CCSS (Common Configuration Scoring System) is the set of measures used to determine the severity of a rule.
Each rule is associated with a high-level category, for example IAM, Container, Monitoring, Logging, or Network.
Virtual Machine unattached managed disks should be encrypted with Customer Managed Keys. Virtual Machine managed disks that are not attached to any VM may still contain sensitive information, so users should use customer-managed keys for more control. Users can choose when to rotate their keys according to their compliance and security requirements, revoke a managed disk's access to its key (which causes the VM to fail), and track key usage through Key Vault monitoring.
To comply, either set `properties.encryption.diskEncryptionSetId` in `"Microsoft.Compute/disks"` to the `id` of a `"Microsoft.Compute/diskEncryptionSets"` resource, or set `properties.encryptionSettingsCollection.enabled` in `"Microsoft.Compute/disks"` to `true`.
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Compute/disks",
"apiVersion": "2022-07-02",
"name": "example-allowed1",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Compute/diskEncryptionSets', 'example-des-697')]",
"[resourceId('Microsoft.KeyVault/vaults/accessPolicies', 'example-keyvault697', 'add')]"
],
"sku": {
"name": "Standard_LRS"
},
"properties": {
"creationData": {
"createOption": "Empty"
},
"diskSizeGB": 1,
"encryption": {
"diskEncryptionSetId": "[resourceId('Microsoft.Compute/diskEncryptionSets', 'example-des-697')]"
}
}
},
{
"type": "Microsoft.Compute/disks",
"apiVersion": "2022-07-02",
"name": "example-allowed2",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.KeyVault/vaults', 'example-keyvault6972')]",
"[resourceId('Microsoft.KeyVault/vaults/secrets', 'example-keyvault6972', 'kvs697ex2')]"
],
"sku": {
"name": "Standard_LRS"
},
"properties": {
"creationData": {
"createOption": "Empty"
},
"diskSizeGB": 1,
"encryptionSettingsCollection": {
"enabled": "true",
"encryptionSettings": [
{
"diskEncryptionKey": {
"secretUrl": "[reference(resourceId('Microsoft.KeyVault/vaults/secrets', 'example-keyvault6972', 'kvs697ex2'), '2022-07-01', 'Full').properties.secretUriWithVersion]",
"sourceVault": {
"id": "[resourceId('Microsoft.KeyVault/vaults', 'example-keyvault6972')]"
}
}
}
]
}
}
}
]
}
Virtual Machine unattached managed disks should be encrypted with Customer Managed Keys.
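# Compliant unattached managed disk, first accepted configuration:
# `disk_encryption_set_id` references a Disk Encryption Set, so the disk is
# encrypted with a key the customer controls in Key Vault rather than a
# platform-managed key. This is what lets the customer decide when to rotate
# the key, revoke the disk's access to it, and audit key usage.
resource "azurerm_managed_disk" "allowed1" {
  name                 = "example697md"
  location             = azurerm_resource_group.example697.location
  resource_group_name  = azurerm_resource_group.example697.name
  storage_account_type = "Standard_LRS"
  create_option        = "Empty"

  # disk_size_gb is a numeric attribute: write it as a number rather than the
  # quoted string "1" (Terraform converts the string, but the number is the
  # idiomatic form and matches "diskSizeGB": 1 in the ARM example).
  disk_size_gb = 1

  # Customer-managed key via a Disk Encryption Set; the DES must itself be
  # configured with the customer's Key Vault key.
  disk_encryption_set_id = azurerm_disk_encryption_set.example697.id
}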
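# Compliant unattached managed disk, second accepted configuration: instead of
# a Disk Encryption Set, an `encryption_settings` block with `enabled = true`
# points the disk encryption key at a secret in a customer-controlled Key Vault.
resource "azurerm_managed_disk" "allowed2" {
  name                 = "acctestmdallowed697"
  location             = azurerm_resource_group.example697.location
  resource_group_name  = azurerm_resource_group.example697.name
  storage_account_type = "Standard_LRS"
  create_option        = "Empty"

  # disk_size_gb is a numeric attribute: write it as a number rather than the
  # quoted string "1" (Terraform converts the string, but the number is the
  # idiomatic form and matches "diskSizeGB": 1 in the ARM example).
  disk_size_gb = 1

  encryption_settings {
    # Must be the literal boolean true; this is the property the rule checks.
    enabled = true

    disk_encryption_key {
      # The secret resource's `id` is its versioned URI (the ARM example uses
      # secretUriWithVersion for the same field), so the disk is pinned to this
      # secret version; rotating the secret therefore means updating this
      # reference as well.
      secret_url      = azurerm_key_vault_secret.example6972.id
      # The vault that holds the key — must be one the customer administers.
      source_vault_id = azurerm_key_vault.example6972.id
    }
  }
}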