Enable Infrastructure Encryption

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: StorageAccounts-024

Ensure that the Infrastructure Encryption feature is enabled for your Azure Storage accounts in order to add encryption at the hardware (infrastructure) level on top of the default service-level encryption provided by Microsoft Azure.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

By default, the data stored within your Microsoft Azure Storage accounts (blobs, disks, files, queues, and tables) is automatically encrypted at rest using 256-bit AES encryption. For Azure customers seeking enhanced data security, an option is to enable encryption at the infrastructure level of Azure Storage, providing double encryption. This approach safeguards Azure Storage data by applying two encryption layers, which helps mitigate potential risks associated with compromised encryption algorithms or keys. Furthermore, the data is encrypted prior to network transmission and during all backup processes, ensuring continuous protection.
Audit

To determine if infrastructure encryption is enabled for your Microsoft Azure Storage accounts, perform the following actions:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to Azure Storage blade at https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Storage%2FStorageAccounts.

03 On the Storage accounts page, select the subscription that you want to examine from the Subscription filter box and choose Apply.

04 Click on the name (link) of the Azure Storage account that you want to examine.

05 In the blade navigation panel, under Security + networking, choose Encryption to access the encryption settings available for the selected storage account.

06 Choose the Encryption tab, and check the Infrastructure encryption configuration setting. If the Infrastructure encryption setting status is set to Disabled, infrastructure encryption is not enabled for the selected Microsoft Azure Storage account.

07 Repeat steps no. 4 – 6 for each storage account available within the selected subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run storage account list command (Windows/macOS/Linux) with custom query filters to list the name (identifier) of each storage account available in the selected Azure subscription:

az storage account list \
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd \
  --query '[*].name'

02 The command output should return the requested resource identifiers (names):

[
    "prodstorageaccount",
    "mediastorageaccount",
    "project5storageaccount"
]

03 Run storage account show command (Windows/macOS/Linux) using the name of the Azure Storage account that you want to examine as the identifier parameter and custom query filters to describe the configuration status of the Infrastructure Encryption feature for the selected storage account:

az storage account show \
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd \
  --name prodstorageaccount \
  --query '{"requireInfrastructureEncryption":encryption.requireInfrastructureEncryption}'

04 The command output should return the requested configuration status:

{
    "requireInfrastructureEncryption": null
}

If the storage account show command output returns null or false for "requireInfrastructureEncryption", as shown in the example above, the Infrastructure Encryption feature is not enabled for the selected Microsoft Azure Storage account.

05 Repeat steps no. 3 and 4 for each storage account provisioned in the current Azure subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

Infrastructure encryption adds an additional layer of encryption to your storage account's data. To enable infrastructure encryption for your existing Microsoft Azure Storage accounts, you must re-create your storage accounts with the appropriate encryption configuration by performing the following actions:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to Azure Storage blade at https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Storage%2FStorageAccounts.

03 On the Storage accounts page, select the subscription that you want to access from the Subscription filter box and choose Apply.

04 Choose Create and follow the setup wizard to configure your new Azure Storage account.

05 For Encryption, select the Enable infrastructure encryption checkbox to enable infrastructure encryption for your new storage accounts.

06 Configure the required settings based on your existing (source) storage account configuration, select Review to review the configuration details, and choose Create to create your new Microsoft Azure Storage account.

07 Repeat steps no. 4 – 6 for each storage account that you want to re-create, available in the selected Azure subscription.

08 Repeat steps no. 3 – 7 for each subscription available within your Microsoft Azure cloud account.

Using Azure CLI

01 Run storage account create command (Windows/macOS/Linux) to create your new Microsoft Azure Storage account. Add the --require-infrastructure-encryption parameter to the command request to enable infrastructure encryption for the new storage account:

az storage account create \
  --name newprodstorageaccount \
  --resource-group cloud-shell-storage-westeurope \
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd \
  --location westeurope \
  --kind StorageV2 \
  --sku Standard_LRS \
  --require-infrastructure-encryption

02 The command output should return the configuration information available for the new storage account:

{
    "accessTier": "Hot",
    "allowBlobPublicAccess": true,
    "allowCrossTenantReplication": null,
    "allowSharedKeyAccess": null,
    "allowedCopyScope": null,
    "azureFilesIdentityBasedAuthentication": null,
    "blobRestoreStatus": null,
    "creationTime": "2023-06-06T14:26:44.921726+00:00",
    "customDomain": null,
    "defaultToOAuthAuthentication": null,
    "dnsEndpointType": null,
    "enableHttpsTrafficOnly": true,
    "enableNfsV3": null,
    "encryption": {
        "encryptionIdentity": null,
        "keySource": "Microsoft.Storage",
        "keyVaultProperties": null,
        "requireInfrastructureEncryption": true,
        "services": {
            "blob": {
                "enabled": true,
                "keyType": "Account",
                "lastEnabledTime": "2023-06-06T14:26:45.218582+00:00"
            },
            "file": {
                "enabled": true,
                "keyType": "Account",
                "lastEnabledTime": "2023-06-06T14:26:45.218582+00:00"
            },
            "queue": null,
            "table": null
        }
    },
    "extendedLocation": null,
    "failoverInProgress": null,
    "geoReplicationStats": null,
    "identity": null,
    "immutableStorageWithVersioning": null,
    "isHnsEnabled": null,
    "isLocalUserEnabled": null,
    "isSftpEnabled": null,
    "keyCreationTime": {
        "key1": "2023-06-06T14:26:45.202956+00:00",
        "key2": "2023-06-06T14:26:45.202956+00:00"
    },
    "keyPolicy": null,
    "kind": "StorageV2",
    "largeFileSharesState": null,
    "lastGeoFailoverTime": null,
    "location": "westeurope",
    "minimumTlsVersion": "TLS1_0",
    "name": "newprodstorageaccount",
    "networkRuleSet": {
        "bypass": "AzureServices",
        "defaultAction": "Allow",
        "ipRules": [],
        "resourceAccessRules": null,
        "virtualNetworkRules": []
    },
    "primaryLocation": "westeurope",
    "privateEndpointConnections": [],
    "provisioningState": "Succeeded",
    "publicNetworkAccess": null,
    "resourceGroup": "cloud-shell-storage-westeurope",
    "routingPreference": null,
    "sasPolicy": null,
    "secondaryEndpoints": null,
    "secondaryLocation": null,
    "sku": {
        "name": "Standard_LRS",
        "tier": "Standard"
    },
    "statusOfPrimary": "available",
    "statusOfSecondary": null,
    "storageAccountSkuConversionStatus": null,
    "tags": {},
    "type": "Microsoft.Storage/storageAccounts"
}

03 Repeat steps no. 1 and 2 for each storage account that you want to re-create, available in the selected Azure subscription.

04 Repeat steps no. 1 – 3 for each subscription available within your Microsoft Azure cloud account.
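The following script is an added example (not Trend Micro Conformity code) that automates both CLI procedures above: the audit (steps 01 through 06 under Audit) and the preparation of the re-create command (step 01 under Remediation). It treats null and false for requireInfrastructureEncryption as non-compliant, exactly as the audit text describes, and also handles an account whose encryption block is missing. It goes one step beyond the page by reading the full encryption object from a single az storage account list call rather than running az storage account show per account; the list command returns the same per-account fields as show. The account names, resource groups and the subscription id are constructed sample values; the function and variable names are the author's own choices.

```python
"""Audit and remediation helper for Conformity rule StorageAccounts-024.

Added example, not the Conformity product's own code. The only Azure CLI
commands used are `az storage account list` and the `az storage account
create --require-infrastructure-encryption` form shown on the page.
"""
import json
import shlex
import subprocess
from typing import Iterable

# Constructed sample of `az storage account list -o json` output, trimmed to the
# fields this check needs. The three encryption states mirror what the page
# describes: null (never configured), false and true.
SAMPLE_ACCOUNTS = [
    {"name": "prodstorageaccount", "resourceGroup": "prod-rg", "location": "westeurope",
     "kind": "StorageV2", "sku": {"name": "Standard_LRS"},
     "encryption": {"keySource": "Microsoft.Storage", "requireInfrastructureEncryption": None}},
    {"name": "mediastorageaccount", "resourceGroup": "media-rg", "location": "westeurope",
     "kind": "StorageV2", "sku": {"name": "Standard_GRS"},
     "encryption": {"keySource": "Microsoft.Storage", "requireInfrastructureEncryption": False}},
    {"name": "project5storageaccount", "resourceGroup": "project5-rg", "location": "northeurope",
     "kind": "StorageV2", "sku": {"name": "Standard_LRS"},
     "encryption": {"keySource": "Microsoft.Storage", "requireInfrastructureEncryption": True}},
    # Constructed edge case: an account whose output carries no encryption block at all.
    {"name": "legacystorageaccount", "resourceGroup": "legacy-rg", "location": "westeurope",
     "kind": "Storage", "sku": {"name": "Standard_LRS"}},
]


def has_infrastructure_encryption(account: dict) -> bool:
    """Return True only when requireInfrastructureEncryption is literally true.

    null means the setting was never configured and false means it was
    declined; both leave the second encryption layer absent, so anything
    other than an explicit True fails the check.
    """
    encryption = account.get("encryption") or {}
    return encryption.get("requireInfrastructureEncryption") is True


def audit(accounts: Iterable[dict]) -> dict:
    """Split accounts into compliant and non-compliant name lists (steps 03-05)."""
    report = {"compliant": [], "non_compliant": []}
    for account in accounts:
        bucket = "compliant" if has_infrastructure_encryption(account) else "non_compliant"
        report[bucket].append(account["name"])
    return report


def remediation_command(account: dict, subscription: str, new_name: str) -> list:
    """Build the `az storage account create` argv from the Remediation section.

    Resource group, location, kind and SKU are copied from the source account
    so the replacement matches it; --require-infrastructure-encryption is what
    turns the feature on. Returning argv (not a string) lets the caller review
    it with shlex.join or pass it to subprocess.run without shell quoting.
    Copying the data into the new account is a separate step not covered here.
    """
    return [
        "az", "storage", "account", "create",
        "--name", new_name,
        "--resource-group", account["resourceGroup"],
        "--subscription", subscription,
        "--location", account["location"],
        "--kind", account["kind"],
        "--sku", account["sku"]["name"],
        "--require-infrastructure-encryption",
    ]


def list_storage_accounts(subscription: str) -> list:
    """Live equivalent of audit step 01; requires a logged-in Azure CLI (az login)."""
    completed = subprocess.run(
        ["az", "storage", "account", "list", "--subscription", subscription, "-o", "json"],
        check=True, capture_output=True, text=True,
    )
    return json.loads(completed.stdout)


if __name__ == "__main__":
    subscription = "abcdabcd-1234-abcd-1234-abcdabcdabcd"  # placeholder id from the page
    accounts = SAMPLE_ACCOUNTS  # replace with list_storage_accounts(subscription) for a live run
    report = audit(accounts)
    print(json.dumps(report, indent=2))
    for account in accounts:
        if account["name"] in report["non_compliant"]:
            argv = remediation_command(account, subscription, "new" + account["name"])
            print(shlex.join(argv))
```

Run it once per subscription (the page's step 06) by calling list_storage_accounts for each subscription id in turn; the printed create commands are meant to be reviewed, not executed blindly, since a new account name must be globally unique and the source account's remaining settings (network rules, TLS minimum, public blob access) still have to be carried over in the wizard or via extra parameters.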

Publication date Dec 17, 2019