compliance controls are associated with this Policy definition 'Maintain integrity of audit system' (c0559109-6a27-a217-6821-5a6d44f92897)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| CIS_Azure_1.1.0 |
5.1.6 |
CIS_Azure_1.1.0_5.1.6 |
CIS Microsoft Azure Foundations Benchmark recommendation 5.1.6 |
5 Logging and Monitoring |
Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key) |
Shared |
The customer is responsible for implementing this recommendation. |
The storage account with the activity log export container is configured to use BYOK (Use Your Own Key). |
link |
4 |
| CIS_Azure_1.3.0 |
5.1.4 |
CIS_Azure_1.3.0_5.1.4 |
CIS Microsoft Azure Foundations Benchmark recommendation 5.1.4 |
5 Logging and Monitoring |
Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key) |
Shared |
The customer is responsible for implementing this recommendation. |
The storage account with the activity log export container is configured to use BYOK (Use Your Own Key). |
link |
4 |
| CIS_Azure_1.4.0 |
5.1.4 |
CIS_Azure_1.4.0_5.1.4 |
CIS Microsoft Azure Foundations Benchmark recommendation 5.1.4 |
5 Logging and Monitoring |
Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key) |
Shared |
The customer is responsible for implementing this recommendation. |
The storage account with the activity log export container is configured to use BYOK (Use Your Own Key). |
link |
4 |
| CIS_Azure_2.0.0 |
5.1.4 |
CIS_Azure_2.0.0_5.1.4 |
CIS Microsoft Azure Foundations Benchmark recommendation 5.1.4 |
5.1 |
Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key |
Shared |
**NOTE:** You must have your key vault setup to utilize this.
All Audit Logs will be encrypted with a key you provide. You will need to set up customer managed keys separately, and you will select which key to use via the instructions here. You will be responsible for the lifecycle of the keys, and will need to manually replace them at your own determined intervals to keep the data secure. |
Storage accounts with the activity log exports can be configured to use Customer Managed Keys (CMK).
Configuring the storage account with the activity log export container to use CMKs provides additional confidentiality controls on log data, as a given user must have read permission on the corresponding storage account and must be granted decrypt permission by the CMK. |
link |
4 |
| FedRAMP_High_R4 |
AU-9(3) |
FedRAMP_High_R4_AU-9(3) |
FedRAMP High AU-9 (3) |
Audit And Accountability |
Cryptographic Protection |
Shared |
n/a |
The information system implements cryptographic mechanisms to protect the integrity of audit information and audit tools.
Supplemental Guidance: Cryptographic mechanisms used for protecting the integrity of audit information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. Related controls: AU-10, SC-12, SC-13. |
link |
1 |
| NIST_SP_800-171_R2_3 |
.3.8 |
NIST_SP_800-171_R2_3.3.8 |
NIST SP 800-171 R2 3.3.8 |
Audit and Accountability |
Protect audit information and audit logging tools from unauthorized access, modification, and deletion. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Audit information includes all information (e.g., audit records, audit log settings, and audit reports) needed to successfully audit system activity. Audit logging tools are those programs and devices used to conduct audit and logging activities. This requirement focuses on the technical protection of audit information and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by media protection and physical and environmental protection requirements. |
link |
4 |
| NIST_SP_800-53_R4 |
AU-9(3) |
NIST_SP_800-53_R4_AU-9(3) |
NIST SP 800-53 Rev. 4 AU-9 (3) |
Audit And Accountability |
Cryptographic Protection |
Shared |
n/a |
The information system implements cryptographic mechanisms to protect the integrity of audit information and audit tools.
Supplemental Guidance: Cryptographic mechanisms used for protecting the integrity of audit information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. Related controls: AU-10, SC-12, SC-13. |
link |
1 |
| NIST_SP_800-53_R5 |
AU-9(3) |
NIST_SP_800-53_R5_AU-9(3) |
NIST SP 800-53 Rev. 5 AU-9 (3) |
Audit and Accountability |
Cryptographic Protection |
Shared |
n/a |
Implement cryptographic mechanisms to protect the integrity of audit information and audit tools. |
link |
1 |