Virtual Machine unattached managed disks should be encrypted with Customer Managed Keys
Affecting the Storage service in Azure

Severity: medium
Severity Framework: Snyk CCSS
Rule category: Data / Encryption at Rest

Frameworks: CIS-Azure
Snyk ID: SNYK-CC-00697
Credit: Snyk Research Team

Description

Virtual Machine unattached managed disks should be encrypted with Customer Managed Keys. Managed disks that are not attached to any VM may still contain sensitive information, and customer-managed keys give users more control over it: keys can be rotated on the schedule their compliance and security requirements demand, a managed disk's access to its key can be revoked (causing any VM that uses the disk to fail), and key usage can be tracked through Key Vault monitoring.

How to fix?

Set properties.encryption.diskEncryptionSetId in "Microsoft.Compute/disks" to the id of a "Microsoft.Compute/diskEncryptionSets" resource, or set properties.encryptionSettingsCollection.enabled in "Microsoft.Compute/disks" to true.

Example Configuration

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": "Microsoft.Compute/disks",
            "apiVersion": "2022-07-02",
            "name": "example-allowed1",
            "location": "[resourceGroup().location]",
            "dependsOn": [
                "[resourceId('Microsoft.Compute/diskEncryptionSets', 'example-des-697')]",
                "[resourceId('Microsoft.KeyVault/vaults/accessPolicies', 'example-keyvault697', 'add')]"
            ],
            "sku": {
                "name": "Standard_LRS"
            },
            "properties": {
                "creationData": {
                    "createOption": "Empty"
                },
                "diskSizeGB": 1,
                "encryption": {
                    "diskEncryptionSetId": "[resourceId('Microsoft.Compute/diskEncryptionSets', 'example-des-697')]"
                }
            }
        },
        {
            "type": "Microsoft.Compute/disks",
            "apiVersion": "2022-07-02",
            "name": "example-allowed2",
            "location": "[resourceGroup().location]",
            "dependsOn": [
                "[resourceId('Microsoft.KeyVault/vaults', 'example-keyvault6972')]",
                "[resourceId('Microsoft.KeyVault/vaults/secrets', 'example-keyvault6972', 'kvs697ex2')]"
            ],
            "sku": {
                "name": "Standard_LRS"
            },
            "properties": {
                "creationData": {
                    "createOption": "Empty"
                },
                "diskSizeGB": 1,
                "encryptionSettingsCollection": {
                    "enabled": true,
                    "encryptionSettings": [
                        {
                            "diskEncryptionKey": {
                                "secretUrl": "[reference(resourceId('Microsoft.KeyVault/vaults/secrets', 'example-keyvault6972', 'kvs697ex2'), '2022-07-01', 'Full').properties.secretUriWithVersion]",
                                "sourceVault": {
                                    "id": "[resourceId('Microsoft.KeyVault/vaults', 'example-keyvault6972')]"
                                }
                            }
                        }
                    ]
                }
            }
        }
    ]
}
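A way to check disk definitions against this rule before and after deployment, as an added example that is not part of the Snyk page or its rule engine: the first function evaluates the "Microsoft.Compute/disks" resources of an ARM template for either fix from the "How to fix" section, and the second evaluates deployed disks in the JSON shape returned by `az disk list -o json` (diskState and encryption.type are the field names Azure returns; all sample data, disk names and resource ids below are constructed).

```python
"""Check Azure managed-disk definitions against rule SNYK-CC-00697.

Added example, not Snyk's rule implementation: a disk passes when it
references a diskEncryptionSet (customer-managed key) or has
encryptionSettingsCollection.enabled set to true.
"""
import json
from typing import Any

# Constructed sample ARM template: two compliant disks, one disk that relies on
# the platform-managed key only (non-compliant), and a non-disk resource that
# the check must ignore.
SAMPLE_TEMPLATE = json.loads("""
{
  "resources": [
    {"type": "Microsoft.Compute/disks", "name": "cmk-disk",
     "properties": {"encryption": {"diskEncryptionSetId":
        "[resourceId('Microsoft.Compute/diskEncryptionSets', 'example-des')]"}}},
    {"type": "Microsoft.Compute/disks", "name": "ade-disk",
     "properties": {"encryptionSettingsCollection": {"enabled": true}}},
    {"type": "Microsoft.Compute/disks", "name": "pmk-disk",
     "properties": {"creationData": {"createOption": "Empty"}, "diskSizeGB": 32}},
    {"type": "Microsoft.Compute/virtualMachines", "name": "vm1", "properties": {}}
  ]
}
""")

# Constructed excerpt in the shape of `az disk list -o json`. diskState and
# encryption.type are the field names Azure returns; names and ids are made up.
SAMPLE_AZ_DISK_LIST = [
    {"name": "orphan-pmk", "diskState": "Unattached",
     "encryption": {"type": "EncryptionAtRestWithPlatformKey"}},
    {"name": "orphan-cmk", "diskState": "Unattached",
     "encryption": {"type": "EncryptionAtRestWithCustomerKey",
                    "diskEncryptionSetId": "/subscriptions/00000000-0000-0000-0000-000000000000"
                                           "/resourceGroups/example-rg/providers"
                                           "/Microsoft.Compute/diskEncryptionSets/example-des"}},
    {"name": "attached-pmk", "diskState": "Attached",
     "encryption": {"type": "EncryptionAtRestWithPlatformKey"}},
]

# encryption.type values that mean a customer-managed key is in use.
CMK_ENCRYPTION_TYPES = {
    "EncryptionAtRestWithCustomerKey",
    "EncryptionAtRestWithPlatformAndCustomerKeys",
}


def disk_uses_cmk(props: dict[str, Any]) -> bool:
    """True when a disk resource's properties satisfy either fix from the rule."""
    des_id = (props.get("encryption") or {}).get("diskEncryptionSetId")
    if isinstance(des_id, str) and des_id.strip():
        return True
    esc = props.get("encryptionSettingsCollection") or {}
    # Template authors sometimes write the boolean as a string; accept both.
    return esc.get("enabled") in (True, "true")


def noncompliant_template_disks(template: dict[str, Any]) -> list[str]:
    """Names of Microsoft.Compute/disks resources in the template that fail the rule."""
    return [
        res["name"]
        for res in template.get("resources", [])
        if res.get("type", "").lower() == "microsoft.compute/disks"
        and not disk_uses_cmk(res.get("properties") or {})
    ]


def unattached_disks_without_cmk(disks: list[dict[str, Any]]) -> list[str]:
    """Names of deployed disks that are unattached and not encrypted with a CMK."""
    return [
        disk["name"]
        for disk in disks
        if disk.get("diskState") == "Unattached"
        and (disk.get("encryption") or {}).get("type") not in CMK_ENCRYPTION_TYPES
    ]


if __name__ == "__main__":
    print("template disks failing the rule:", noncompliant_template_disks(SAMPLE_TEMPLATE))
    print("deployed unattached disks without CMK:",
          unattached_disks_without_cmk(SAMPLE_AZ_DISK_LIST))
```

The template check is the pre-deployment gate; the second function is the equivalent check over live inventory, where an unattached disk still encrypted only with the platform key is exactly the case the rule describes. Feed it the parsed output of az disk list to find existing orphaned disks that the template check cannot see.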