This post is part of a series, for the series contents see:
Now that I’ve got some infrastructure in place I thought it was worth having a play with Azure Security Center.
It looks like it gets enabled automatically, as the free tier was already up and running on my subscription and had created its own storage account for the data. Not really ideal as I like to use my own naming standard, so, first things first, I set up a new storage account in my security resource group for the data.
As it’s going to be holding security data it seemed like a good opportunity to create an encrypted blob storage account.
```powershell
# Log in to Azure and Resource Manager
Add-AzureAccount
Login-AzureRmAccount

# Just in case you have multiple subscriptions, check which one you're working in
Get-AzureSubscription
# If you need to select your test subscription use:
# Set-AzureSubscription -SubscriptionName <name>

# First the resource group
$RGName = "security-rg"
$Location = "North Europe"

# Create an encrypted storage account for Azure Security Center
# Currently encryption is only available for Azure Blob
New-AzureRmStorageAccount -ResourceGroupName $RGName -AccountName "securitylogstr" -Location $Location -Type "Standard_LRS" -EnableEncryptionService Blob
```
I struggled to find the PowerShell to set this up documented anywhere but managed to find it by simply playing with the options of the cmdlet. The key switch is “-EnableEncryptionService Blob” to turn on the encryption. I’m specifying “blob” storage here as it works for me, but in reality it’s the only option available at the moment anyway as specified here.
One thing about storage account encryption is that you need to set it up up front. If you enable encryption on an existing storage account, it only applies to data written there from that point onward; anything that was already there won’t be retrospectively encrypted. Another thing to note is that you don’t hold the keys, Microsoft does, although it does appear that there are plans to change that in the future.
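To check that caveat on a real account, the following added example (not part of the original post) reads the account's blob encryption state and lists blobs last written before encryption was switched on. It assumes a logged-in AzureRM session with the AzureRM.Storage and Azure.Storage modules, reuses the account names from above, and treats the `LastModified` comparison as a heuristic rather than a per-blob encryption flag.

```powershell
# Added example: audit blob encryption on the Security Center storage account.
# Names below are the ones used earlier in the post.
$RGName      = "security-rg"
$AccountName = "securitylogstr"

$account = Get-AzureRmStorageAccount -ResourceGroupName $RGName -Name $AccountName
$blobSvc = $account.Encryption.Services.Blob

# No Encryption block, or Enabled = $false, means nothing is encrypted at rest
if (-not $blobSvc -or -not $blobSvc.Enabled) {
    Write-Warning "Blob encryption is NOT enabled on $AccountName"
    return
}

# Assumption: LastEnabledTime is reported in UTC by the service
$enabledAt = ([datetime]$blobSvc.LastEnabledTime).ToUniversalTime()
Write-Output "Blob encryption enabled on $AccountName since $($enabledAt.ToString('u'))"

# Walk every container and flag blobs last written before the enable time.
# Heuristic: such blobs predate encryption and would need rewriting or
# copying to be stored encrypted.
foreach ($container in Get-AzureStorageContainer -Context $account.Context) {
    Get-AzureStorageBlob -Container $container.Name -Context $account.Context |
        Where-Object { $_.LastModified.UtcDateTime -lt $enabledAt } |
        Select-Object @{ n = 'Container'; e = { $container.Name } },
                      Name,
                      LastModified
}
```

An empty result on a freshly created account, like the one above, is the expected outcome; any rows returned on an older account are the blobs to rewrite.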
There doesn’t seem to be much in the way of PowerShell cmdlets to configure Security Center yet, so into the GUI we go, first of all simply to set it to log data to my new storage account:
Then to switch from the free tier to the standard tier, simply because you can try it for 60 days for free, so I thought: why not?
With everything enabled here’s what Azure recommends for me:
I guess that means my next post will be about disk encryption….