Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK)

Managed disks are encrypted by default with Platform-managed keys. Using Customer-managed keys may provide an additional level of security or meet an organization's regulatory requirements. Encrypting managed disks ensures that its entire content is fully unrecoverable without a key and thus protects the volume from unwarranted reads. Even if the disk is not attached to any of the VMs, there is always a risk where a compromised user account with administrative access to VM service can mount/attach these data disks which may lead to sensitive information disclosure and tampering.

Risk Level: Low
Cloud Entity: Azure Disk Storage
CloudGuard Rule ID: D9.AZU.CRY.26
Covered by Spectral: No
Category: Compute


Disk where properties.diskState='Unattached' should have properties.encryption='EncryptionAtRestWithPlatformAndCustomerKeys' or properties.encryption='EncryptionAtRestWithCustomerKey'


From Portal

  1. Go to Disks
  2. Click on Add Filter
  3. In the filter field select Disk state
  4. In the Value field select Unattached
  5. Click Apply
  6. For each disk listed ensure that Encryption type in the encryption blade is Encryption at-rest with a customer-managed key.
  7. Select the 'Disk Encryption Set' and Click on Save.

Note:You must have your key vault and Disk EncryptionSet in order to configure this.

From TF
Set the 'enabled' argument to 'true':

resource "azurerm_managed_disk" "example" {
		enabled = true
			secret_url= 'KeySecretUrl'
			source_vault_id= 'KeySourceID'

From Command Line

az disk update --name DISKNAME --resource-group RESOURCEGROUPNAME --encryption-type EncryptionAtRestWithCustomerKey --disk-encryption-set DISKENCRYPTIONID


Azure Disk Storage

Designed to be used with Azure Virtual Machines and Azure VMware Solution (in preview), Azure Disk Storage offers high-performance, durable block storage for your mission- and business-critical applications

Compliance Frameworks

  • AZU PCI-DSS 4.0
  • Azure CIS Foundations v. 1.1.0
  • Azure CIS Foundations v. 1.2.0
  • Azure CIS Foundations v. 1.3.0
  • Azure CIS Foundations v. 1.3.1
  • Azure CIS Foundations v. 1.4.0
  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v.2.0
  • Azure CloudGuard Best Practices
  • Azure HITRUST v9.5.0
  • Azure ITSG-33
  • Azure NIST 800-53 Rev 5
  • Azure Security Risk Management
  • CloudGuard Azure All Rules Ruleset
  • Microsoft Cloud Security Benchmark