Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK)

Encrypting the IaaS VM's OS disk (boot volume), Data disks (non-boot volume) ensures that the entire content is fully unrecoverable without a key and thus protects the volume from unwarranted reads. CMK is superior encryption although requires additional planning.

Risk Level: High
Cloud Entity: Virtual Machine
CloudGuard Rule ID: D9.AZU.CRY.18
Covered by Spectral: No
Category: Compute


VirtualMachine should have (disks contain [getResource('Disk',name,'name') contain [properties.encryptionSettingsCollection.enabled=true]])


From Portal

  1. Create a cryptographic key in an Azure Key Vault.
  2. Configure the cryptographic key to be usable for encrypting disks.
  3. Enable disk encryption for your virtual disks.
  4. The required cryptographic keys are requested from Azure Key Vault.
  5. The virtual disks are encrypted using the provided cryptographic key.

From TF
NOTE : Set the 'enabled' argument to 'true':

resource "azurerm_managed_disk" "example" {
		enabled = true
			secret_url= 'KeySecretUrl'
			source_vault_id= 'KeySourceID'

From Command Line
To add update disk encryption to CMK, run:

az disk update --name DISKNAME --resource-group RESOURCEGROUP --encryption-type EncryptionAtRestWithCustomerKey --disk-encryption-set DISK_ENCRYPTION_SETID


  1. https://learn.microsoft.com/en-us/azure/devtest-labs/encrypt-disks-customer-managed-keys
  2. https://learn.microsoft.com/en-us/azure/virtual-machines/disks-enable-customer-managed-keys-portal
  3. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/managed_disk#enabled
  4. https://learn.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-update

Virtual Machine

Azure Virtual Machines (VM) is one of several types of on-demand, scalable computing resources that Azure offers. Typically, you choose a VM when you need more control over the computing environment than the other choices offer. This article gives you information about what you should consider before you create a VM, how you create it, and how you manage it.

Compliance Frameworks

  • AZU PCI-DSS 4.0
  • Azure CIS Foundations v. 1.1.0
  • Azure CIS Foundations v. 1.2.0
  • Azure CIS Foundations v. 1.3.0
  • Azure CIS Foundations v. 1.3.1
  • Azure CIS Foundations v. 1.4.0
  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v.2.0
  • Azure CSA CCM v.4.0.1
  • Azure CloudGuard Best Practices
  • Azure CloudGuard CheckUp
  • Azure HITRUST v9.5.0
  • Azure ITSG-33
  • Azure NIST 800-53 Rev 5
  • Azure Security Risk Management
  • CloudGuard Azure All Rules Ruleset
  • Microsoft Cloud Security Benchmark