Control: 7.7 Ensure that VHD's are encrypted
Description
VHD (Virtual Hard Disks) are stored in BLOB storage and are the old style disks that were attached to Virtual Machines, and the BLOB VHD was then leased to the VM. By Default storage accounts are not encrypted, and Azure Defender(Security Centre) would then recommend that the OS disks should be encrypted. Storage accounts can be encrypted as a whole using PMK or CMK and this should be turned on for storage accounts containing VHD's.
Managed disks that are encrypted by default, we need to also have a recommendation that legacy disk that may for a number of reasons need to be left as VHD's should also be encrypted to protect the data content.
Remediation
From Console
- Navigate to the
storage account
that you need to encrypt. - Select the
encryption
option. - Select the
Encryption type
(Microsoft-managed or Customer-manages key) that you wish to use. - For
Customer-managed
, create or select a key from the key vault andSave
From Command Line
Create the Keyvault
az keyvault create --name "myKV" --resource-group "myResourceGroup" -- location eastus --enabled-for-disk-encryption
Encrypt the disk and store the key in keyvault
az vm encryption enable -g MyResourceGroup --name MyVM --disk-encryption- keyvault myKV
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v130_7_7
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v130_7_7 --share
SQL
This control uses a named query:
manual_control