Ensure that 'Unattached disks' are encrypted with Customer Managed Keys (CMK)

Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key (CMK).

Category

Controls

Medium

Applies to

Microsoft Azure

Coverage

1 query

Asset types

1 covered

Overview

Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key (CMK).

Rationale

Managed disks are encrypted by default with platform-managed keys. Using customer-managed keys may provide an additional level of security or meet an organization's regulatory requirements. Encrypting managed disks ensures that their entire content is unrecoverable without the key and thus protects the volume from unwarranted reads. Even when a disk is not attached to any VM, there is always a risk that a compromised user account with administrative access to the VM service mounts or attaches these data disks, which may lead to sensitive information disclosure and tampering.

Impact

A key vault must be set up to use this feature. Encryption is available only on Standard tier VMs. This might increase costs.

Utilizing and maintaining Customer-managed keys will require additional work to create, protect, and rotate keys.

Default Value

By default, managed disks are encrypted with a Platform-managed key.

References

  1. https://learn.microsoft.com/en-us/azure/security/fundamentals/azure-disk-encryption-vms-vmss
  2. https://learn.microsoft.com/en-us/azure/security-center/security-center-disk-encryption?toc=%2fazure%2fsecurity%2ftoc.json
  3. https://learn.microsoft.com/en-us/rest/api/compute/disks/delete
  4. https://learn.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-delete
  5. https://learn.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings
  6. https://learn.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-update
  7. https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-5-encrypt-sensitive-data-at-rest

Remediation guidance

From Azure Console

  1. Go to Disks
  2. Click on Add filter
  3. For Filter name select Disk state, for Operator select Equals, and for Value only select Unattached
  4. Select Apply
  5. For every disk, go to Encryption under Settings
  6. For Key management, select the customer-managed key you want to use
  7. Select Save

Service-wide remediation

Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.

Azure

Use management group or subscription Azure Policy assignments, remediation tasks where supported, landing-zone standards, and IaC modules so drift is prevented at scale.

Operational rollout

  1. Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
  2. Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
  3. Re-scan and track approved exceptions with an owner and expiry date.

Query logic

These are the stored checks tied to this control.

'Unattached disks' are encrypted with CMK

Connectors

Microsoft Azure

Covered asset types

Disk

Expected check: eq []

{disks(where:{diskState_MATCHES:"(?i)unattached",encryptionKey:null}){...AssetFragment}}
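As an added example (not Cyscale's stored query or the Azure CLI itself), the following Python script applies the same check as the query above to the JSON shape that `az disk list -o json` emits, and prints the `az disk update --disk-encryption-set` remediation for each flagged disk; the disk records and the disk encryption set ID are constructed placeholders.

```python
"""Flag unattached Azure managed disks not encrypted with a CMK and emit
the az CLI remediation for each. Input mirrors `az disk list -o json`;
the sample records and encryption-set ID below are constructed."""
import json

# encryption.type values that mean a customer-managed key is in use.
CMK_TYPES = {
    "EncryptionAtRestWithCustomerKey",
    "EncryptionAtRestWithPlatformAndCustomerKeys",
}

# Constructed sample in the shape of `az disk list -o json` (trimmed).
SAMPLE_DISKS_JSON = """[
  {"name": "data-01", "resourceGroup": "rg-prod", "diskState": "Unattached",
   "encryption": {"type": "EncryptionAtRestWithPlatformKey"}},
  {"name": "data-02", "resourceGroup": "rg-prod", "diskState": "unattached",
   "encryption": {"type": "EncryptionAtRestWithCustomerKey",
                  "diskEncryptionSetId": "/subscriptions/PLACEHOLDER/resourceGroups/rg-prod/providers/Microsoft.Compute/diskEncryptionSets/des-prod"}},
  {"name": "os-vm1", "resourceGroup": "rg-prod", "diskState": "Attached",
   "encryption": {"type": "EncryptionAtRestWithPlatformKey"}},
  {"name": "data-03", "resourceGroup": "rg-dev", "diskState": "Unattached",
   "encryption": {}}
]"""


def load_disks(text):
    return json.loads(text)


def is_unattached(disk):
    # Case-insensitive match, like the control's "(?i)unattached" regex.
    return str(disk.get("diskState", "")).lower() == "unattached"


def uses_cmk(disk):
    # Missing or platform-key-only encryption counts as "encryptionKey: null".
    return (disk.get("encryption") or {}).get("type") in CMK_TYPES


def find_noncompliant(disks):
    """Unattached disks without a CMK; an empty list is the expected `eq []`."""
    return [d for d in disks if is_unattached(d) and not uses_cmk(d)]


def remediation_command(disk, encryption_set_id):
    # Attaches a disk encryption set (which references the CMK in Key Vault).
    return (f"az disk update --name {disk['name']} "
            f"--resource-group {disk['resourceGroup']} "
            f"--disk-encryption-set {encryption_set_id}")


if __name__ == "__main__":
    for d in find_noncompliant(load_disks(SAMPLE_DISKS_JSON)):
        print(remediation_command(d, "<DISK_ENCRYPTION_SET_RESOURCE_ID>"))
```

Feed it real data with `az disk list -o json > disks.json` and call `find_noncompliant(load_disks(open("disks.json").read()))`; review the printed commands before running them, since changing the key of an existing disk is a write operation.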
© 2026 Cyscale Limited