Help Center
Go back to application
Help Center
Go back to application
Platform Terms GlossarySupport and Bug Reporting
Task Management
Task Management explained Creating Tasks Setting up Task NotificationsGiving permissions to team members
Organization
Working together in KertosInviting UsersCreating rolesAssigning System AccessCreating Departments and Assigning Users
Integrations
Discovery
Tasks
Device Management
Human Resource Information Systems
Inventory
Inventorization of vendorsInventorization of systemsInventorization of assetsEU AI Act: Inventorization of AI use cases
Risks
Managing risks
Trust Center
Setting up your trust center
Incidents
Reporting incidents
KAIA
KAIA explainedPrinciples of AI at Kertos
Interacting with KAIA
Compliance
Frameworks explainedManaging & implementing controlsCreating & managing policiesCompleting & assigning trainingsGuidance
Privacy Management
Creating a RoPACreating TOMsCreating DPIAs
Data Subject Requests
API Reference
Ingress API Docs for DSRs Webhook API Docs for DSRs
Auto Checks
Auto Checks explainedAuto Checks: AWS Auto Checks: GCPAuto Checks: AzureEnabling Auto Checks by Reconfiguring the Azure IntegrationEnabling Auto Checks by Reconfiguring the GCP IntegrationEnabling Auto Checks by Reconfiguring the AWS Integration
AWS Auto Checks Detailed Explanations
Azure Auto Checks Detailed Explanations
Verify that Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database ServerVerify that server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database ServerVerify that server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database ServerVerify that server parameter 'log_connections' is set to 'ON' for PostgreSQL Database ServerVerify that 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database ServerVerify that Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database ServerVerify that Activity Log Alert exists for Create Policy AssignmentVerify that Activity Log Alert exists for Create or Update Public IP Address ruleVerify that Activity Log Alert exists for Delete SQL Server Firewall RuleVerify that Activity Log Alert exists for Create or Update SQL Server Firewall RuleVerify that Activity Log Alert exists for Delete Network Security GroupVerify that the storage account containing the container with activity logs is encrypted with Customer Managed KeyVerify that Activity Log Alert exists for Delete Policy AssignmentVerify that Activity Log Alert exists for Create or Update Network Security GroupVerify that Diagnostic Setting captures appropriate categoriesVerify that Activity Log Alert exists for Create or Update Security SolutionVerify that Activity Log Alert exists for Delete Public IP Address ruleVerify that logging for Azure AppService 'HTTP logs' is enabledVerify that logging for Azure Key Vault is 'Enabled'Verify that the Expiration Date is set for all Keys in RBAC Key VaultsEnable Role Based Access Control for Azure Key VaultVerify that Private Endpoints are Used for Azure Key VaultVerify that the Key Vault is RecoverableVerify that HTTP(S) access from the Internet is evaluated and restricted

Verify that the storage account containing the container with activity logs is encrypted with Customer Managed Key

Framework Reference: A.8.24 Integration: Azure – Monitor + Storage Accounts

Why this matters

Azure Activity Logs may contain sensitive security and operational data. By default, these logs are encrypted with Microsoft-managed keys. Enabling Customer Managed Keys (CMKs) allows your organization to retain full control over encryption and key lifecycle management, aligning with stricter compliance requirements and data governance policies.

Using CMKs ensures that only authorized identities with explicit decryption rights can access log data—adding a second layer of access control beyond storage-level permissions.

What this check does

This Auto Check verifies that the Azure storage account configured for exporting Activity Logs uses Customer Managed Key encryption.

Check Logic:
Passes if:

  • The storage account associated with Activity Log exports has:
  • encryption.keySource set to Microsoft.Keyvault
  • encryption.keyVaultProperties is not null

Fails if:

  • The key source is Microsoft.Storage (i.e., Microsoft-managed keys) or if no CMK is configured.
  • The check queries:
  • Active diagnostic settings for activity log export
  • Associated storage account encryption configuration

How to fix it

Use Azure Portal, CLI, or PowerShell to configure a Customer Managed Key on the relevant storage account.

Azure Portal:

  1. Go to Monitor > Activity Log > Export Activity Logs.
  2. Select the subscription and note the associated Storage Account.
  3. Navigate to Storage Accounts, and select the noted account.
  4. Go to Encryption under Security + networking.
  5. Change Encryption type to Customer-managed keys.
  6. Select the appropriate Key Vault and CMK.
  7. Save the configuration.

Azure CLI:

az storage account update \  --name <storage-account-name> \  --resource-group <resource-group-name> \  --encryption-key-source Microsoft.Keyvault \  --encryption-key-vault <key-vault-uri> \  --encryption-key-name <key-name> \  --encryption-key-version <key-version>

PowerShell:

Set-AzStorageAccount `  -ResourceGroupName "<resource-group-name>" `  -Name "<storage-account-name>" `  -KeyvaultEncryption `  -KeyVaultUri "<key-vault-uri>" `  -KeyName "<key-name>"

Ensure the selected Key Vault allows the storage account identity to access and decrypt the key.

Exceptions

CMK is typically required in highly regulated environments. If your organization is using Microsoft-managed keys by design, document the risk acceptance and ensure logs are still protected under least privilege and access auditing policies. CMK configuration requires pre-setup of Key Vault and key rotation responsibility remains with your organization.

Further resources

Was this article helpful?

Powered by Product Fruits