AzPolicyAdvertizer

last sync: 2021-Sep-24 16:09:49 UTC

Azure Policy definition

Storage account containing the container with activity logs must be encrypted with BYOK

Name Storage account containing the container with activity logs must be encrypted with BYOK
Azure Portal

Id fbb99e8e-e444-4da0-9ff1-75c92f5a85b2

Version 1.0.0
details on versioning

Category Monitoring
Microsoft docs

Description This policy audits if the Storage account containing the container with activity logs is encrypted with BYOK. The policy works only if the storage account lies on the same subscription as activity logs by design. More information on Azure Storage encryption at rest can be found here https://aka.ms/azurestoragebyok.

Mode All

Type BuiltIn

Preview FALSE

Deprecated FALSE

Effect Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)

Used RBAC Role none

History

Date/Time (UTC ymd) (i)	Change type	Change detail
2019-12-11 09:18:30	add	fbb99e8e-e444-4da0-9ff1-75c92f5a85b2

Used in Initiatives

Initiative DisplayName	Initiative Id	Initiative Category	State
CIS Microsoft Azure Foundations Benchmark v1.1.0	1a5bb27d-173f-493e-9568-eb56638dde4d	Regulatory Compliance	GA
CIS Microsoft Azure Foundations Benchmark v1.3.0	612b5213-9160-4969-8578-1518bd2a000c	Regulatory Compliance	GA

JSON

{
  "displayName": "Storage account containing the container with activity logs must be encrypted with BYOK",
  "policyType": "BuiltIn",
  "mode": "All",
  "description": "This policy audits if the Storage account containing the container with activity logs is encrypted with BYOK. The policy works only if the storage account lies on the same subscription as activity logs by design. More information on Azure Storage encryption at rest can be found here https://aka.ms/azurestoragebyok. ",
  "metadata": {
    "version": "1.0.0",
    "category": "Monitoring"
  },
  "parameters": {
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "Enable or disable the execution of the policy"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    }
  },
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Insights/logProfiles"
        },
        {
          "field": "Microsoft.Insights/logProfiles/storageAccountId",
          "exists": "true"
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]",
      "details": {
        "type": "Microsoft.Storage/storageAccounts",
        "existenceScope": "subscription",
        "existenceCondition": {
          "allOf": [
            {
              "value": "[contains(field('Microsoft.Insights/logProfiles/storageAccountId'), subscription().Id)]",
              "equals": "true"
            },
            {
              "field": "name",
              "equals": "[last(split(field('Microsoft.Insights/logProfiles/storageAccountId'),'/'))]"
            },
            {
              "field": "Microsoft.Storage/storageAccounts/encryption.keySource",
              "equals": "Microsoft.Keyvault"
            }
          ]
        }
      }
    }
  }
}