HIGH
Source
CloudSploit
ID
blob-service-encryption

Blob Service Encryption

Ensures encryption is properly configured for Blob Services

Blob Services can be configured to encrypt data-at-rest. By default Azure will create a set of keys to encrypt Blob Services, but the recommended approach is to create your own keys using Azure Key Vault.

Follow the appropriate remediation steps below to resolve the issue.

  1. Log in to the Microsoft Azure Management Console.

  2. Select the “Search resources, services, and docs” option at the top and search for “Storage accounts.”Step

  3. On the “Storage account” page, select the account by clicking on its “Name”.Step

  4. On the configuration page scroll down the left navigation panel and select “Containers” under “Data Storage.” Step

  5. Select the “Container” on the “Containers” page.Step

  6. Scroll down the “Storage account” navigation panel and select “Encryption” under “Security + networking.”Step

  7. On the “Encryption page” scroll down and check the “Encryption type”. If “Microsoft-managed keys” is selected, then “BYOK encryption” is not configured in the Blob Service Encryption.Step

  8. To enable “BYOK encryption” select “Encryption type” as “Customer-managed keys”. In the “Encryption key” select option “Select from key vault”. Step

  9. In the “Key Vault and key” click on the blue hughlighted text “Select a key vault and key”. Step

  10. On the “Select a key” page, select “Key store type” as “Key vault”. In the “Key vault” and “key” options, select the key vault and key from the dropdown or you can create your own key vault and key. Click “Select” button at the end to save the selected options.Step

  11. Click on the “Save” button at the end to make the changes.Step

  12. Repeat step number 3 - 11 to ensure the Storage Account used by Blob Services is configured with a BYOK key.