Storage Accounts

Blob Service Encryption Disabled

Risk Level: Medium

Description  

The plugin checks that the encryption data-at-rest is enabled. Enabling encryption adds a second layer of protection to the stored blobs. By default, the keys used for encryption are azure generated but it is recommended that the users implement the keys using the azure key vault.

About the Service

Storage Accounts: An azure storage account is used to store the customer’s data objects such as files, queues, shares, etc. The storage accounts ensure high availability for the clients and allot a unique namespace for the storage data and are accessible from anywhere around the world using HTTP or HTTPS protocols.

Impact

Enabling encryption for the blobs will add another layer of security to it and enhance the base security hence, it is advised that the encryption is enabled along with user-generated keys. 

Steps to Reproduce

  1. Log in to the Azure portal.
  2. Click on Storage accounts for Services.
  3. Select any one of the provided accounts to check for the policy.
  4. From the navigation bar, select Containers from Data storage
  5. From here we will check for two things,
    1. If Infrastructure encryption is set to "disabled", check the Steps to remediation section.
    2. Check the value set for the Encryption type, if it is set to ‘Disabled’, check the Steps for Remediation under the document.
  6. Repeat the process for other accounts as well.

Steps for Remediation

  1. Log in to the Azure portal.
  2. Click on Storage accounts for Services.
  3. Select any one of the provided accounts to check for the policy.
  4. From the navigation bar, select Containers from Data storage.
  5. If the Infrastructure Encryption is disabled, follow the below steps, else proceed to step 6.
  6. Since Infrastructure Encryption can only be enabled during the creation. Users will have to create a new blob container and then push the blobs there. 
  7. After filling the Basics section for storage account creation, to enable the Infrastructure Encryption, go to the Advanced section. Select the “ ” option, configure all the other requirements and click on Review + create.
  8. Change encryption type to “Customer-managed keys” in front of Encryption type. Now, in the Encryption key under Key selection select “Select from key vault”. From Key vault and key go to “Select a key vault and key”.
  9. The Select key window will appear. Click on “Key vault” for Key Store type. Select the vault to be associated with the generated key. 
  10. Click on “Create new key” in front of the Key option. Select required configurations and click on create.
  11. Click on Select and then Save.
  12. Repeat the process for other accounts as well.

References:

https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption

Please feel free to reach out to support@pingsafe.ai with any questions that you may have.

Thanks

PingSafe Support