Ensure that 'OS and Data' disks are encrypted with Customer Managed Keys (CMK)

Overview

Ensure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with CMK (Customer Managed Keys). Customer Managed Keys can be used with either ADE (Azure Disk Encryption) or SSE (Server Side Encryption).

Rationale

Encrypting the IaaS VM's OS disk (boot volume) and Data disks (non-boot volume) ensures that the entire content is fully unrecoverable without a key, thus protecting the volume from unwanted reads. PMK (Platform Managed Keys) are enabled by default in Azure-managed disks and allow encryption at rest. CMK is recommended because it gives the customer the option to control which specific keys are used for the encryption and decryption of the disk. The customer can then change keys and increase security by disabling them instead of relying on the PMK key that remains unchanging. There is also the option to increase security further by using automatically rotating keys so that access to disk is ensured to be limited. Organizations should evaluate what their security requirements are, however, for the data stored on the disk. For high-risk data, using CMK is a must, as it provides extra steps of security. If the data is low risk, PMK is enabled by default and provides sufficient data security.

**Impact: **

Using CMK/BYOK will entail additional management of keys.

NOTE You must have your key vault setup to utilize this.

Remediation guidance

From Azure Console

Note Disks must be detached from VMs to have encryption changed.

Go to Virtual machines
For each virtual machine, go to Settings
Click on Disks
Click the ellipsis (...), then click Detach to detach the disk from the VM
Now search for Disks and locate the unattached disk
Click the disk then select Encryption
Change your encryption type, then select your encryption set
Click Save
Go back to the VM and re-attach the disk

Using PowerShell

$KVRGname = 'MyKeyVaultResourceGroup'; 
$VMRGName = 'MyVirtualMachineResourceGroup'; 
$vmName = 'MySecureVM'; 
$KeyVaultName = 'MySecureVault'; 
$KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KVRGname; 
$diskEncryptionKeyVaultUrl = $KeyVault.VaultUri; 
$KeyVaultResourceId = $KeyVault.ResourceId; 

Set-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGname -VMName $vmName -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId;

NOTE During encryption it is likely that a reboot will be required, it may take up to 15 minutes to complete the process.

NOTE 2 This may differ for Linux Machines as you may need to set the -skipVmBackup parameter

Default Value

By default, Azure disks are encrypted using SSE with PMK.

References

Service-wide remediation

Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.

Azure

Use management group or subscription Azure Policy assignments, remediation tasks where supported, landing-zone standards, and IaC modules so drift is prevented at scale.

Operational rollout

Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
Re-scan and track approved exceptions with an owner and expiry date.

Query logic

These are the stored checks tied to this control.

'OS and Data' disks are encrypted with CMK

Connectors

Microsoft Azure

Covered asset types

Expected check: eq []

{vms(where:{diskAttachments_SOME:{disk:{,encryptionKey:null}}}){...AssetFragment}}

Ensure that 'OS and Data' disks are encrypted with Customer Managed Keys (CMK)

Overview

Remediation guidance

Service-wide remediation

Azure

Operational rollout

Query logic

Platform

Use Cases

Industries

Compare

Resources

Company