Severity Framework
CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of the rule.
Snyk CCSS
Rule category
Each rule is associated with a high-level category. For example IAM, Container, Monitoring, Logging, Network, etc.
Data/ Encryption at Rest
Is your environment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsFrameworks
CIS-Azure
- Snyk IDSNYK-CC-00696
- creditSnyk Research Team
Description
OS and data disks may contain sensitive data, and customer-managed keys provide users with more control than platform-managed keys.
How to fix?
Set the diskEncryptionSetId attribute in Microsoft.Compute/disks to the ID of a disk encryption set.
Example configuration:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Compute/disks",
"apiVersion": "2022-07-02",
"name": "example-allowed",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Compute/diskEncryptionSets', 'example-des-696')]",
"[resourceId('Microsoft.KeyVault/vaults/accessPolicies', 'example-keyvault696', 'add')]"
],
"sku": {
"name": "Standard_LRS"
},
"properties": {
"creationData": {
"createOption": "Empty"
},
"diskSizeGB": 1,
"encryption": {
"diskEncryptionSetId": "[resourceId('Microsoft.Compute/diskEncryptionSets', 'example-des-696')]"
}
}
}
]
}
Set the disk_encryption_set_id attribute to the ID of a disk encryption set.
Example configuration:
resource "azurerm_managed_disk" "allowed" {
name = "md696"
resource_group_name = azurerm_resource_group.example696.name
location = azurerm_resource_group.example696.location
storage_account_type = "Standard_LRS"
create_option = "Empty"
disk_size_gb = "1"
disk_encryption_set_id = azurerm_disk_encryption_set.example696.id
depends_on = [
"azurerm_key_vault_access_policy.example696"
]
}