Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK)
Encrypting an IaaS VM's OS disk (boot volume) and data disks (non-boot volumes) makes their contents unreadable without the key, so a copied, snapshotted or detached disk yields nothing to anyone who cannot also obtain that key. With a customer-managed key (CMK) the key lives in your own Azure Key Vault, where you control its access policy, rotation and revocation, rather than in a platform-managed store; this gives stronger control than platform-managed encryption but requires additional planning (key vault placement, access grants and key lifecycle).
Risk Level: High
Cloud Entity: Virtual Machine
CloudGuard Rule ID: D9.AZU.CRY.18
Covered by Spectral: No
Category: Compute
GSL LOGIC
VirtualMachine should have (disks contain [getResource('Disk',name,'name') contain [properties.encryptionSettingsCollection.enabled=true]])
REMEDIATION
From Portal
- Create a cryptographic key in an Azure Key Vault.
- Configure the key vault and the key so they can be used for disk encryption (grant the disk encryption service access to retrieve the key).
- Enable disk encryption on the virtual machine's OS and data disks, selecting that key.
- Azure then requests the key from Azure Key Vault and encrypts the virtual disks with it.
From TF
NOTE : Set the 'enabled' argument to 'true' and point 'disk_encryption_key' at the Key Vault secret that holds the disk encryption key. HCL string values take double quotes; 'KeySecretUrl' and 'KeySourceID' below are placeholders for the secret URL and the Key Vault resource ID. In recent azurerm releases the 'enabled' argument is deprecated and the presence of the 'encryption_settings' block itself turns encryption on, so check the provider documentation linked below for your version.
resource "azurerm_managed_disk" "example" {
  # ... (name, location, resource_group_name, storage_account_type, create_option, ...)
  encryption_settings {
    enabled = true
    disk_encryption_key {
      # ...
      secret_url      = "KeySecretUrl"   # URL of the Key Vault secret holding the disk encryption key
      source_vault_id = "KeySourceID"    # resource ID of the Key Vault that contains that secret
      # ...
    }
  }
  # ...
}
From Command Line
To switch an existing managed disk to server-side encryption with a customer-managed key held in a disk encryption set (deallocate the VM the disk is attached to first), run:
az disk update --name DISKNAME --resource-group RESOURCEGROUP --encryption-type EncryptionAtRestWithCustomerKey --disk-encryption-set DISK_ENCRYPTION_SETID
Note that this command sets the disk's 'encryption.type' property, whereas the GSL logic above tests 'encryptionSettingsCollection.enabled', the property written by Azure Disk Encryption (the Key Vault based method used in the portal and Terraform steps). After remediation, confirm with 'az disk show' which of the two properties your configuration changed.
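The following audit script is an added example, not CloudGuard's code or Microsoft's. It applies the rule's condition (attached disks must have encryptionSettingsCollection.enabled set to true) to the JSON that 'az disk list -o json' emits, and additionally reports whether a flagged disk already carries server-side encryption with a customer-managed key, which the GSL logic as written does not count. The SAMPLE_DISKS records are constructed test data in the camelCase field layout of the az CLI; the subscription ID, resource names and disk encryption set are made up.

```python
"""Audit Azure managed disks against the rule above: attached disks must have
encryptionSettingsCollection.enabled == true.

Usage with live data:   az disk list -o json | python3 audit_disks.py
SAMPLE_DISKS below is constructed test data in the camelCase shape that
'az disk list -o json' emits; the subscription ID and names are made up.
"""
import json
import sys
from typing import Any

# Server-side encryption types that involve a customer-managed key (disk encryption set).
CMK_SSE_TYPES = {
    "EncryptionAtRestWithCustomerKey",
    "EncryptionAtRestWithPlatformAndCustomerKeys",
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed
VM_WEB01 = SUB + "/resourceGroups/prod-rg/providers/Microsoft.Compute/virtualMachines/web01"
DES_PROD = SUB + "/resourceGroups/prod-rg/providers/Microsoft.Compute/diskEncryptionSets/prod-des"

SAMPLE_DISKS: list[dict[str, Any]] = [
    {   # OS disk protected with Azure Disk Encryption: passes the rule
        "name": "web01_OsDisk", "resourceGroup": "prod-rg", "managedBy": VM_WEB01,
        "encryption": {"type": "EncryptionAtRestWithPlatformKey"},
        "encryptionSettingsCollection": {"enabled": True, "encryptionSettings": []},
    },
    {   # data disk using server-side CMK via a disk encryption set, no ADE: rule flags it
        "name": "web01_data0", "resourceGroup": "prod-rg", "managedBy": VM_WEB01,
        "encryption": {"type": "EncryptionAtRestWithCustomerKey", "diskEncryptionSetId": DES_PROD},
        "encryptionSettingsCollection": None,
    },
    {   # data disk with a platform-managed key only: rule flags it
        "name": "legacy_data1", "resourceGroup": "prod-rg", "managedBy": VM_WEB01,
        "encryption": {"type": "EncryptionAtRestWithPlatformKey"},
        "encryptionSettingsCollection": None,
    },
    {   # unattached disk: outside the rule's scope (VirtualMachine should have disks ...)
        "name": "orphan_data2", "resourceGroup": "prod-rg", "managedBy": None,
        "encryption": {"type": "EncryptionAtRestWithPlatformKey"},
        "encryptionSettingsCollection": None,
    },
]


def classify_disk(disk: dict[str, Any]) -> dict[str, Any]:
    """Summarise the encryption posture of one 'az disk list' record."""
    esc = disk.get("encryptionSettingsCollection") or {}
    sse_type = (disk.get("encryption") or {}).get("type") or ""
    return {
        "name": disk.get("name"),
        "resourceGroup": disk.get("resourceGroup"),
        "attached": bool(disk.get("managedBy")),      # rule scope: disks attached to a VM
        "ade_enabled": esc.get("enabled") is True,    # the property the GSL logic tests
        "sse_type": sse_type,
        "sse_cmk": sse_type in CMK_SSE_TYPES,         # CMK, but recorded in a different property
    }


def audit(disks: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Return the postures of attached disks that fail the rule (ADE not enabled)."""
    return [p for p in map(classify_disk, disks) if p["attached"] and not p["ade_enabled"]]


def remediation_command(finding: dict[str, Any], disk_encryption_set_id: str) -> str:
    """Build the 'From Command Line' remediation (server-side CMK) for one finding."""
    return (
        f"az disk update --name {finding['name']} --resource-group {finding['resourceGroup']} "
        f"--encryption-type EncryptionAtRestWithCustomerKey "
        f"--disk-encryption-set {disk_encryption_set_id}"
    )


if __name__ == "__main__":
    # Read real 'az disk list -o json' output from a pipe; fall back to the sample data.
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_DISKS
    for f in audit(data):
        note = "server-side CMK present, ADE absent" if f["sse_cmk"] else f"only {f['sse_type']}"
        print(f"{f['resourceGroup']}/{f['name']}: {note}")
```

Run against the sample, the script flags web01_data0 and legacy_data1 and skips the unattached orphan_data2; the note on web01_data0 shows why the ADE-based check and the disk-encryption-set remediation above should not be mixed without verifying which property ends up set.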
References
- https://learn.microsoft.com/en-us/azure/devtest-labs/encrypt-disks-customer-managed-keys
- https://learn.microsoft.com/en-us/azure/virtual-machines/disks-enable-customer-managed-keys-portal
- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/managed_disk#enabled
- https://learn.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-update
Virtual Machine
Azure Virtual Machines (VM) is one of several types of on-demand, scalable computing resources that Azure offers. Typically, you choose a VM when you need more control over the computing environment than the other choices offer, which also makes you responsible for the protection of its OS and data disks.
Compliance Frameworks
- AZU PCI-DSS 4.0
- Azure CIS Foundations v. 1.1.0
- Azure CIS Foundations v. 1.2.0
- Azure CIS Foundations v. 1.3.0
- Azure CIS Foundations v. 1.3.1
- Azure CIS Foundations v. 1.4.0
- Azure CIS Foundations v. 1.5.0
- Azure CIS Foundations v.2.0
- Azure CSA CCM v.4.0.1
- Azure CloudGuard Best Practices
- Azure CloudGuard CheckUp
- Azure HITRUST v9.5.0
- Azure ITSG-33
- Azure NIST 800-53 Rev 5
- Azure Security Risk Management
- CloudGuard Azure All Rules Ruleset
- Microsoft Cloud Security Benchmark
Updated about 1 year ago