Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™
Logo of TrendAI
Use the Knowledge Base AI to help improve your Cloud Posture

Monitor Storage Blob Encryption

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: SecurityCenter-011

Ensure that the monitoring of the Microsoft Azure Storage Accounts encrypted with customer-managed keys is enabled within the Microsoft Defender for Cloud security policy.

Security

To secure your Azure Storage Accounts resources with greater flexibility and meet stringent compliance requirements you can use customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your Storage Accounts data. Using customer-managed keys provides additional capabilities to control the rotation of the encryption key or cryptographically erase data.

Audit

To determine if the monitoring of the Storage Accounts encrypted with customer-managed keys is enabled within the Microsoft Defender for Cloud security policy, perform the following actions:

Using Azure Console

  1. Sign in to the Microsoft Azure Portal.

  2. Navigate to Microsoft Defender for Cloud blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0.

  3. In the main navigation panel, under Management, choose Environment settings.

  4. Click on the name (link) of the Azure subscription that you want to examine.

  5. In the navigation panel, under Policy settings, choose Security policy.

  6. In the Default initiative section, click on the name of the default initiative enabled for the selected subscription (i.e. ASC Default (subscription: &ltb;subscription-id>)).

  7. Choose the Parameters tab, uncheck Only show parameters that need input or review, and search for the following parameter: Storage accounts should use customer-managed key for encryption. If the Storage accounts should use customer-managed key for encryption parameter is set to Disabled, the monitoring of the Azure Storage Accounts encrypted with customer-managed keys is not enabled in the selected subscription.

  8. Repeat steps no. 4 – 7 for each Microsoft Azure subscription created within your Azure account.

Using Azure CLI and PowerShell

  1. Run account get-access-token command (Windows/macOS/Linux) using custom query filters to determine if the monitoring of the storage resources encrypted with customer-managed keys is enabled within the current Azure subscription by checking the storageAccountsShouldUseCustomerManagedKeyForEncryptionMonitoringEffect configuration parameter value:

    az account get-access-token
  --query "{subscription:subscription,accessToken:accessToken}"
  --out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn?api-version=2018-05-01' | jq 'select(.name=="SecurityCenterBuiltIn")'|jq '.properties.parameters.storageAccountsShouldUseCustomerManagedKeyForEncryptionMonitoringEffect.value'

  2. The command output should return the requested parameter value:

    "Disabled"

    If the account get-access-token command output returns "Disabled", as shown in the output example above, the monitoring of the Azure Storage Accounts encrypted with customer-managed keys is not enabled within the current subscription.

  3. Repeat steps no. 1 and 2 for each Microsoft Azure subscription available in your Azure cloud account.

Remediation / Resolution

To enable the monitoring of the Microsoft Azure Storage Accounts encrypted with customer-managed keys, perform the following actions:

Using Azure Console

  1. Sign in to the Microsoft Azure Portal.

  2. Navigate to Microsoft Defender for Cloud blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0.

  3. In the main navigation panel, under Management, choose Environment settings.

  4. Click on the name (link) of the Azure subscription that you want to access.

  5. In the navigation panel, under Policy settings, choose Security policy.

  6. In the Default initiative section, click on the name of the default initiative enabled for the selected subscription (i.e. ASC Default (subscription: <subscription-id>)).

  7. Choose the Parameters tab and uncheck the Only show parameters that need input or review checkbox to list all the initiative parameters.

  8. Select Audit from the Storage accounts should use customer-managed key for encryption parameter dropdown list to enable the monitoring of the Azure Storage Accounts encrypted with customer-managed keys using the Microsoft Defender for Cloud service.

  9. Select Review + save to review the configuration changes, then choose Save to apply the new changes. If the operation is successful, the following confirmation message should be displayed: "Updating policy assignment succeeded".

  10. Repeat steps no. 4 – 9 for each Microsoft Azure subscription available within your Azure account.

Using Azure CLI and PowerShell

  1. Define the configuration parameters for the account get-access-token command, where the storageAccountsShouldUseCustomerManagedKeyForEncryptionMonitoringEffect parameter is enabled to turn on the monitoring feature. Save the configuration document to a JSON file named enable-encryption-with-cmk-monitoring.json and replace the highlighted details, i.e. <azure-subscription-id> and <policy-definition-id>, with your own Azure account subscription details:

    {
  "properties":{
     "displayName":"ASC Default (subscription: <azure-subscription-id>)",
     "policyDefinitionId":"/providers/Microsoft.Authorization/policySetDefinitions/<policy-definition-id>",
     "scope":"/subscriptions/<azure-subscription-id>",
     "parameters":{
        "storageAccountsShouldUseCustomerManagedKeyForEncryptionMonitoringEffect":{
           "value":"Audit"
        }
     }
  },
  "id":"/subscriptions/<azure-subscription-id>/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn",
  "type":"Microsoft.Authorization/policyAssignments",
  "name":"SecurityCenterBuiltIn",
  "location":"eastus"
}

  2. Run account get-access-token command (Windows/macOS/Linux) using the configuration document defined at the previous step (i.e. enable-encryption-with-cmk-monitoring.json file), to enable the monitoring of the Azure Storage Accounts encrypted with customer-managed keys using the Microsoft Defender for Cloud service:

    az account get-access-token
  --query "{subscription:subscription,accessToken:accessToken}"
  --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn?api-version=2018-05-01 -d@"enable-encryption-with-cmk-monitoring.json"'

  3. The command output should return information about the modified configuration parameter:

    {
  "sku": {
    "name": "A0",
    "tier": "Free"
  },
  "properties": {
    "displayName": "ASC Default (subscription: abcdabcd-1234-1234-1234-abcdabcdabcd)",
    "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/1234abcd-1234-1234-1234-abcd1234abcd",
    "scope": "/subscriptions/abcdabcd-1234-1234-1234-abcdabcdabcd",
    "parameters": {
      "storageAccountsShouldUseCustomerManagedKeyForEncryptionMonitoringEffect": {
        "value": "Audit"
      }
    },
    "metadata": {
      "createdBy": "abcdabcd-1234-1234-1234-abcdabcdabcd",
      "createdOn": "2019-05-17T15:38:40.3473931Z",
      "updatedBy": "1234abcd-1234-1234-1234-abcd1234abcd",
      "updatedOn": "2022-02-01T21:22:40.7422203Z"
    }
  },
  "id": "/subscriptions/abcdabcd-1234-1234-1234-abcdabcdabcd/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn",
  "type": "Microsoft.Authorization/policyAssignments",
  "name": "SecurityCenterBuiltIn",
  "location": "eastus"
}

  4. Repeat steps no. 1 – 3 for each Microsoft Azure subscription available in your Azure cloud account.

References

Publication date May 31, 2019

Related SecurityCenter rules