Windows VM scale set encryption at host is disabled Affecting Compute service in Azure

Snyk CCSS

Data/ Encryption at Rest

Is your environment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

CIS-ControlsCSA-CCM

Snyk IDSNYK-CC-00510
creditSnyk Research Team

Report a new misconfiguration Found a mistake?

Description

Storage devices attached to the VM will not be encrypted at rest.

How to fix?

Set properties.securityProfile.encryptionAtHost attribute to true.

Set encryption_at_host_enabled attribute to true.

Example Configuration

resource "azurerm_windows_virtual_machine_scale_set" "allowed" {
  name                       = "vmss-510v"
  resource_group_name        = azurerm_resource_group.example510.name
  location                   = azurerm_resource_group.example510.location
  sku                        = "Standard_DS2_v2"
  instances                  = 1
  admin_password             = "P@55w0rd1234!"
  admin_username             = "adminuser"
  encryption_at_host_enabled = true

  os_disk {
    storage_account_type = "Standard_LRS"
    caching              = "ReadWrite"
  }

  source_image_reference {
    publisher = "MicrosoftWindowsServer"
    offer     = "WindowsServer"
    sku       = "2016-Datacenter"
    version   = "latest"
  }

  network_interface {
    name    = "example"
    primary = true

    ip_configuration {
      name      = "internal"
      primary   = true
      subnet_id = azurerm_subnet.internal.id
    }
  }
}

Terraform

Resource: azurerm_windows_virtual_machine_scale_set

References

Use the Azure CLI to enable end-to-end encryption using encryption at host