More Info:

Configuring the storage account that holds the activity log export container to use BYOK (Bring Your Own Key) adds a confidentiality control on the log data: to read the logs, a user must both have read permission on the storage account and be granted decrypt permission on the customer-managed key (CMK).

Risk Level

Low

Address

Security, Operational Maturity

Compliance Standards

ISO27001, NIST, SOC2, HIPAA, CISAZURE, CBP

Triage and Remediation

Remediation

To remediate the misconfiguration “Ensure Storage Account container containing the logs is encrypted with BYOK” for Azure using the Azure console, follow the steps below:

  1. Log in to the Azure portal (https://portal.azure.com/).
  2. Navigate to the Storage account that is being used to store the logs.
  3. Click on the “Containers” option under the “Blob service” section in the left-hand menu.
  4. Select the container that contains the logs.
  5. Click on the “Encryption” option in the left-hand menu.
  6. Select the “Customer-managed key” option.
  7. Select the key that you want to use for encryption from the dropdown list.
  8. Click on the “Save” button to apply the changes.

By following these steps, you will ensure that the Storage Account container containing the logs is encrypted with BYOK in Azure.
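To verify the result outside the portal, the following is an added Python example (not code from this page or from any vendor tool) that evaluates the `encryption` block returned by `az storage account show -o json` and, optionally, the record returned by `az storage account encryption-scope show` for the scope set as the log container's default. The sample records, account name, key name and vault URI are constructed placeholders; the field names assume the ARM storage resource schema.

```python
import json
from typing import List, Optional

# Constructed samples shaped like the "encryption" block of `az storage account show`
# and the record from `az storage account encryption-scope show` (ARM field names).
# They are not captured from a real subscription; names and URIs are placeholders.
ACCOUNT_CMK = {
    "name": "examplelogsaccount",
    "encryption": {
        "keySource": "Microsoft.Keyvault",
        "keyVaultProperties": {
            "keyName": "activity-log-key",
            "keyVaultUri": "https://example-kv.vault.azure.net/",
            "keyVersion": "",  # empty: the account tracks the latest key version
        },
        "services": {"blob": {"enabled": True, "keyType": "Account"}},
    },
}
ACCOUNT_PMK = {
    "name": "examplelogsaccount",
    "encryption": {
        "keySource": "Microsoft.Storage",  # platform-managed key: fails the control
        "keyVaultProperties": None,
        "services": {"blob": {"enabled": True, "keyType": "Account"}},
    },
}
SCOPE_PMK = {"name": "logs-scope", "source": "Microsoft.Storage", "state": "Enabled"}

def cmk_findings(account: dict, scope: Optional[dict] = None) -> List[str]:
    """Return findings for a log storage account and, optionally, the encryption
    scope set as the log container's default. An empty list means compliant."""
    findings = []
    name = account.get("name", "<unknown>")
    enc = account.get("encryption") or {}
    # ARM spells the account value "Microsoft.Keyvault" but the scope value
    # "Microsoft.KeyVault"; compare case-insensitively to avoid a false finding.
    if str(enc.get("keySource")).lower() != "microsoft.keyvault":
        findings.append(f"{name}: keySource is {enc.get('keySource')!r}, not Key Vault")
    kv = enc.get("keyVaultProperties") or {}
    if not (kv.get("keyVaultUri") and kv.get("keyName")):
        findings.append(f"{name}: no Key Vault key (keyVaultUri/keyName) referenced")
    if scope is not None:
        # A container-level encryption scope overrides the account key, so a
        # platform-key scope on the log container silently undoes the control.
        if str(scope.get("source")).lower() != "microsoft.keyvault":
            findings.append(f"scope {scope.get('name')}: source is "
                            f"{scope.get('source')!r}, not Key Vault")
        if scope.get("state") != "Enabled":
            findings.append(f"scope {scope.get('name')}: state is {scope.get('state')!r}")
    return findings

def check_az_output(account_json: str, scope_json: Optional[str] = None) -> bool:
    """Wrapper for `az ... -o json` text; True when no findings remain."""
    scope = json.loads(scope_json) if scope_json else None
    return not cmk_findings(json.loads(account_json), scope)
```

Run it against the real CLI output of the storage account named in the activity log export settings; a non-empty findings list means the remediation above did not take effect for that account or container.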

Additional Reading: