last sync: 2021-Sep-24 16:09:49 UTC

Azure Policy definition

Storage account containing the container with activity logs must be encrypted with BYOK

Name: Storage account containing the container with activity logs must be encrypted with BYOK
Id: fbb99e8e-e444-4da0-9ff1-75c92f5a85b2
Version: 1.0.0
Category: Monitoring
Description: This policy audits whether the storage account that holds the activity-log container is encrypted with BYOK (a customer-managed key held in Key Vault, i.e. encryption.keySource = Microsoft.Keyvault). By design the policy only evaluates storage accounts in the same subscription as the log profile: a storage account in another subscription is never inspected, so that log profile is reported as non-compliant. More information on Azure Storage encryption at rest: https://aka.ms/azurestoragebyok
Mode: All
Type: BuiltIn
Preview: FALSE
Deprecated: FALSE
Effect: Default AuditIfNotExists; allowed AuditIfNotExists, Disabled
Used RBAC Role: none
History
Date/Time (UTC ymd) | Change type | Change detail
2019-12-11 09:18:30 | add | fbb99e8e-e444-4da0-9ff1-75c92f5a85b2

Used in Initiatives
Initiative DisplayName | Initiative Id | Initiative Category | State
CIS Microsoft Azure Foundations Benchmark v1.1.0 | 1a5bb27d-173f-493e-9568-eb56638dde4d | Regulatory Compliance | GA
CIS Microsoft Azure Foundations Benchmark v1.3.0 | 612b5213-9160-4969-8578-1518bd2a000c | Regulatory Compliance | GA
JSON
{
  "displayName": "Storage account containing the container with activity logs must be encrypted with BYOK",
  "policyType": "BuiltIn",
  "mode": "All",
  "description": "This policy audits if the Storage account containing the container with activity logs is encrypted with BYOK. The policy works only if the storage account lies on the same subscription as activity logs by design. More information on Azure Storage encryption at rest can be found here https://aka.ms/azurestoragebyok. ",
  "metadata": {
    "version": "1.0.0",
    "category": "Monitoring"
  },
  "parameters": {
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "Enable or disable the execution of the policy"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    }
  },
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Insights/logProfiles"
        },
        {
          "field": "Microsoft.Insights/logProfiles/storageAccountId",
          "exists": "true"
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]",
      "details": {
        "type": "Microsoft.Storage/storageAccounts",
        "existenceScope": "subscription",
        "existenceCondition": {
          "allOf": [
            {
              "value": "[contains(field('Microsoft.Insights/logProfiles/storageAccountId'), subscription().Id)]",
              "equals": "true"
            },
            {
              "field": "name",
              "equals": "[last(split(field('Microsoft.Insights/logProfiles/storageAccountId'),'/'))]"
            },
            {
              "field": "Microsoft.Storage/storageAccounts/encryption.keySource",
              "equals": "Microsoft.Keyvault"
            }
          ]
        }
      }
    }
  }
}
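The policyRule above is easy to misread: the three existenceCondition clauses are ANDed, `field()` inside them still refers to the log profile being audited (not to the storage account), and `existenceScope` of `subscription` means a storage account in any other subscription is simply never seen, so AuditIfNotExists marks that log profile non-compliant even if it is BYOK-encrypted. The following script is an added example, not part of this page and not Azure Policy's evaluation engine: it emulates the rule over constructed resource records (the subscription GUIDs, resource names and log profiles are invented) and walks through the compliant, non-BYOK, cross-subscription and no-storage cases. It assumes case-insensitive string comparison throughout, which matches the policy `equals` condition; note that the ARM template function `contains()` is documented as case-sensitive for strings, so a differently-cased GUID in `storageAccountId` could behave differently in the real engine.

```python
"""Offline emulation of the 'activity logs storage must be BYOK' AuditIfNotExists rule.
Added example with constructed data; not Microsoft's policy engine."""
import re
from typing import Dict, List, Tuple

# Constructed subscription GUIDs: the policy is assigned at SCOPE_SUBSCRIPTION.
SCOPE_SUBSCRIPTION = "11111111-1111-1111-1111-111111111111"
OTHER_SUBSCRIPTION = "22222222-2222-2222-2222-222222222222"

_SUB_RE = re.compile(r"/subscriptions/([0-9a-fA-F-]{36})(?:/|$)")


def subscription_of(resource_id: str) -> str:
    """Return the lower-cased subscription GUID embedded in an ARM resource ID ('' if none)."""
    m = _SUB_RE.search(resource_id)
    return m.group(1).lower() if m else ""


def evaluate_log_profile(log_profile: Dict, storage_accounts: List[Dict],
                         scope_subscription: str = SCOPE_SUBSCRIPTION) -> Tuple[str, str]:
    """Emulate the policyRule against one log profile.

    Returns (state, reason): 'NotApplicable' when the 'if' block does not match,
    'Compliant' when a storage account satisfying every existenceCondition clause
    exists in the scope subscription, 'NonCompliant' otherwise.
    Assumption: all comparisons are case-insensitive, as the policy 'equals' condition is.
    """
    # 'if' block: type equals Microsoft.Insights/logProfiles AND storageAccountId exists
    if log_profile.get("type", "").lower() != "microsoft.insights/logprofiles":
        return "NotApplicable", "resource is not a log profile"
    sa_id = (log_profile.get("properties") or {}).get("storageAccountId")
    if not sa_id:
        return "NotApplicable", "log profile has no storageAccountId (event hub only)"

    # existenceCondition 1: contains(field('...storageAccountId'), subscription().Id)
    # field() here reads the audited log profile; subscription() is the assignment scope.
    if f"/subscriptions/{scope_subscription}".lower() not in sa_id.lower():
        return "NonCompliant", ("storage account lives in another subscription; "
                                "the policy never inspects it and cannot confirm BYOK")

    # existenceCondition 2: storage account name equals last(split(storageAccountId, '/'))
    wanted_name = sa_id.rstrip("/").split("/")[-1].lower()
    for sa in storage_accounts:
        # existenceScope is 'subscription': accounts elsewhere are never evaluated
        if subscription_of(sa.get("id", "")) != scope_subscription.lower():
            continue
        if sa.get("name", "").lower() != wanted_name:
            continue
        # existenceCondition 3: encryption.keySource equals Microsoft.Keyvault
        key_source = ((sa.get("properties") or {}).get("encryption") or {}).get("keySource", "")
        if key_source.lower() == "microsoft.keyvault":
            return "Compliant", f"{sa['name']} uses a customer-managed key from Key Vault"
        return "NonCompliant", (f"{sa['name']} keySource is {key_source or '<unset>'}, "
                                "not Microsoft.Keyvault")
    return "NonCompliant", f"no storage account named {wanted_name} in scope subscription"


def audit(log_profiles: List[Dict], storage_accounts: List[Dict],
          scope_subscription: str = SCOPE_SUBSCRIPTION) -> Dict[str, str]:
    """Map each log profile name to its emulated compliance state."""
    return {lp["name"]: evaluate_log_profile(lp, storage_accounts, scope_subscription)[0]
            for lp in log_profiles}


def _sa(sub: str, name: str, key_source: str) -> Dict:
    """Build a constructed Microsoft.Storage/storageAccounts record."""
    return {"id": f"/subscriptions/{sub}/resourceGroups/rg-logs/providers/"
                  f"Microsoft.Storage/storageAccounts/{name}",
            "name": name,
            "properties": {"encryption": {"keySource": key_source}}}


def _lp(name: str, sa: Dict = None) -> Dict:
    """Build a constructed Microsoft.Insights/logProfiles record."""
    props = {"storageAccountId": sa["id"]} if sa else {}
    return {"name": name, "type": "Microsoft.Insights/logProfiles", "properties": props}


# Constructed sample inventory.
SA_BYOK = _sa(SCOPE_SUBSCRIPTION, "stactlogsbyok", "Microsoft.Keyvault")
SA_MMK = _sa(SCOPE_SUBSCRIPTION, "stactlogsmmk", "Microsoft.Storage")
SA_OTHER = _sa(OTHER_SUBSCRIPTION, "stactlogsother", "Microsoft.Keyvault")
SAMPLE_STORAGE_ACCOUNTS = [SA_BYOK, SA_MMK, SA_OTHER]
SAMPLE_LOG_PROFILES = [
    _lp("default", SA_BYOK),        # same subscription, customer-managed key
    _lp("legacy-mmk", SA_MMK),      # same subscription, Microsoft-managed key
    _lp("cross-sub", SA_OTHER),     # BYOK, but in a subscription the policy cannot see
    _lp("eventhub-only"),           # no storageAccountId: 'if' block does not match
]

if __name__ == "__main__":
    for lp in SAMPLE_LOG_PROFILES:
        state, reason = evaluate_log_profile(lp, SAMPLE_STORAGE_ACCOUNTS)
        print(f"{lp['name']:<14} {state:<14} {reason}")
```

The `cross-sub` case is the one to remember when reading a compliance report: the policy cannot distinguish "not BYOK" from "not visible", so an activity-log storage account in a central logging subscription will show as non-compliant in every source subscription and has to be checked with an assignment in the subscription that owns the storage account.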