to examine from the Subscription dropdown list.

06 Choose the diagnostic setting where the log destination is a storage account (i.e. the Storage account column is populated), then choose Edit setting to access the feature settings.

07 In the Destination details section, under Archive to a storage account, note the name of the storage account used as log file destination, shown in the Storage account dropdown list.

08 Navigate to Azure Storage accounts blade at https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Storage%2FStorageAccounts and paste the storage account name noted at step no. 7 into the Filter for any field… search box.

09 Click on the name (link) of the Azure storage account returned by the filtering process.

10 In the left navigation panel, under Security + networking, choose Encryption to access the encryption configuration available for the selected storage account.

11 Choose the Encryption tab, and check the Encryption type configuration attribute value. If the Encryption type is set to Microsoft-managed keys, the data on the storage container that holds your activity log files is encrypted using a service-managed key (i.e. Microsoft-managed key) instead of a Customer-Managed Key (CMK).

12 Repeat steps no. 5 – 11 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run monitor diagnostic-settings subscription list command (Windows/macOS/Linux) with custom query filters to describe the name of each diagnostic setting created for the selected Azure subscription:

az monitor diagnostic-settings subscription list \
  --subscription abcdabcd-1234-abcd-1234-abcd1234abcd \
  --query 'value[*].name'

02 The command output should return the diagnostic setting identifier(s):

[
  "cc-log-diagnostic-setting"
]

03 Run monitor diagnostic-settings subscription show command (Windows/macOS/Linux) using the name of the diagnostic setting that you want to examine as the identifier parameter, the same --subscription as in the previous step, and custom query filters to get the ID of the Azure storage account configured to store activity logs within the selected subscription:

az monitor diagnostic-settings subscription show \
  --subscription abcdabcd-1234-abcd-1234-abcd1234abcd \
  --name "cc-log-diagnostic-setting" \
  --query 'storageAccountId'

04 The command output should return the full ID of the associated storage account (the ID contains the storage account name):

"/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Storage/storageAccounts/abcd1234abcdabcd1234abcd"

05 Run storage account show command (Windows/macOS/Linux) using the name of the storage account (the last segment of the ID returned at the previous step) and its resource group as identifier parameters, and custom query filters to describe the type of the encryption key used by the selected storage account:

az storage account show \
  --name abcd1234abcdabcd1234abcd \
  --resource-group cloud-shell-storage-westeurope \
  --query 'encryption.keySource'

06 The command output should return the type of the encryption key used for the selected storage account ("Microsoft.Storage" for the service-managed key or "Microsoft.Keyvault" for the Customer-Managed Key - CMK):

"Microsoft.Storage"

If the storage account show command output returns "Microsoft.Storage", as shown in the output example above, the storage container that contains your activity log files is encrypted using a service-managed key (i.e. Microsoft-managed key) instead of a Customer-Managed Key (CMK).

07 Repeat steps no. 1 – 6 for each subscription available in your Microsoft Azure cloud account.
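The six CLI steps above audit one subscription at a time. The following shell script, added here as an example and not part of the Conformity rule or of Microsoft's tooling, walks every subscription the signed-in az CLI identity can see, follows each diagnostic setting that archives the activity log to a storage account, and reports whether that account's encryption key source is Microsoft.Keyvault. It assumes an authenticated az CLI; no resource names are hard-coded, and the only fixed strings are the two key source values Azure returns.

```shell
#!/bin/sh
# Added example (not Conformity's or Microsoft's code): audit activity-log storage
# accounts across all subscriptions for Customer-Managed Key encryption.
# Assumes an authenticated az CLI; no resource names are hard-coded.
set -eu

# Compliance decision on the value of `encryption.keySource` returned by
# `az storage account show`: Microsoft.Keyvault means a CMK, Microsoft.Storage
# means a Microsoft-managed key. Returns 0 when compliant.
key_source_is_cmk() {
  case "$1" in
    Microsoft.Keyvault) return 0 ;;
    *) return 1 ;;
  esac
}

# The storage account name is the last segment of its ARM resource ID.
storage_account_name_from_id() {
  printf '%s\n' "${1##*/}"
}

# Audit one subscription: list the diagnostic settings whose destination includes
# a storage account, then check the key source of each such account.
audit_subscription() {
  sub="$1"
  ids=$(az monitor diagnostic-settings subscription list --subscription "$sub" \
          --query 'value[?storageAccountId].storageAccountId' -o tsv)
  if [ -z "$ids" ]; then
    echo "$sub: activity log is not exported to a storage account"
    return 0
  fi
  for id in $ids; do
    name=$(storage_account_name_from_id "$id")
    src=$(az storage account show --ids "$id" --query 'encryption.keySource' -o tsv)
    if key_source_is_cmk "$src"; then
      # Report which vault/key/version protects the account; an empty version
      # means the account follows the latest key version automatically.
      key=$(az storage account show --ids "$id" \
              --query 'encryption.keyVaultProperties.[keyVaultUri, keyName, keyVersion]' \
              -o tsv | tr '\t' ' ')
      echo "$sub: $name COMPLIANT (CMK: $key)"
    else
      echo "$sub: $name NON-COMPLIANT (keySource=$src, Microsoft-managed key)"
    fi
  done
}

# Run against every subscription when az is available; the helpers above can be
# exercised without it.
if command -v az >/dev/null 2>&1; then
  for sub in $(az account list --query '[].id' -o tsv); do
    audit_subscription "$sub"
  done
else
  echo "az CLI not found; nothing audited" >&2
fi
```

The script treats a subscription with no storage-account destination as not applicable rather than as a pass, so the output distinguishes "no activity log archived to storage" from "archived and protected by a CMK".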

Remediation / Resolution

To encrypt your exported activity log data using your own Customer-Managed Key (CMK), perform the following actions:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Create the required user-assigned identity. The user-assigned identity must have access to the Azure Key Vault used for the storage container encryption. Navigate to Managed Identities blade at https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.ManagedIdentity%2FuserAssignedIdentities, choose Create managed identity, and perform the following operations:

  1. For Basics, select the appropriate subscription, resource group, and region, then provide a unique name for your new user-assigned identity in the Name box. Choose Next : Tags > to continue.
  2. For Tags, define any necessary tag sets for your user-assigned identity, then choose Next : Review + create > to continue.
  3. For Review + create, review the resource configuration details, then choose Create to deploy your new Azure user-assigned identity.

03 Navigate to Key vaults blade at https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults.

04 Click on the name (link) of the Azure Key Vault that you want to configure.

05 In the resource navigation panel, select Access policies to access the policies associated with the selected key vault. If the vault uses the Azure RBAC permission model instead of access policies, assign the Key Vault Crypto Service Encryption User role to the user-assigned identity on the vault and skip step no. 6.

06 Choose Create and perform the following actions:

  1. For Permissions, under Key permissions, choose Get, Wrap Key, and Unwrap Key. These are the only operations Azure Storage needs; do not grant Decrypt, Delete, or Purge. Choose Next to continue.
  2. For Principal, select the user-assigned identity created at step no. 2. Choose Next to continue.
  3. For Review + create, review the configuration details, then choose Create to create your new key vault access policy.

07 Navigate to Storage accounts blade at https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Storage%2FStorageAccounts.

08 Click on the name (link) of the storage account that contains your activity log files.

09 In the left navigation panel, under Security + networking, choose Encryption to access the encryption configuration available for the selected storage account.

10 Choose the Encryption tab and perform the following operations:

  1. For Encryption type select Customer-managed keys. When Customer-Managed Keys are enabled, the selected storage account is granted access to the selected key vault.
  2. For Encryption key, perform one of the following actions:
    • Choose Select from key vault to select the encryption key from an Azure Key Vault. For Key vault and key, choose Select a key vault and key, choose an existing key vault and encryption key or create and configure new ones. Choose Select to select the key vault and the encryption key to use.
    • Choose Enter key URI and provide the URI of your Customer-Managed Key in the Key URI box.
  3. For Identity type, select User-assigned, choose Select an identity, and add the Azure user-assigned identity created at step no. 2.
  4. Choose Save to apply the encryption changes. The activity log data will be encrypted using your own Customer-Managed Key (CMK).

11 Repeat steps no. 2 – 10 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run keyvault create command (Windows/macOS/Linux) to create the Azure Key Vault that will store the new Customer-Managed Key (CMK). Azure Storage only accepts a CMK from a vault that has both soft delete and purge protection enabled, so enable purge protection at creation (soft delete is on by default and cannot be disabled once enabled). If your Azure CLI version creates vaults with the Azure RBAC permission model by default, also pass --enable-rbac-authorization false so that the access policy set in step no. 5 applies:

az keyvault create \
  --name cc-log-data-key-vault \
  --resource-group cloud-shell-storage-westeurope \
  --location westeurope \
  --enable-purge-protection true

02 The command output should return the configuration information available for the newly created Azure Key Vault:

{
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-log-data-key-vault",
  "location": "westeurope",
  "name": "cc-log-data-key-vault",
  "properties": {
    "accessPolicies": [
      {
        "applicationId": null,
        "objectId": "abcdabcd-1234-abcd-1234-abcd1234abcd",
        "permissions": {
          "certificates": [
            "all"
          ],
          "keys": [
            "all"
          ],
          "secrets": [
            "all"
          ],
          "storage": [
            "all"
          ]
        },
        "tenantId": "abcdabcd-1234-abcd-1234-abcd1234abcd"
      }
    ],
    "createMode": null,
    "enablePurgeProtection": true,
    "enableRbacAuthorization": null,
    "enableSoftDelete": true,
    "enabledForDeployment": false,
    "enabledForDiskEncryption": null,
    "enabledForTemplateDeployment": null,
    "hsmPoolResourceId": null,
    "networkAcls": null,
    "privateEndpointConnections": null,
    "provisioningState": "Succeeded",
    "publicNetworkAccess": "Enabled",
    "sku": {
      "family": "A",
      "name": "standard"
    },
    "softDeleteRetentionInDays": 90,
    "tenantId": "abcdabcd-1234-abcd-1234-abcd1234abcd",
    "vaultUri": "https://cc-log-data-key-vault.vault.azure.net/"
  },
  "resourceGroup": "cloud-shell-storage-westeurope",
  "systemData": {
    "createdAt": "2022-08-11T15:24:31.689000+00:00",
    "createdBy": "user@domain.com",
    "createdByType": "User",
    "lastModifiedAt": "2022-08-11T15:24:31.689000+00:00",
    "lastModifiedBy": "user@domain.com",
    "lastModifiedByType": "User"
  },
  "tags": {},
  "type": "Microsoft.KeyVault/vaults"
}

03 Run keyvault key create command (Windows/macOS/Linux) to create a new Customer-Managed Key (CMK) within the Azure Key Vault created at the previous step. Azure Storage uses only the wrapKey and unwrapKey operations on this key; the other operations are listed for completeness and can be dropped if the key serves no other purpose:

az keyvault key create \
  --name cc-log-data-key \
  --vault-name cc-log-data-key-vault \
  --kty RSA \
  --ops encrypt decrypt wrapKey unwrapKey sign verify \
  --size 2048

04 The command output should return the configuration information for the new CMK:

{
  "attributes": {
    "created": "2022-08-11T15:26:54+00:00",
    "enabled": true,
    "expires": null,
    "exportable": false,
    "notBefore": null,
    "recoverableDays": 90,
    "recoveryLevel": "Recoverable+Purgeable",
    "updated": "2022-08-11T15:26:54+00:00"
  },
  "key": {
    "crv": null,
    "d": null,
    "dp": null,
    "dq": null,
    "e": "AQAB",
    "k": null,
    "keyOps": [
      "encrypt",
      "decrypt",
      "wrapKey",
      "unwrapKey",
      "sign",
      "verify"
    ],
    "kid": "https://cc-log-data-key-vault.vault.azure.net/keys/cc-log-data-key/abcdabcd1234abcd1234abcd1234abcd",
    "kty": "RSA",
    "n": "...",
    "p": null,
    "q": null,
    "qi": null,
    "t": null,
    "x": null,
    "y": null
  },
  "managed": null,
  "releasePolicy": null,
  "tags": null
}

05 Run keyvault set-policy command (Windows/macOS/Linux) to grant the managed identity of the storage account that holds your activity logs the key permissions it needs on the Azure Key Vault created earlier. The --object-id value is the principal ID of that identity; a system-assigned or user-assigned identity must already be attached to the storage account. Get, wrapKey and unwrapKey are sufficient, so do not grant decrypt, delete or purge:

az keyvault set-policy \
  --name cc-log-data-key-vault \
  --object-id 1234abcd-1234-abcd-1234-abcd1234abcd \
  --key-permissions get wrapKey unwrapKey

06 The command output should return the information available for the reconfigured key vault:

{
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-log-data-key-vault",
  "location": "westeurope",
  "name": "cc-log-data-key-vault",
  "properties": {
    "accessPolicies": [

      ...

      {
        "applicationId": null,
        "objectId": "1234abcd-1234-abcd-1234-abcd1234abcd",
        "permissions": {
          "certificates": null,
          "keys": [
            "get",
            "wrapKey",
            "unwrapKey"
          ],
          "secrets": null,
          "storage": null
        },
        "tenantId": "abcdabcd-1234-abcd-1234-abcd1234abcd"
      }
    ],

    ...

    "createMode": null,
    "enablePurgeProtection": true,
    "enableSoftDelete": true,
    "enabledForDeployment": false,
    "enabledForDiskEncryption": null,
    "enabledForTemplateDeployment": null,
    "networkAcls": null,
    "provisioningState": "Succeeded",
    "sku": {
      "family": "A",
      "name": "standard"
    },
    "vaultUri": "https://cc-log-data-key-vault.vault.azure.net/"
  },
  "resourceGroup": "cloud-shell-storage-westeurope",
  "tags": {},
  "type": "Microsoft.KeyVault/vaults"
}

07 Run storage account update command (Windows/macOS/Linux) using the name and resource group of the Azure Storage account that you want to reconfigure as identifier parameters, to configure encryption at rest with the Customer-Managed Key (CMK) created at the previous steps for the storage account and every container inside it, including the one that holds the activity log. Specifying --encryption-key-version pins the account to that key version, so a later rotation in Key Vault is not picked up until the account is updated again; pass an empty string instead to have the account follow the latest key version automatically:

az storage account update \
  --name abcd1234abcdabcd1234abcd \
  --resource-group cloud-shell-storage-westeurope \
  --encryption-key-source Microsoft.Keyvault \
  --encryption-key-vault https://cc-log-data-key-vault.vault.azure.net/ \
  --encryption-key-name cc-log-data-key \
  --encryption-key-version abcdabcd12341234abcdabcd12341234 \
  --encryption-services blob

08 The command output should return the configuration information available for the modified storage account:

{
  "accessTier": null,
  "azureFilesIdentityBasedAuthentication": null,
  "creationTime": "2022-08-11T15:26:54+00:00",
  "customDomain": null,
  "enableHttpsTrafficOnly": false,
  "encryption": {
    "keySource": "Microsoft.Keyvault",
    "keyVaultProperties": {
      "keyName": "cc-log-data-key",
      "keyVaultUri": "https://cc-log-data-key-vault.vault.azure.net/",
      "keyVersion": "abcdabcd12341234abcdabcd12341234"
    },
    "services": {
      "blob": {
        "enabled": true,
        "lastEnabledTime": "2022-08-11T15:26:54+00:00"
      },
      "file": {
        "enabled": true,
        "lastEnabledTime": "2022-08-11T15:26:54+00:00"
      }
    }
  },

  ...

  "primaryLocation": "westeurope",
  "provisioningState": "Succeeded",
  "resourceGroup": "cloud-shell-storage-westeurope",
  "secondaryEndpoints": null,
  "secondaryLocation": null,
  "sku": {
    "capabilities": null,
    "kind": null,
    "locations": null,
    "name": "Standard_LRS",
    "resourceType": null,
    "restrictions": null,
    "tier": "Standard"
  },
  "statusOfPrimary": "available",
  "statusOfSecondary": null,
  "tags": {},
  "type": "Microsoft.Storage/storageAccounts"
}

09 Repeat steps no. 1 – 8 for each subscription created within your Microsoft Azure cloud account.
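The CLI steps above leave one thing implicit: the --object-id passed to keyvault set-policy must belong to a managed identity attached to the storage account, and none of the steps creates that identity. The following shell script, added here as an example rather than Conformity's or Microsoft's own code, runs the remediation end to end for one storage account in the right order: it enables a system-assigned identity on the account, creates a vault with purge protection and the access-policy permission model, verifies the vault state before using it, creates an RSA key restricted to the wrap/unwrap operations storage needs, grants the identity get/wrapKey/unwrapKey, switches the account to the CMK with automatic key-version tracking, and prints the same encryption.keySource the audit reads. Subscription, resource group, account, vault and key names are placeholders taken from the examples above and can be overridden through environment variables.

```shell
#!/bin/sh
# Added example (not Conformity's or Microsoft's code): end-to-end CMK remediation
# for one activity-log storage account, including the managed-identity step that
# the page's CLI walkthrough assumes. All names are placeholders; the storage
# account is assumed to already be the activity log destination.
set -eu

SUBSCRIPTION="${SUBSCRIPTION:-abcdabcd-1234-abcd-1234-abcd1234abcd}"
RESOURCE_GROUP="${RESOURCE_GROUP:-cloud-shell-storage-westeurope}"
LOCATION="${LOCATION:-westeurope}"
STORAGE_ACCOUNT="${STORAGE_ACCOUNT:-abcd1234abcdabcd1234abcd}"
KEY_VAULT="${KEY_VAULT:-cc-log-data-key-vault}"
KEY_NAME="${KEY_NAME:-cc-log-data-key}"

# Azure Storage only uses wrap/unwrap on the CMK; grant nothing more on the key.
STORAGE_KEY_OPS="wrapKey unwrapKey"

# Azure Storage rejects a CMK from a vault that lacks soft delete or purge
# protection. Arguments are the two booleans as printed by `az keyvault show -o tsv`.
vault_ready_for_cmk() {
  [ "$1" = "true" ] && [ "$2" = "true" ]
}

remediate() {
  az account set --subscription "$SUBSCRIPTION"

  # 1. Give the storage account a system-assigned identity; its principal ID is
  #    the object ID that the key vault access policy must name.
  principal_id=$(az storage account update --name "$STORAGE_ACCOUNT" \
      --resource-group "$RESOURCE_GROUP" --assign-identity \
      --query identity.principalId -o tsv)

  # 2. Create the vault with purge protection (soft delete is on by default) and
  #    the access-policy model, which is what set-policy below configures.
  az keyvault create --name "$KEY_VAULT" --resource-group "$RESOURCE_GROUP" \
      --location "$LOCATION" --enable-purge-protection true \
      --enable-rbac-authorization false >/dev/null

  # 3. Preflight: confirm the vault state before pointing the account at it.
  soft_delete=$(az keyvault show --name "$KEY_VAULT" --query properties.enableSoftDelete -o tsv)
  purge_prot=$(az keyvault show --name "$KEY_VAULT" --query properties.enablePurgeProtection -o tsv)
  vault_ready_for_cmk "$soft_delete" "$purge_prot" || {
    echo "vault $KEY_VAULT lacks soft delete or purge protection; aborting" >&2; return 1; }

  # 4. Create the RSA key with only the operations storage needs.
  az keyvault key create --vault-name "$KEY_VAULT" --name "$KEY_NAME" \
      --kty RSA --size 2048 --ops $STORAGE_KEY_OPS >/dev/null

  # 5. Grant the storage account identity get/wrap/unwrap (no decrypt, no purge).
  az keyvault set-policy --name "$KEY_VAULT" --object-id "$principal_id" \
      --key-permissions get wrapKey unwrapKey >/dev/null

  # 6. Switch the account to the CMK. An empty key version makes Azure Storage
  #    follow the newest key version; pinning a version means a Key Vault rotation
  #    is not picked up until the account is updated again.
  vault_uri=$(az keyvault show --name "$KEY_VAULT" --query properties.vaultUri -o tsv)
  az storage account update --name "$STORAGE_ACCOUNT" --resource-group "$RESOURCE_GROUP" \
      --encryption-key-source Microsoft.Keyvault --encryption-key-vault "$vault_uri" \
      --encryption-key-name "$KEY_NAME" --encryption-key-version "" \
      --encryption-services blob >/dev/null

  # 7. Verify the value the audit checks (expect Microsoft.Keyvault).
  az storage account show --name "$STORAGE_ACCOUNT" --resource-group "$RESOURCE_GROUP" \
      --query '[encryption.keySource, encryption.keyVaultProperties.keyName]' -o tsv
}

if command -v az >/dev/null 2>&1; then
  remediate
else
  echo "az CLI not installed; nothing changed" >&2
fi
```

Run it with the environment variables set for your tenant. The vault_ready_for_cmk check exists because Azure Storage refuses a vault without both soft delete and purge protection, and failing early there is cheaper than a half-applied change; using the access-policy model explicitly keeps step 5 working on CLI versions whose default is the RBAC model.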

Publication date Aug 16, 2019