turbot/azure_compliance

Control: 7.2 Ensure that 'OS and Data' disks are encrypted with CMK

Description

Ensure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with CMK. By encrypting it ensures that the entire content is fully unrecoverable without a key and thus protects the volume from unwarranted reads. CMK is superior encryption although requires additional planning. You must have your key vault setup to encrypt.

Remediation

From Console

Disks must be detached from VMs to have encryption changed.

  1. Go to Virtual machines.
  2. For each virtual machine, go to Settings.
  3. Click on Disks.
  4. Click the X to detach the disk from the VM.
  5. Now search for Disks and locate the unattached disk.
  6. Click the disk then select Encryption
  7. Change your encryption type, then select your encryption set
  8. Click Save.
  9. Go back to the VM and re-attach the disk.

From PowerShell

$KVRGname = 'MyKeyVaultResourceGroup';
$VMRGName = 'MyVirtualMachineResourceGroup';
$vmName = 'MySecureVM';
$KeyVaultName = 'MySecureVault';
$KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName
$KVRGname;
$diskEncryptionKeyVaultUrl = $KeyVault.VaultUri; $KeyVaultResourceId = $KeyVault.ResourceId;
Set-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGname -VMName $vmName -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl - DiskEncryptionKeyVaultId $KeyVaultResourceId;

Note

  • During encryption it is likely that a reboot will be required, it may take up to 15 minutes to complete the process.
  • This may differ for Linux Machines as you may need to set the -skipVmBackup parameter.
  • By default, Azure disks are encrypted using SSE with PMK.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v130_7_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v130_7_2 --share

SQL

This control uses a named query:

compute_os_and_data_disk_encrypted_with_cmk

Tags