Verify that the storage account containing the container with activity logs is encrypted with Customer Managed Key
Why this matters
Azure Activity Logs may contain sensitive security and operational data. By default, these logs are encrypted with Microsoft-managed keys. Enabling Customer Managed Keys (CMKs) allows your organization to retain full control over encryption and key lifecycle management, aligning with stricter compliance requirements and data governance policies.
Using CMKs ensures that only authorized identities with explicit decryption rights can access log data—adding a second layer of access control beyond storage-level permissions.
What this check does
This Auto Check verifies that the Azure storage account configured for exporting Activity Logs uses Customer Managed Key encryption.
Check Logic:
Passes if:
- The storage account associated with Activity Log exports has encryption.keySource set to Microsoft.Keyvault and encryption.keyVaultProperties is not null.
Fails if:
- The key source is Microsoft.Storage (i.e., Microsoft-managed keys) or no CMK is configured.
The check queries:
- Active diagnostic settings for activity log export
- Associated storage account encryption configuration
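To make the pass/fail logic concrete, here is an added Python example (not the check's own implementation) that applies it to the encryption object in the shape returned by az storage account show; the account names and Key Vault URI are constructed sample data, and the JSON shape is an assumption.

```python
import json

# Constructed sample payloads (not real accounts) in the assumed shape of
# `az storage account show` output; only the `encryption` object matters here.
SAMPLE_ACCOUNTS = json.loads("""[
  {"name": "stlogscmk",
   "encryption": {"keySource": "Microsoft.Keyvault",
                  "keyVaultProperties": {"keyName": "activitylog-key",
                                         "keyVaultUri": "https://kv-example.vault.azure.net/",
                                         "keyVersion": ""}}},
  {"name": "stlogsmmk",
   "encryption": {"keySource": "Microsoft.Storage", "keyVaultProperties": null}},
  {"name": "stlogsbroken",
   "encryption": {"keySource": "Microsoft.Keyvault", "keyVaultProperties": null}}
]""")


def evaluate_cmk(account: dict) -> tuple[bool, str]:
    """Apply the check logic to one storage account and return (passed, reason)."""
    enc = account.get("encryption") or {}
    key_source = enc.get("keySource")
    kv_props = enc.get("keyVaultProperties")
    if key_source != "Microsoft.Keyvault":
        # Microsoft.Storage (or anything unexpected) means Microsoft-managed keys.
        return False, f"keySource is {key_source!r}; Microsoft-managed keys in use"
    if not kv_props:
        # keySource alone is not enough: the key reference must actually be set.
        return False, "keySource is Microsoft.Keyvault but keyVaultProperties is null"
    # An empty keyVersion is valid: the account then follows the latest key version.
    version = kv_props.get("keyVersion") or "<latest>"
    return True, f"CMK {kv_props.get('keyName')}@{kv_props.get('keyVaultUri')} (version {version})"


def run_check(accounts: list[dict]) -> dict[str, tuple[bool, str]]:
    """Evaluate every storage account an Activity Log export points at."""
    return {acct["name"]: evaluate_cmk(acct) for acct in accounts}


if __name__ == "__main__":
    for name, (passed, reason) in run_check(SAMPLE_ACCOUNTS).items():
        print(f"{'PASS' if passed else 'FAIL'}  {name}: {reason}")
```

The third sample account shows why the check tests keyVaultProperties as well as keySource: a key source of Microsoft.Keyvault with no key reference is still a failing configuration.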
How to fix it
Use Azure Portal, CLI, or PowerShell to configure a Customer Managed Key on the relevant storage account.
Azure Portal:
- Go to Monitor > Activity Log > Export Activity Logs.
- Select the subscription and note the associated Storage Account.
- Navigate to Storage Accounts, and select the noted account.
- Go to Encryption under Security + networking.
- Change Encryption type to Customer-managed keys.
- Select the appropriate Key Vault and CMK.
- Save the configuration.
Azure CLI:
az storage account update \
--name <storage-account-name> \
--resource-group <resource-group-name> \
--encryption-key-source Microsoft.Keyvault \
--encryption-key-vault <key-vault-uri> \
--encryption-key-name <key-name> \
--encryption-key-version <key-version>
PowerShell:
Set-AzStorageAccount `
-ResourceGroupName "<resource-group-name>" `
-Name "<storage-account-name>" `
-KeyvaultEncryption `
-KeyVaultUri "<key-vault-uri>" `
-KeyName "<key-name>"
Ensure the selected Key Vault allows the storage account identity to access and decrypt the key.
Exceptions
CMK is typically required in highly regulated environments. If your organization is using Microsoft-managed keys by design, document the risk acceptance and ensure logs are still protected under least privilege and access auditing policies. CMK configuration requires the Key Vault to be set up in advance, and responsibility for key rotation remains with your organization.