Logging for storage account customer managed key rotation

Janne Kujanpää 206 Reputation points
2022-12-19T15:57:55.517+00:00

I followed this guide https://video2.skills-academy.com/en-us/azure/storage/common/customer-managed-keys-overview to set up CMK.

I can see from the storage account properties and the change analysis tool that a new key version was automatically configured.

I could not find any log entries in the activity log. Did I miss the key rotation log entries, or is it true that key rotations are not being logged?


Edit:

Second rotation just happened (12 hours ago) on the test environment:
* No entries in the activity log. Nothing there.
* This time no data even in the change analysis tool. Nothing there.
* Storage account properties.encryption.keyvaultproperties.lastKeyRotationTimestamp and currentVersionedKeyIdentifier were updated properly.

For me it looks like there is no reliable logging at all.

A screenshot of change analysis:
272182-image.png
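Since the thread reports that the rotation itself leaves no Activity Log entry while the account's own `encryption.keyvaultproperties.lastKeyRotationTimestamp` and `currentVersionedKeyIdentifier` properties are updated reliably, a defender who needs a rotation record can poll those properties and diff them against the last recorded snapshot. The script below is an added example, not code from the original post or from Microsoft; the vault name, key name, key versions and timestamps in the two embedded documents are constructed, and the document shape follows the ARM property names quoted in the question (Azure CLI and SDK output camel-case `keyvaultproperties` to `keyVaultProperties` and flatten `properties` to the top level, which the lookup tolerates). It also goes one step beyond the thread by distinguishing an expected version rotation of the same key from a change to a different key or vault, which is a configuration change worth alerting on.

```python
"""Detect a storage-account CMK rotation from the account's own properties.

Added example (not from the original Q&A post). Compares a freshly fetched
storage-account property document against the previously recorded snapshot
and classifies what changed in the customer-managed-key configuration.
"""
import json
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample snapshot: vault name, key name, version and timestamp are
# made up. Shape mirrors the ARM resource's encryption block.
PREVIOUS_SNAPSHOT_JSON = """{
  "name": "examplestorage",
  "properties": {
    "encryption": {
      "keySource": "Microsoft.Keyvault",
      "keyvaultproperties": {
        "keyvaulturi": "https://example-kv.vault.azure.net",
        "keyname": "storage-cmk",
        "keyversion": "",
        "currentVersionedKeyIdentifier": "https://example-kv.vault.azure.net/keys/storage-cmk/0123456789abcdef0123456789abcdef",
        "lastKeyRotationTimestamp": "2022-12-07T02:15:44.0000000Z"
      }
    }
  }
}"""

# Constructed "current" document: same key, new version, newer rotation timestamp.
CURRENT_PROPERTIES_JSON = """{
  "name": "examplestorage",
  "properties": {
    "encryption": {
      "keySource": "Microsoft.Keyvault",
      "keyvaultproperties": {
        "keyvaulturi": "https://example-kv.vault.azure.net",
        "keyname": "storage-cmk",
        "keyversion": "",
        "currentVersionedKeyIdentifier": "https://example-kv.vault.azure.net/keys/storage-cmk/fedcba9876543210fedcba9876543210",
        "lastKeyRotationTimestamp": "2022-12-19T02:16:10.0000000Z"
      }
    }
  }
}"""


def parse_arm_timestamp(value: str) -> datetime:
    """Parse ARM's UTC timestamp with a 7-digit fraction (e.g. 2022-12-07T02:15:44.0000000Z)."""
    base, _, frac = value.rstrip("Z").partition(".")
    micro = int((frac + "000000")[:6]) if frac else 0
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(
        microsecond=micro, tzinfo=timezone.utc)


def key_vault_properties(doc: dict) -> dict:
    """Return the CMK block, tolerating ARM (keyvaultproperties) and CLI (keyVaultProperties) names."""
    props = doc.get("properties", doc)  # CLI output flattens "properties" to the top level
    enc = props["encryption"]
    kv = enc.get("keyvaultproperties") or enc.get("keyVaultProperties")
    if kv is None:
        raise ValueError("account does not use a customer-managed key")
    return kv


def split_key_identifier(identifier: str) -> tuple:
    """Split https://<vault>/keys/<name>/<version> into (vault host, key name, version)."""
    parts = urlsplit(identifier)
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) != 3 or segments[0] != "keys":
        raise ValueError(f"unexpected key identifier: {identifier}")
    return parts.netloc.lower(), segments[1], segments[2]


def classify_change(previous_doc: dict, current_doc: dict) -> dict:
    """Classify the CMK change between two property documents.

    kind is one of:
      "none"            - same key and version
      "version-rotated" - same vault and key, new version (expected auto-rotation)
      "key-changed"     - different vault or key name (a configuration change)
    """
    prev, cur = key_vault_properties(previous_doc), key_vault_properties(current_doc)
    p_vault, p_key, p_ver = split_key_identifier(prev["currentVersionedKeyIdentifier"])
    c_vault, c_key, c_ver = split_key_identifier(cur["currentVersionedKeyIdentifier"])
    if (p_vault, p_key) != (c_vault, c_key):
        kind = "key-changed"
    elif p_ver != c_ver:
        kind = "version-rotated"
    else:
        kind = "none"
    prev_ts = parse_arm_timestamp(prev["lastKeyRotationTimestamp"])
    cur_ts = parse_arm_timestamp(cur["lastKeyRotationTimestamp"])
    return {
        "kind": kind,
        "key": f"{c_vault}/keys/{c_key}",
        "previous_version": p_ver,
        "current_version": c_ver,
        "rotated_at": cur_ts.isoformat(),
        "timestamp_advanced": cur_ts > prev_ts,
    }


def detect_from_json(previous_json: str, current_json: str) -> dict:
    """Convenience wrapper for documents held as JSON text (files, CLI output)."""
    return classify_change(json.loads(previous_json), json.loads(current_json))


if __name__ == "__main__":
    print(json.dumps(detect_from_json(PREVIOUS_SNAPSHOT_JSON, CURRENT_PROPERTIES_JSON), indent=2))
```

In practice the "current" document comes from `az storage account show -n <account> -g <resource-group> -o json` run on a schedule, with the previous run's output persisted as the snapshot; a `version-rotated` result is the rotation record the Activity Log does not give you, and a `key-changed` result deserves an alert because it means the account was pointed at a different key or vault. Key Vault's own diagnostic (AuditEvent) logging records operations on the key inside the vault, but not the moment the storage account adopted the new version, which is exactly the gap the thread describes.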


3 answers

  1. Sumarigo-MSFT 44,996 Reputation points Microsoft Employee
    2022-12-26T08:19:11.2+00:00

    @Janne Kujanpää Welcome to the Microsoft Q&A Forum. Thank you for posting your query here!

    Customer-managed keys are delivered on dedicated clusters, providing a higher protection level and control. Data on dedicated clusters is encrypted twice, once at the service level using Microsoft-managed keys or customer-managed keys, and once at the infrastructure level, using two different encryption algorithms and two different keys.

    For customer-managed keys for saved queries and log alerts, you can view them through the query language in Log Analytics.

    If we regenerate the access keys manually, that gets logged in the Activity Logs. The one you're mentioning here is about encryption keys; in that scenario you can use Azure Monitor.

    This article provides detailed information on Azure Monitor customer-managed keys.

    Please let us know if you have any further queries. I’m happy to assist you further.

    ----------

    Please do not forget to “accept answer” and “up-vote” wherever the information provided helps you; this can be beneficial to other community members.


  2. Janne Kujanpää 206 Reputation points
    2023-01-03T08:56:12.347+00:00

    Still nothing in the activity log, even though change analysis displays changes:

    275598-image.png
    275651-image.png


  3. Janne Kujanpää 206 Reputation points
    2023-01-29T14:54:34.6333333+00:00

    Storage account CMK rotations are not being logged at the moment. No known ETA for a fix.


    Source: support ticket: TrackingID#2301190050001532

    Date: 2022-01-20
