Virtual Machines should use Managed Disks
Affecting Storage service in Azure


Severity medium
Severity Framework Snyk CCSS
Rule category Data / Encryption Protocols

  • Frameworks CIS-Azure
  • Snyk ID SNYK-CC-00695
  • credit Snyk Research Team

Description

Virtual Machines should use Managed Disks. Managed disks are designed with security and reliability in mind, so in most cases users should use managed disks instead of their own disks. Managed disks are encrypted by default with Microsoft-managed keys, are integrated with availability sets, and support availability zones for high availability.

How to fix?

Virtual Machines should use Managed Disks for OS and data.

Example Configuration

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "adminPassword": {
            "type": "securestring"
        }
    },
    "resources": [
        {
            "type": "Microsoft.Compute/virtualMachines",
            "apiVersion": "2022-03-01",
            "name": "allowed1",
            "location": "[resourceGroup().location]",
            "dependsOn": [
                "[resourceId('Microsoft.Network/networkInterfaces', 'example-nic1-695')]",
                "[resourceId('Microsoft.Compute/disks', 'example-md1-695')]"
            ],
            "properties": {
                "hardwareProfile": {
                    "vmSize": "Standard_DS1_v2"
                },
                "osProfile": {
                    "computerName": "hostname695-1",
                    "adminUsername": "testadmin",
                    "adminPassword": "[parameters('adminPassword')]"
                },
                "storageProfile": {
                    "imageReference": {
                        "publisher": "Canonical",
                        "offer": "UbuntuServer",
                        "sku": "16.04-LTS",
                        "version": "latest"
                    },
                    "osDisk": {
                        "name": "myosdisk695-1",
                        "createOption": "FromImage",
                        "deleteOption": "Delete",
                        "managedDisk": {
                            "storageAccountType": "Standard_LRS"
                        }
                    },
                    "dataDisks": [
                        {
                            "name": "example-md1-695",
                            "diskSizeGB": "[reference(resourceId('Microsoft.Compute/disks', 'example-md1-695'), '2022-03-02', 'Full').properties.diskSizeGB]",
                            "lun": 0,
                            "createOption": "Attach",
                            "deleteOption": "Delete",
                            "managedDisk": {
                                "id": "[resourceId('Microsoft.Compute/disks', 'example-md1-695')]"
                            }
                        }
                    ]
                },
                "networkProfile": {
                    "networkInterfaces": [
                        {
                            "id": "[resourceId('Microsoft.Network/networkInterfaces', 'example-nic1-695')]"
                        }
                    ]
                },
                "diagnosticsProfile": {
                    "bootDiagnostics": {
                        "enabled": false
                    }
                }
            }
        }
    ]
}
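
The rule can be checked against a template before it is deployed. The following Python check is an added example, not Snyk's rule implementation or code from the original page: it walks an ARM template, including nested deployments (which goes beyond the single-VM template shown above), and reports every VM disk that references a "vhd" blob instead of "managedDisk". The function names and the sample template are constructed for illustration.

```python
import json

VM_TYPE = "microsoft.compute/virtualmachines"

def walk(resources):
    """Yield every resource, including child resources and nested deployments."""
    for res in resources:
        yield res
        yield from walk(res.get("resources", []))
        nested = res.get("properties", {}).get("template", {})
        yield from walk(nested.get("resources", []))

def unmanaged_disks(template):
    """Return (vm name, disk slot, vhd uri) for each disk backed by a VHD blob."""
    findings = []
    for res in walk(template.get("resources", [])):
        if res.get("type", "").lower() != VM_TYPE:
            continue
        profile = res.get("properties", {}).get("storageProfile", {})
        slots = [("osDisk", profile.get("osDisk", {}))]
        slots += [(f"dataDisks[{i}]", d)
                  for i, d in enumerate(profile.get("dataDisks", []))]
        for slot, disk in slots:
            # An unmanaged disk names a page blob under "vhd" instead of "managedDisk".
            if "vhd" in disk and "managedDisk" not in disk:
                findings.append((res.get("name"), slot, disk["vhd"].get("uri")))
    return findings

# Constructed sample template (not from the page): vm-a mixes a managed OS disk
# with an unmanaged data disk; vm-b sits in a nested deployment with a VHD OS disk.
SAMPLE = json.loads("""
{"resources": [
  {"type": "Microsoft.Compute/virtualMachines", "name": "vm-a", "properties": {"storageProfile": {
     "osDisk": {"createOption": "FromImage", "managedDisk": {"storageAccountType": "Standard_LRS"}},
     "dataDisks": [{"lun": 0, "createOption": "Empty",
                    "vhd": {"uri": "https://examplestore.blob.core.windows.net/vhds/data0.vhd"}}]}}},
  {"type": "Microsoft.Resources/deployments", "name": "nested", "properties": {"template": {"resources": [
     {"type": "Microsoft.Compute/virtualMachines", "name": "vm-b", "properties": {"storageProfile": {
        "osDisk": {"createOption": "FromImage",
                   "vhd": {"uri": "https://examplestore.blob.core.windows.net/vhds/os.vhd"}}}}}]}}}
]}
""")

if __name__ == "__main__":
    for vm, slot, uri in unmanaged_disks(SAMPLE):
        print(f"{vm}: {slot} is unmanaged ({uri})")
```

An empty result means no VM in the template declares a VHD-backed disk, which is the outcome expected for a template shaped like the example configuration above.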