Skip to main content

More Info:

Enable Storage Blob Encryption recommendations for virtual machines.

Risk Level

Low

Address

Security, Operational Maturity

Compliance Standards

ISO27001, HIPAA

Triage and Remediation

  • Remediation

Remediation

Using Console

To remediate the “Monitor Storage Blob Encryption setting is not enabled” misconfiguration in Azure using the Azure console, follow the below steps:
  1. Log in to the Azure portal (https://portal.azure.com/).
  2. Navigate to the “Storage accounts” service.
  3. Select the storage account that you want to remediate.
  4. In the left-hand menu, click on “Encryption” under the “Security + networking” section.
  5. In the “Encryption” blade, ensure that the “Storage Service Encryption” toggle is set to “On”.
  6. Scroll down to the “Advanced” section and ensure that the “Monitor Storage Blob Encryption setting” toggle is also set to “On”.
  7. Click “Save” to apply the changes.
By following the above steps, you have successfully remediated the “Monitor Storage Blob Encryption setting is not enabled” misconfiguration in Azure using the Azure console.

To remediate the “Monitor Storage Blob Encryption setting is not enabled” misconfiguration in AZURE using AZURE CLI, follow these steps:
  1. Open the AZURE CLI on your local machine or in the AZURE portal.
  2. Log in to AZURE using the command “az login”.
  3. Check if you have the necessary permissions to remediate this misconfiguration by running the command “az role assignment list —assignee <your email address or object ID>”. If you don’t have the necessary permissions, contact your administrator.
  4. Enable the “Monitor Storage Blob Encryption” setting using the command “az monitor diagnostic-settings create”. Here is an example command: 
az monitor diagnostic-settings create --resource /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{storageAccountName} --name BlobEncryptionDiagnosticSetting --logs '[{"category": "StorageRead"}]' --metrics '[{"category": "Capacity"}]' --workspace /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName} --storage-account {storageAccountName} --encryption-scope {encryptionScopeName} --enabled true
Note: Replace the placeholders <subscriptionId>, <resourceGroupName>, <storageAccountName>, <workspaceName>, and <encryptionScopeName> with the correct values for your environment.
  1. Verify that the “Monitor Storage Blob Encryption” setting is enabled by running the command “az monitor diagnostic-settings show”. Here is an example command:
az monitor diagnostic-settings show --resource /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{storageAccountName} --name BlobEncryptionDiagnosticSetting
If the output shows that the setting is enabled, then the misconfiguration has been remediated successfully.
To remediate the “Monitor Storage Blob Encryption setting is not enabled” misconfiguration in Azure using Python, you can follow the below steps:
  1. Import the required libraries:
from azure.identity import DefaultAzureCredential
from azure.mgmt.monitor import MonitorManagementClient
from azure.mgmt.storage import StorageManagementClient
from azure.mgmt.storage.models import StorageAccountUpdateParameters
  1. Authenticate and create the clients:
credential = DefaultAzureCredential()
monitor_client = MonitorManagementClient(credential, subscription_id)
storage_client = StorageManagementClient(credential, subscription_id)
  1. Get the list of storage accounts:
storage_accounts = storage_client.storage_accounts.list()
  1. Loop through the storage accounts and check if the “Monitor Storage Blob Encryption” setting is enabled:
for account in storage_accounts:
    account_name = account.name
    resource_group_name = account.id.split('/')[4]
    account_properties = storage_client.storage_accounts.get_properties(resource_group_name, account_name)
    encryption_enabled = account_properties.encryption.services.blob.enabled
    if not encryption_enabled:
        # enable the encryption
  1. If the “Monitor Storage Blob Encryption” setting is not enabled, update the storage account to enable it:
        account_properties.encryption.services.blob.enabled = True
        update_parameters = StorageAccountUpdateParameters(encryption=account_properties.encryption)
        storage_client.storage_accounts.update(resource_group_name, account_name, update_parameters)
  1. Once the setting is enabled, you can also create an alert to monitor it:
        monitor_client.alert_rules.create_or_update(
            resource_group_name,
            f"{account_name}-blob-encryption-alert",
            {
                "location": account.location,
                "enabled": True,
                "condition": {
                    "allOf": [
                        {
                            "field": "type",
                            "equals": "Microsoft.Storage/storageAccounts/blobServices"
                        },
                        {
                            "field": "Microsoft.Storage/storageAccounts/blobServices/encryption.services.blob.enabled",
                            "equals": False
                        }
                    ]
                },
                "actions": {
                    "severity": "2",
                    "sendToServiceOwners": True
                }
            }
        )
By following these steps, you can remediate the “Monitor Storage Blob Encryption setting is not enabled” misconfiguration in Azure using Python.