CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of the rule.
Each rule is associated with a high-level category. For example IAM, Container, Monitoring, Logging, Network, etc.
Is your environment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-CC-00662
- creditSnyk Research Team
Description
Encrypting the virtual machine's disks ensures that its entire content is fully unrecoverable without a key and thus protects the volume from unwarranted reads.
How to fix?
Set the disk_encryption_set_id attribute to a valid disk encryption set ID, and encryptionSettingsCollection to enabled.
Example configuration:
{
"type": "Microsoft.Compute/disks",
"apiVersion": "2022-07-02",
"name": "allowed",
"location": "[resourceGroup().location]",
"sku": {
"name": "Standard_LRS"
},
"properties": {
"creationData": {
"createOption": "Empty"
},
"dataAccessAuthMode": "AzureActiveDirectory",
"diskSizeGB": "128",
"encryption": {
"diskEncryptionSetId": "/subscriptions/<subscriptions id >/resourceGroups/<resourceGroups name>/providers/Microsoft.Compute/diskEncryptionSets/662-diskset",
"type": "EncryptionAtRestWithCustomerKey"
}
}
},
{
"type": "Microsoft.Compute/disks",
"apiVersion": "2022-07-02",
"name": "allowed_2",
"location": "[resourceGroup().location]",
"sku": {
"name": "Standard_LRS"
},
"properties": {
"creationData": {
"createOption": "Empty"
},
"dataAccessAuthMode": "AzureActiveDirectory",
"diskSizeGB": "128",
"encryptionSettingsCollection": {
"enabled": "true",
"encryptionSettings": [
{
"diskEncryptionKey": {
"secretUrl": "<KeyVault secretURL>",
"sourceVault": {
"id": "/subscriptions/<subscriptions id >/resourceGroups/<resourceGroups name>/providers/Microsoft.KeyVault/vaults/keyvault-662"
}
}
}
]
}
}
}
Set the disk_encryption_set_id attribute to a valid disk encryption set ID.
For Azure provider versions <= 3.25.0, set the encryption_settings.enabled attribute to true.
Example configuration:
resource "azurerm_managed_disk" "allowed" {
name = "acctestmdexkv662662"
location = azurerm_resource_group.example662.location
resource_group_name = azurerm_resource_group.example662.name
storage_account_type = "Standard_LRS"
create_option = "Empty"
disk_size_gb = "1"
disk_encryption_set_id = azurerm_disk_encryption_set.example662.id
}
# Azure provider versions <= 3.25.0
resource "azurerm_managed_disk" "allowed2" {
name = "acctestmdallowed662"
location = azurerm_resource_group.example662.location
resource_group_name = azurerm_resource_group.example662.name
storage_account_type = "Standard_LRS"
create_option = "Empty"
disk_size_gb = "1"
encryption_settings {
enabled = true
disk_encryption_key {
secret_url = azurerm_key_vault_secret.example662.id
source_vault_id = azurerm_key_vault.example662.id
}
}
}