Azure-SecurityCenter-Monitor-Blob-Encryption

Severity: High

Description: This control checks that 'Audit missing blob encryption for storage account' is enabled for at least one policy assignment that uses the policy definition 'Enable Monitoring in Azure Security Center'. When this audit is enabled, Security Center flags storage accounts that do not have Storage Service Encryption turned on; once encryption is enabled on an account, any new data written to Azure Blobs and Files is encrypted at rest.

Remediation Steps:

Perform the following to update the assignment parameters:

  1. Login to Azure Portal using https://portal.azure.com.

  2. Go to Policy service.

  3. On the Policy overview page, click on the Default/Custom policy assignment.

  4. Click on Edit Assignments.

  5. In the Basics menu, check that no exclusions have been added for the resource group.

  6. Set Policy Enforcement to Enabled.

  7. Go to Parameters and set 'Audit missing blob encryption for storage account' to AuditIfNotExists.

  8. Click Review + save.

Important:

  • Along with the ASC Default assignment, there may be custom policy assignments that use the policy definition "Enable Monitoring in Azure Security Center". 'Audit missing blob encryption for storage account' must be enabled for at least one of these assignments.
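The portal steps above can be verified from the command line instead of by clicking through each assignment. The script below is an added example written for this page; it is not part of the original control text or of any Blue Hexagon tooling. It reads the JSON that `az policy assignment list --disable-scope-strict-match -o json` produces and reports whether at least one assignment of the Security Center initiative has the blob-encryption audit set, enforcement enabled and no resource-group exclusions, which is exactly the condition the "Important" note describes. The initiative resource ID (`1f3afdf9-…`) and the parameter name `storageEncryptionMonitoringEffect` are assumptions about the built-in definition and should be confirmed with `az policy set-definition list`; the sample assignments are constructed, not captured from a real tenant.

```python
"""
Offline check for the Azure-SecurityCenter-Monitor-Blob-Encryption control.

Input: the JSON array produced by
    az policy assignment list --disable-scope-strict-match -o json
Output: whether at least one assignment of the 'Enable Monitoring in Azure
Security Center' initiative audits missing blob encryption, is enforced, and
carries no resource-group exclusions (steps 5, 6 and 7 of the remediation).
"""
import json

# ASSUMPTION: resource ID of the built-in 'Enable Monitoring in Azure Security
# Center' (ASC Default) initiative; confirm with `az policy set-definition list`.
ASC_INITIATIVE_ID = (
    "/providers/Microsoft.Authorization/policySetDefinitions/"
    "1f3afdf9-d0c9-4c3d-847f-89da613e70a8"
)
# ASSUMPTION: initiative parameter behind the portal label
# 'Audit missing blob encryption for storage account'.
PARAM_NAME = "storageEncryptionMonitoringEffect"
REQUIRED_EFFECT = "AuditIfNotExists"


def assignment_audits_blob_encryption(assignment, initiative_default=REQUIRED_EFFECT):
    """Return True when a single assignment satisfies the control.

    An assignment's `parameters` only lists overrides; a missing key means the
    initiative's own default applies, which `initiative_default` supplies.
    Read that default from `az policy set-definition show` if the initiative
    has been customised rather than trusting the constant here.
    """
    definition = (assignment.get("policyDefinitionId") or "").lower()
    if definition != ASC_INITIATIVE_ID.lower():
        return False                      # not an ASC monitoring assignment
    if assignment.get("enforcementMode", "Default") != "Default":
        return False                      # step 6: enforcement must be enabled
    if assignment.get("notScopes"):
        return False                      # step 5: no resource-group exclusions
    params = assignment.get("parameters") or {}
    effect = params.get(PARAM_NAME, {}).get("value", initiative_default)
    return effect == REQUIRED_EFFECT      # step 7: audit effect in place


def evaluate_control(assignments, initiative_default=REQUIRED_EFFECT):
    """Summarise all assignments; the control passes when at least one does."""
    passing = [
        a.get("name") for a in assignments
        if assignment_audits_blob_encryption(a, initiative_default)
    ]
    return {"compliant": bool(passing), "passing_assignments": passing}


def evaluate_from_json(json_text, initiative_default=REQUIRED_EFFECT):
    """Convenience wrapper for raw `az policy assignment list` output."""
    return evaluate_control(json.loads(json_text), initiative_default)


# CONSTRUCTED sample in the shape `az policy assignment list` returns, trimmed
# to the fields the check reads. Only 'asc-custom-ok' satisfies every step.
SAMPLE_ASSIGNMENTS_JSON = """
[
  {"name": "SecurityCenterBuiltIn",
   "policyDefinitionId": "%(asc)s",
   "enforcementMode": "DoNotEnforce",
   "notScopes": [],
   "parameters": {}},
  {"name": "asc-custom-excluded-rg",
   "policyDefinitionId": "%(asc)s",
   "enforcementMode": "Default",
   "notScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/legacy-rg"],
   "parameters": {"%(param)s": {"value": "AuditIfNotExists"}}},
  {"name": "asc-custom-disabled",
   "policyDefinitionId": "%(asc)s",
   "enforcementMode": "Default",
   "notScopes": [],
   "parameters": {"%(param)s": {"value": "Disabled"}}},
  {"name": "asc-custom-ok",
   "policyDefinitionId": "%(asc)s",
   "enforcementMode": "Default",
   "notScopes": [],
   "parameters": {"%(param)s": {"value": "AuditIfNotExists"}}},
  {"name": "unrelated-policy",
   "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/00000000-0000-0000-0000-00000000abcd",
   "enforcementMode": "Default",
   "notScopes": [],
   "parameters": {}}
]
""" % {"asc": ASC_INITIATIVE_ID, "param": PARAM_NAME}


if __name__ == "__main__":
    print(json.dumps(evaluate_from_json(SAMPLE_ASSIGNMENTS_JSON), indent=2))
```

Note that the built-in `SecurityCenterBuiltIn` assignment in the sample fails only because of its `DoNotEnforce` mode: it inherits the initiative default for the parameter, so flipping enforcement back on would make it pass without touching Parameters. That is why the check treats an absent parameter as the initiative default instead of as a failure.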

Reference:

Blue Hexagon Proprietary