Risk Level: High
Cloud Entity: Virtual Machine
CloudGuard Rule ID: D9.AZU.CRY.18
Covered by Spectral: No
Category: Compute

GSL LOGIC

VirtualMachine should have (disks contain [getResource('Disk',name,'name') contain [properties.encryptionSettingsCollection.enabled=true]])

REMEDIATION

From Portal

Create a cryptographic key in an Azure Key Vault.
Configure the cryptographic key to be usable for encrypting disks.
Enable disk encryption for your virtual disks.
The required cryptographic keys are requested from Azure Key Vault.
The virtual disks are encrypted using the provided cryptographic key.

From TF
NOTE : Set the 'enabled' argument to 'true':

resource "azurerm_managed_disk" "example" {
	..
	encryption_settings{
		enabled = true
		disk_encryption_key{
			..
			secret_url= 'KeySecretUrl'
			source_vault_id= 'KeySourceID'
			..
		}
	}
	..
}

From Command Line
To add update disk encryption to CMK, run:

az disk update --name DISKNAME --resource-group RESOURCEGROUP --encryption-type EncryptionAtRestWithCustomerKey --disk-encryption-set DISK_ENCRYPTION_SETID

References

Virtual Machine

Azure Virtual Machines (VM) is one of several types of on-demand, scalable computing resources that Azure offers. Typically, you choose a VM when you need more control over the computing environment than the other choices offer. This article gives you information about what you should consider before you create a VM, how you create it, and how you manage it.

Compliance Frameworks

AZU PCI-DSS 4.0
Azure CIS Foundations v. 1.1.0
Azure CIS Foundations v. 1.2.0
Azure CIS Foundations v. 1.3.0
Azure CIS Foundations v. 1.3.1
Azure CIS Foundations v. 1.4.0
Azure CIS Foundations v. 1.5.0
Azure CIS Foundations v.2.0
Azure CSA CCM v.4.0.1
Azure CloudGuard Best Practices
Azure CloudGuard CheckUp
Azure HITRUST v9.5.0
Azure ITSG-33
Azure NIST 800-53 Rev 5
Azure Security Risk Management
CloudGuard Azure All Rules Ruleset
Microsoft Cloud Security Benchmark