Severity Framework: Snyk CCSS
Rule category: Data / Encryption at Rest
Frameworks
CIS-Azure
CIS-Controls
CSA-CCM
GDPR
HIPAA
ISO-27001
NIST-800-53
SOC-2
- Snyk ID SNYK-CC-00662
- credit Snyk Research Team
Description
Encrypting the virtual machine's disks ensures that its entire content is fully unrecoverable without a key and thus protects the volume from unwarranted reads.
How to fix?
Set the disk_encryption_set_id attribute to a valid disk encryption set ID, and encryptionSettingsCollection to enabled.
Example Configuration
{
  "type": "Microsoft.Compute/disks",
  "apiVersion": "2022-07-02",
  "name": "allowed",
  "location": "[resourceGroup().location]",
  "sku": {
    "name": "Standard_LRS"
  },
  "properties": {
    "creationData": {
      "createOption": "Empty"
    },
    "dataAccessAuthMode": "AzureActiveDirectory",
    "diskSizeGB": "128",
    "encryption": {
      "diskEncryptionSetId": "/subscriptions/<subscriptions id >/resourceGroups/<resourceGroups name>/providers/Microsoft.Compute/diskEncryptionSets/662-diskset",
      "type": "EncryptionAtRestWithCustomerKey"
    }
  }
},
{
  "type": "Microsoft.Compute/disks",
  "apiVersion": "2022-07-02",
  "name": "allowed_2",
  "location": "[resourceGroup().location]",
  "sku": {
    "name": "Standard_LRS"
  },
  "properties": {
    "creationData": {
      "createOption": "Empty"
    },
    "dataAccessAuthMode": "AzureActiveDirectory",
    "diskSizeGB": "128",
    "encryptionSettingsCollection": {
      "enabled": "true",
      "encryptionSettings": [
        {
          "diskEncryptionKey": {
            "secretUrl": "<KeyVault secretURL>",
            "sourceVault": {
              "id": "/subscriptions/<subscriptions id >/resourceGroups/<resourceGroups name>/providers/Microsoft.KeyVault/vaults/keyvault-662"
            }
          }
        }
      ]
    }
  }
}
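
A pre-deployment check for the two settings above, added here as an example; it is not Snyk's rule logic. It assumes either setting alone is sufficient, as the two "allowed" resources suggest, and that resources sit in a top-level "resources" array. The "denied" resources and the sample template are constructed.

```python
import json

DISK_TYPE = "microsoft.compute/disks"  # ARM resource types are case-insensitive

def _is_true(value):
    # The page's example writes "enabled": "true" as a string; accept that and JSON true.
    return value is True or (isinstance(value, str) and value.strip().lower() == "true")

def disk_is_encrypted(resource):
    """True if the disk has a diskEncryptionSetId or an enabled encryptionSettingsCollection."""
    props = resource.get("properties") or {}
    des_id = (props.get("encryption") or {}).get("diskEncryptionSetId")
    if isinstance(des_id, str) and des_id.strip():
        return True
    collection = props.get("encryptionSettingsCollection") or {}
    return _is_true(collection.get("enabled"))

def find_unencrypted_disks(template):
    """Return the names of managed-disk resources that satisfy neither setting."""
    return [
        res.get("name", "<unnamed>")
        for res in template.get("resources", [])
        if isinstance(res, dict)
        and str(res.get("type", "")).lower() == DISK_TYPE
        and not disk_is_encrypted(res)
    ]

# Constructed sample template: two compliant disks, two that should be flagged.
SAMPLE = json.loads("""
{"resources": [
  {"type": "Microsoft.Compute/disks", "name": "allowed",
   "properties": {"encryption": {
     "diskEncryptionSetId": "<disk encryption set ID>",
     "type": "EncryptionAtRestWithCustomerKey"}}},
  {"type": "Microsoft.Compute/disks", "name": "allowed_2",
   "properties": {"encryptionSettingsCollection": {"enabled": "true"}}},
  {"type": "Microsoft.Compute/disks", "name": "denied",
   "properties": {"creationData": {"createOption": "Empty"}}},
  {"type": "Microsoft.Compute/disks", "name": "denied_2",
   "properties": {"encryptionSettingsCollection": {"enabled": "false"}}},
  {"type": "Microsoft.Storage/storageAccounts", "name": "not_a_disk"}
]}
""")

if __name__ == "__main__":
    for name in find_unencrypted_disks(SAMPLE):
        print(f"managed disk without encryption settings: {name}")
```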