Logo of Trend Micro

Enable Storage Encryption Monitoring

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: SecurityCenter-011

Ensure that "Monitor Storage Blob Encryption" feature is enabled within your Microsoft Azure cloud account so that Azure Security Center can assess storage accounts for encryption at rest. "Monitor Storage Blob Encryption" applies only to Microsoft Azure Storage resources.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

In order to protect your data and to help you meet security and compliance requirements, Azure Security Center recommends that all Azure Storage resources to be encrypted, including blobs, disks, files, queues, tables, and object metadata. Data in Azure Storage is encrypted and decrypted transparently using 256-bit AES encryption and is FIPS 140-2 compliant. With storage encryption monitoring feature turned on, Azure Security Center can determine if encryption at rest is enabled for your Azure Storage resources.

Audit

To determine if storage encryption monitoring is enabled within Azure Security Center, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Security Center blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/.

03 In the navigation panel, choose Security policy to access Policy Management portal.

04 On the Policy Management page, click on the name of the subscription that you want to examine to access the selected subscription configuration settings.

05 On the Security Policy page, click on the ASC Default (subscription: <azure-subscription-id>) policy assignment to access the policy configuration.

06 On the selected policy assignment page, in the PARAMETERS section, check the Monitor storage blob encryption configuration setting. If the setting is set to Disabled, the storage encryption monitoring is not enabled for the Microsoft Azure Storage blob resources available in the current subscription.

07 Repeat steps no. 4 - 6 for each Microsoft Azure subscription available in your account.

Using Azure CLI and PowerShell

01 Run account get-access-token command (Windows/macOS/Linux) using custom query filters to retrieve the "Monitor Storage Blob Encryption" feature status for the current Azure account subscription: 

az account get-access-token
	--query "{subscription:subscription,accessToken:accessToken}"
	--out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn?api-version=2018-05-01' | jq 'select(.name=="SecurityCenterBuiltIn")'|jq '.properties.parameters.storageEncryptionMonitoringEffect.value'

02 The command output should return the storage encryption monitoring configuration status: 

"Disabled"

If the command output returns "Disabled", as shown in the example above, the storage encryption monitoring is not enabled for the Azure Storage blob resources provisioned in the selected subscription.

03 Repeat step no. 1 and 2 for each Microsoft Azure subscription available in your account.

Remediation / Resolution

To enable storage encryption monitoring and recommendations for your Microsoft Azure Storage blob resources, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Security Center blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/.

03 In the navigation panel, choose Security policy to access Policy Management portal.

04 On the Policy Management page, click on the name of the subscription that you want to examine to access the selected subscription configuration settings.

05 On the Security Policy page, click on the ASC Default (subscription: <azure-subscription-id>) policy assignment to edit the policy configuration.

06 On the selected policy assignment page, in the PARAMETERS section, select Audit from Monitor storage blob encryption dropdown list to enable the monitoring of blob encryption for the storage account in the selected Azure subscription.

07 Click Save to apply the changes. If successful, the following message should be displayed: "Updating policy assignment succeeded". Once the configuration changes are saved, the "Monitor Storage Blob Encryption" feature becomes active for the selected Azure subscription.

08 If required, repeat steps no. 4 – 7 for other Microsoft Azure cloud subscription available.

Using Azure CLI and PowerShell

01 Define the necessary parameters for the account get-access-token command, where the storageEncryptionMonitoringEffect configuration parameter is enabled. Save the following content to a JSON file named enable-storage-encryption-monitoring.json and replace the highlighted details, i.e. <azure-subscription-id> and <policy-definition-id>, with your own Azure account details: 

{
   "properties":{
      "displayName":"ASC Default (subscription: <azure-subscription-id>)",
      "policyDefinitionId":"/providers/Microsoft.Authorization/policySetDefinitions/<policy-definition-id>",
      "scope":"/subscriptions/<azure-subscription-id>",
      "parameters":{
         "storageEncryptionMonitoringEffect":{
            "value":"Audit"
         }
      }
   },
   "id":"/subscriptions/<azure-subscription-id>/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn",
   "type":"Microsoft.Authorization/policyAssignments",
   "name":"SecurityCenterBuiltIn",
   "location":"eastus"
}

02 Run account get-access-token command (Windows/macOS/Linux) using the parameters defined at the previous step (i.e. enable-storage-encryption-monitoring.json file) to enable storage encryption monitoring and recommendations for the selected Microsoft Azure cloud subscription: 

az account get-access-token
	--query "{subscription:subscription,accessToken:accessToken}"
	--out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn?api-version=2018-05-01 -d@"enable-storage-encryption-monitoring.json"'

03 If successful, the command output should return the updated Azure Security Center policy: 

{
   "sku":{
  	"name":"A0",
  	"tier":"Free"
   },
   "properties":{
  	"displayName":"ASC Default (subscription: abcdabcd-1234-1234-1234-abcdabcdabcd)",
  	"parameters":{
     	"storageEncryptionMonitoringEffect":{
        	"value":"Audit"
     	}
  	},

  	...

   },
   "id":"/subscriptions/abcdabcd-1234-1234-1234-abcdabcdabcd/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn",
   "type":"Microsoft.Authorization/policyAssignments",
   "name":"SecurityCenterBuiltIn",
   "location":"eastus"
}

04 If required, repeat steps no. 1 – 3 for other Microsoft Azure cloud subscription available.

References

Publication date May 31, 2019

Related SecurityCenter rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

Enable Storage Encryption Monitoring

Risk level: Medium