Skip to main content

πŸ“ Unattached Azure Managed Disk is not encrypted with Customer-managed key 🟒

  • Contextual name: πŸ“ Unattached Managed Disk is not encrypted with Customer-managed key 🟒
  • ID: /ce/ca/azure/virtual-machine/unattached-disk-encryption-with-cmk
  • Located in: πŸ“ Azure Virtual Machines

Flags​

Our Metadata​

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies​

Similar Internal Rules​

RulePoliciesFlags
βœ‰οΈ dec-x-f63fd4f01

Logic​

Description​

Open File

Description​

Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key (CMK).

Rationale​

Managed disks are encrypted by default with Platform-managed keys. Using Customer-managed keys may provide an additional level of security or meet an organization's regulatory requirements. Encrypting managed disks ensures that its entire content is fully unrecoverable without a key and thus protects the volume from unwarranted reads. Even if the disk is not attached to any of the VMs, there is always a risk where a compromised user account with administrative access to VM service can mount/attach these data disks, which may lead to sensitive information disclosure and tampering.

Impact​

NOTE: You must have your key vault set up to utilize this. Encryption is available only on Standard tier VMs. This might cost you more.

Utilizing and maintaining Customer-managed keys will require additional work to create, protect, and rotate keys.

Audit​

From Azure Portal​
  1. Go to Disks.
  2. Click on Add Filter.

... see more

Remediation​

Open File

Remediation​

If data stored in the disk is no longer useful, refer to Azure documentation to delete unattached data disks at:

If data stored in the disk is important, To encrypt the disk refer azure documentation at:

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 52c appropriate encryption, cleansing and auditing of devices;99
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 54 Cryptographic techniques can be used to control access to sensitive data, both in storage and in transit. The strength of the cryptographic techniques deployed would be commensurate with the sensitivity and criticality of the data as well as other supplementary or compensating controls (refer to Attachment E for further guidance).1718
πŸ’Ό CIS Azure v1.1.0 β†’ πŸ’Ό 7.3 Ensure that 'Unattached disks' are encrypted11
πŸ’Ό CIS Azure v1.3.0 β†’ πŸ’Ό 7.3 Ensure that 'Unattached disks' are encrypted with CMK - Level 2 (Automated)11
πŸ’Ό CIS Azure v1.4.0 β†’ πŸ’Ό 7.3 Ensure that 'Unattached disks' are encrypted with CMK - Level 2 (Automated)11
πŸ’Ό CIS Azure v1.5.0 β†’ πŸ’Ό 7.3 Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK) - Level 2 (Automated)11
πŸ’Ό CIS Azure v2.0.0 β†’ πŸ’Ό 7.4 Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK) - Level 2 (Automated)11
πŸ’Ό CIS Azure v2.1.0 β†’ πŸ’Ό 7.4 Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK) - Level 2 (Automated)11
πŸ’Ό CIS Azure v3.0.0 β†’ πŸ’Ό 8.4 Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK) (Automated)1
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Data Encryption31
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-4(4) Flow Control of Encrypted Information (H)2021
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)1316
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-28 Protection of Information at Rest (L)(M)(H)1717
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-28(1) Cryptographic Protection (L)(M)(H)512
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)16
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-28 Protection of Information at Rest (L)(M)(H)117
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-28(1) Cryptographic Protection (L)(M)(H)12
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)16
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-28 Protection of Information at Rest (L)(M)(H)117
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-28(1) Cryptographic Protection (L)(M)(H)12
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.10.1.1 Policy on the use of cryptographic controls1415
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 5.33 Protection of records1010
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-1: Data-at-rest is protected1519
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-5: Protections against data leaks are implemented4351
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected82
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected69
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected67
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-4(2) Information Flow Enforcement _ Processing Domains2527
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-28(1) Protection of Information at Rest _ Cryptographic Protection1012
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 3.4.1 If disk encryption is used, logical access must be managed separately and independently of native operating system authentication and access control mechanisms.77
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 3.5.1.3 If disk-level or partition-level encryption is used (rather than file-, column-, or field--level database encryption) to render PAN unreadable.7
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 3.5.1.3 If disk-level or partition-level encryption is used (rather than file-, column-, or field--level database encryption) to render PAN unreadable.7