last sync: 2020-Sep-25 13:37:27 UTC

Azure Policy

Storage account containing the container with activity logs must be encrypted with BYOK

Policy DisplayName Storage account containing the container with activity logs must be encrypted with BYOK
Policy Id fbb99e8e-e444-4da0-9ff1-75c92f5a85b2
Policy Category Monitoring
Policy Description This policy audits if the Storage account containing the container with activity logs is encrypted with BYOK. The policy works only if the storage account lies on the same subscription as activity logs by design. More information on Azure Storage encryption at rest can be found here https://aka.ms/azurestoragebyok.
Policy Mode All
Policy Type BuiltIn
Policy in Preview FALSE
Policy Deprecated FALSE
Policy Effect Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
Roles used none
Policy Changes
Date/Time (UTC ymd) Change Change detail
2019-12-11 09:18:30 add: Policy fbb99e8e-e444-4da0-9ff1-75c92f5a85b2
Used in Policy Initiative(s)
Initiative DisplayName Initiative Id
CIS Microsoft Azure Foundations Benchmark 1.1.0 1a5bb27d-173f-493e-9568-eb56638dde4d
Policy Rule
{
  "properties": {
    "displayName": "Storage account containing the container with activity logs must be encrypted with BYOK",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy audits if the Storage account containing the container with activity logs is encrypted with BYOK. The policy works only if the storage account lies on the same subscription as activity logs by design. More information on Azure Storage encryption at rest can be found here https://aka.ms/azurestoragebyok. ",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Insights/logProfiles"
          },
          {
            "field": "Microsoft.Insights/logProfiles/storageAccountId",
            "exists": "true"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Storage/storageAccounts",
          "existenceScope": "subscription",
          "existenceCondition": {
            "allOf": [
              {
                "value": "[contains(field('Microsoft.Insights/logProfiles/storageAccountId'), subscription().Id)]",
                "equals": "true"
              },
              {
                "field": "name",
                "equals": "[last(split(field('Microsoft.Insights/logProfiles/storageAccountId'),'/'))]"
              },
              {
                "field": "Microsoft.Storage/storageAccounts/encryption.keySource",
                "equals": "Microsoft.Keyvault"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/fbb99e8e-e444-4da0-9ff1-75c92f5a85b2",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "fbb99e8e-e444-4da0-9ff1-75c92f5a85b2"
}