🛡️ Azure Virtual Machine OS and Data disks are not encrypted with Customer-managed key🟢

• Contextual name: 🛡️ OS and Data disks are not encrypted with Customer-managed key🟢
• ID: /ce/ca/azure/virtual-machine/os-and-data-disks-encryption-with-cmk
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 Azure Virtual Disk
  • 🔌 Azure Managed Disk - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• Cloud Conformity: Server Side Encryption for Boot Disk using CMK
• Internal: dec-x-9cdb7407

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-x-9cdb7407	1

Description

Open File

Description

Ensure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with CMK (Customer Managed Keys). Customer Managed keys can be either ADE or Server Side Encryption (SSE).

Rationale

Encrypting the IaaS VM's OS disk (boot volume) and Data disks (non-boot volume) ensures that the entire content is fully unrecoverable without a key, thus protecting the volume from unwanted reads. PMK (Platform Managed Keys) are enabled by default in Azure-managed disks and allow encryption at rest. CMK is recommended because it gives the customer the option to control which specific keys are used for the encryption and decryption of the disk. The customer can then change keys and increase security by disabling them instead of relying on the PMK key that remains unchanging. There is also the option to increase security further by using automatically rotating keys so that access to disk is ensured to be limited. Organizations should evaluate what their security requirements are, however, for the data stored on the disk. For high-risk data using CMK is a must, as it provides extra steps of security. If the data is low risk, PMK is enabled by default and provides sufficient data security.

... see more

Remediation

Open File

Remediation

From Azure Portal

Note: Disks must be detached from VMs to have encryption changed.

1. Go to Virtual machines.
2. For each virtual machine, go to Settings.
3. Click on Disks.
4. Click the ellipsis (...), then click Detach to detach the disk from the VM.
5. Now search for Disks and locate the unattached disk.
6. Click the disk then select Encryption.
7. Change your encryption type, then select your encryption set.
8. Click Save.
9. Go back to the VM and re-attach the disk.

From PowerShell

$KVRGname = 'MyKeyVaultResourceGroup'; $VMRGName = 'MyVirtualMachineResourceGroup'; $vmName = 'MySecureVM'; $KeyVaultName = 'MySecureVault'; $KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KVRGname; $diskEncryptionKeyVaultUrl = $KeyVault.VaultUri; $KeyVaultResourceId = $KeyVault.ResourceId; Set-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGname -VMName $vmName -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId;

NOTE: During encryption it is likely that a reboot will be required. It may take up to 15 minutes to complete the process.

... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 APRA CPG 234 → 💼 52c appropriate encryption, cleansing and auditing of devices;		9	9		no data
💼 APRA CPG 234 → 💼 54 Cryptographic techniques can be used to control access to sensitive data, both in storage and in transit. The strength of the cryptographic techniques deployed would be commensurate with the sensitivity and criticality of the data as well as other supplementary or compensating controls (refer to Attachment E for further guidance).		21	22		no data
💼 CIS Azure v1.3.0 → 💼 7.2 Ensure that 'OS and Data' disks are encrypted with CMK - Level 2 (Automated)		1	1		no data
💼 CIS Azure v1.4.0 → 💼 7.2 Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK) - Level 2 (Automated)		1	1		no data
💼 CIS Azure v1.5.0 → 💼 7.2 Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK) - Level 2 (Automated)		1	1		no data
💼 CIS Azure v2.0.0 → 💼 7.3 Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK) - Level 2 (Automated)		1	1		no data
💼 CIS Azure v2.1.0 → 💼 7.3 Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK) - Level 2 (Automated)		1	1		no data
💼 CIS Azure v3.0.0 → 💼 8.3 Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK) (Automated)			1		no data
💼 Cloudaware Framework → 💼 Data Encryption			44		no data
💼 FedRAMP High Security Controls → 💼 AC-4(4) Flow Control of Encrypted Information (H)		25	26		no data
💼 FedRAMP High Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)		16	24		no data
💼 FedRAMP High Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)	1	7	24		no data
💼 FedRAMP High Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H)		5	14		no data
💼 FedRAMP Low Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)			24		no data
💼 FedRAMP Low Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)	1		24		no data
💼 FedRAMP Low Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H)			14		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)			24		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)	1		24		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H)			14		no data
💼 ISO/IEC 27001:2013 → 💼 A.10.1.1 Policy on the use of cryptographic controls		18	19		no data
💼 ISO/IEC 27001:2022 → 💼 5.33 Protection of records		10	15		no data
💼 NIST CSF v1.1 → 💼 PR.DS-1: Data-at-rest is protected		15	30		no data
💼 NIST CSF v1.1 → 💼 PR.DS-5: Protections against data leaks are implemented		47	91		no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			148		no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			125		no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			142		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(2) Information Flow Enforcement _ Processing Domains		30	32		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-28(1) Protection of Information at Rest _ Cryptographic Protection		10	14		no data
💼 PCI DSS v3.2.1 → 💼 3.4.1 If disk encryption is used, logical access must be managed separately and independently of native operating system authentication and access control mechanisms.		7	12		no data
💼 PCI DSS v3.2.1 → 💼 4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.	1	8	22		no data
💼 PCI DSS v4.0.1 → 💼 3.3.2 SAD that is stored electronically prior to completion of authorization is encrypted using strong cryptography.			13		no data
💼 PCI DSS v4.0.1 → 💼 3.5.1.3 If disk-level or partition-level encryption is used (rather than file-, column-, or field--level database encryption) to render PAN unreadable.			12		no data
💼 PCI DSS v4.0.1 → 💼 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks.	2		22		no data
💼 PCI DSS v4.0 → 💼 3.3.2 SAD that is stored electronically prior to completion of authorization is encrypted using strong cryptography.		8	13		no data
💼 PCI DSS v4.0 → 💼 3.5.1.3 If disk-level or partition-level encryption is used (rather than file-, column-, or field--level database encryption) to render PAN unreadable.			12		no data
💼 PCI DSS v4.0 → 💼 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks.	2	9	22		no data
💼 SOC 2 → 💼 CC6.1-10 Uses Encryption to Protect Data		6	11		no data