Virtual machine OS or data disk is not encrypted with customer-managed key Affecting Compute service in Azure


Severity
    medium
    Severity Framework
    Snyk CCSS
    Rule category
    Data / Encryption at Rest

    Frameworks
    CIS-Azure
  • Snyk ID SNYK-CC-00696
  • credit Snyk Research Team

Description

OS and data disks may contain sensitive data, and customer-managed keys provide users with more control than platform-managed keys.

How to fix?

Set properties.encryption.diskEncryptionSetId on the Microsoft.Compute/disks resource to the resource ID of a disk encryption set, so the disk is encrypted with a customer-managed key instead of the platform-managed default.

Example Configuration

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": "Microsoft.Compute/disks",
            "apiVersion": "2022-07-02",
            "name": "example-allowed",
            "location": "[resourceGroup().location]",
            "dependsOn": [
                "[resourceId('Microsoft.Compute/diskEncryptionSets', 'example-des-696')]",
                "[resourceId('Microsoft.KeyVault/vaults/accessPolicies', 'example-keyvault696', 'add')]"
            ],
            "sku": {
                "name": "Standard_LRS"
            },
            "properties": {
                "creationData": {
                    "createOption": "Empty"
                },
                "diskSizeGB": 1,
                "encryption": {
                    "diskEncryptionSetId": "[resourceId('Microsoft.Compute/diskEncryptionSets', 'example-des-696')]"
                }
            }
        }
    ]
}
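The check this rule performs can be reproduced locally before a template is deployed. The following Python script is an added example, not Snyk's own rule engine or code from this page: it walks an ARM template (including inline child resources), finds every Microsoft.Compute/disks resource and reports the ones whose properties.encryption.diskEncryptionSetId is missing or empty, which is exactly the condition this rule flags. The template embedded in the script is constructed for the example; the resource names in it are not from the page.

```python
import json

# Constructed sample template (not from the Snyk page): one compliant disk,
# two non-compliant disks (no encryption block / empty id) and an unrelated resource.
SAMPLE_TEMPLATE = json.loads(r"""
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Compute/disks",
      "apiVersion": "2022-07-02",
      "name": "os-disk-cmk",
      "properties": {
        "creationData": {"createOption": "Empty"},
        "diskSizeGB": 1,
        "encryption": {
          "diskEncryptionSetId": "[resourceId('Microsoft.Compute/diskEncryptionSets', 'example-des')]"
        }
      }
    },
    {
      "type": "Microsoft.Compute/disks",
      "apiVersion": "2022-07-02",
      "name": "data-disk-default",
      "properties": {
        "creationData": {"createOption": "Empty"},
        "diskSizeGB": 1
      }
    },
    {
      "type": "Microsoft.Compute/disks",
      "apiVersion": "2022-07-02",
      "name": "data-disk-empty-id",
      "properties": {
        "creationData": {"createOption": "Empty"},
        "diskSizeGB": 1,
        "encryption": {"diskEncryptionSetId": ""}
      }
    },
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2022-09-01",
      "name": "unrelated"
    }
  ]
}
""")

# ARM resource types are matched case-insensitively.
DISK_TYPE = "microsoft.compute/disks"


def iter_resources(resources):
    """Yield every resource, descending into nested 'resources' arrays
    (ARM allows child resources to be declared inline)."""
    for res in resources or []:
        yield res
        yield from iter_resources(res.get("resources"))


def disk_uses_customer_managed_key(resource):
    """True only when properties.encryption.diskEncryptionSetId is a non-empty string."""
    props = resource.get("properties") or {}
    enc = props.get("encryption") or {}
    des_id = enc.get("diskEncryptionSetId")
    return isinstance(des_id, str) and des_id.strip() != ""


def find_unencrypted_disks(template):
    """Return the names of Microsoft.Compute/disks resources that do not
    reference a disk encryption set, i.e. fall back to platform-managed keys."""
    findings = []
    for res in iter_resources(template.get("resources")):
        if str(res.get("type", "")).lower() != DISK_TYPE:
            continue
        if not disk_uses_customer_managed_key(res):
            findings.append(res.get("name", "<unnamed>"))
    return findings


if __name__ == "__main__":
    for name in find_unencrypted_disks(SAMPLE_TEMPLATE):
        print(f"SNYK-CC-00696: disk '{name}' has no diskEncryptionSetId (platform-managed key)")
```

Run against the embedded template it reports data-disk-default and data-disk-empty-id and stays silent for os-disk-cmk; to check a real deployment, replace SAMPLE_TEMPLATE with json.load() of the template file. An empty string is treated the same as a missing property, since neither references a disk encryption set.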