Azure Introduction
Azure Pricing
Azure Threats
Storage Account Encryption using Customer Managed Keys
More Info:
Ensure that your Microsoft Azure Storage accounts are using Customer Managed Keys (CMKs) instead of Microsoft Managed Keys
Risk Level
High
Address
Security
Compliance Standards
HIPAA, HITRUST, GDPR, SOC2, NISTCSF, PCIDSS
Triage and Remediation
Remediation
Sure, here are the step-by-step instructions to remediate the Storage Account Encryption misconfiguration using Customer Managed Keys in Azure:
- Login to Azure Portal (https://portal.azure.com/)
- Navigate to the Storage Account for which you want to enable encryption using Customer Managed Keys.
- Click on the ‘Encryption’ option under the ‘Settings’ section in the left-hand side menu.
- Under the ‘Encryption’ tab, select the ‘Customer-managed key’ option.
- Click on the ‘Select’ button to choose an existing Key Vault or create a new one.
- If you want to create a new Key Vault, click on the ‘Create new’ button and provide the required details.
- Once you have selected the Key Vault, select the key that you want to use for encryption.
- Click on the ‘Save’ button to save the changes.
That’s it! The Storage Account Encryption using Customer Managed Keys misconfiguration has been remediated successfully. Now your storage account data will be encrypted using the customer-managed keys stored in the Key Vault.
To remediate the storage account encryption misconfiguration using Customer Managed Keys in Azure using Azure CLI, follow these steps:
-
Open the Azure CLI in your terminal or command prompt.
-
Login to your Azure account using the following command:
az login -
Set the subscription where the storage account is located using the following command:
az account set --subscription <subscription_id>Replace
<subscription_id>with the ID of your subscription. -
Get the resource group name and the name of the storage account that needs to be remediated.
-
Check if Customer Managed Keys are available in the Key Vault using the following command:
az keyvault key list --vault-name <key_vault_name>Replace
<key_vault_name>with the name of your Key Vault. -
Create a new key in the Key Vault if it is not available using the following command:
az keyvault key create --vault-name <key_vault_name> --name <key_name> --kty RSAReplace
<key_vault_name>with the name of your Key Vault and<key_name>with the name of the key you want to create. -
Get the key identifier using the following command:
az keyvault key show --vault-name <key_vault_name> --name <key_name> --query "key.kid" -o tsvReplace
<key_vault_name>with the name of your Key Vault and<key_name>with the name of the key you created. -
Set the storage account encryption using the Customer Managed Key using the following command:
az storage account update --name <storage_account_name> --resource-group <resource_group_name> --encryption-services blob --encryption-key-name <key_name> --encryption-key-vault <key_vault_url>Replace
<storage_account_name>with the name of your storage account,<resource_group_name>with the name of your resource group,<key_name>with the name of the key you created, and<key_vault_url>with the URL of your Key Vault. -
Verify that the storage account encryption using Customer Managed Keys is enabled using the following command:
az storage account show --name <storage_account_name> --resource-group <resource_group_name> --query "encryption.services.blob.enabled"Replace
<storage_account_name>with the name of your storage account and<resource_group_name>with the name of your resource group.
Once these steps are completed, the storage account encryption using Customer Managed Keys will be properly configured in Azure.
To remediate the misconfiguration of Storage Account Encryption using Customer Managed Keys in AZURE using python, you can follow the below steps:
-
First, you need to ensure that you have a valid Customer Managed Key available in your Key Vault. If not, you can create one using the Azure Portal or Azure CLI.
-
Next, you need to get the details of the Storage Account that needs to be remediated. You can use the Azure SDK for Python to get the details of the Storage Account.
-
Once you have the details of the Storage Account, you need to ensure that the encryption is enabled and set to use the Customer Managed Key. You can use the Azure SDK for Python to enable encryption and set the Customer Managed Key.
Here’s some sample Python code to remediate the misconfiguration:
from azure.identity import DefaultAzureCredential
from azure.keyvault.keys import KeyClient
from azure.mgmt.storage import StorageManagementClient
from azure.mgmt.storage.models import StorageAccountUpdateParameters
from azure.mgmt.storage.models import Encryption
from azure.mgmt.storage.models import EncryptionService
from azure.mgmt.storage.models import EncryptionServiceType
from azure.mgmt.storage.models import KeyVaultProperties
from azure.mgmt.storage.models import KeyVaultPropertiesKeyToEncrypt
# Set the subscription ID, resource group name, and storage account name
subscription_id = 'your-subscription-id'
resource_group_name = 'your-resource-group-name'
storage_account_name = 'your-storage-account-name'
# Set the Key Vault details
key_vault_uri = 'https://your-key-vault-name.vault.azure.net/'
key_name = 'your-customer-managed-key-name'
key_version = 'your-customer-managed-key-version'
# Create the Azure SDK clients
credential = DefaultAzureCredential()
key_client = KeyClient(vault_url=key_vault_uri, credential=credential)
storage_client = StorageManagementClient(credential, subscription_id)
# Get the Storage Account details
storage_account = storage_client.storage_accounts.get_properties(resource_group_name, storage_account_name)
# Enable encryption using Customer Managed Key
encryption_service = EncryptionService(type=EncryptionServiceType.blob, enabled=True)
key_vault_properties = KeyVaultProperties(key_name=key_name, key_version=key_version)
key_vault_properties_key_to_encrypt = KeyVaultPropertiesKeyToEncrypt(key_vault_properties=key_vault_properties)
encryption = Encryption(services=[encryption_service], key_vault_properties=key_vault_properties_key_to_encrypt)
# Update the Storage Account with encryption settings
update_parameters = StorageAccountUpdateParameters(encryption=encryption)
storage_client.storage_accounts.update(resource_group_name, storage_account_name, update_parameters)
This code will enable encryption using the specified Customer Managed Key for the specified Storage Account.