v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/azure_compliance
Overview
13Dashboards
1311Controls
430Queries
2Variables
GitHub

Control: 7.7 Ensure that VHD's are encrypted

Description

VHD (Virtual Hard Disks) are stored in BLOB storage and are the old style disks that were attached to Virtual Machines, and the BLOB VHD was then leased to the VM. By Default storage accounts are not encrypted, and Azure Defender(Security Centre) would then recommend that the OS disks should be encrypted. Storage accounts can be encrypted as a whole using PMK or CMK and this should be turned on for storage accounts containing VHD's.

Managed disks that are encrypted by default, we need to also have a recommendation that legacy disk that may for a number of reasons need to be left as VHD's should also be encrypted to protect the data content.

Remediation

From Console

  1. Navigate to the storage account that you need to encrypt.
  2. Select the encryption option.
  3. Select the Encryption type (Microsoft-managed or Customer-manages key) that you wish to use.
  4. For Customer-managed, create or select a key from the key vault and Save

From Command Line

Create the Keyvault

az keyvault create --name "myKV" --resource-group "myResourceGroup" -- location eastus --enabled-for-disk-encryption

Encrypt the disk and store the key in keyvault

az vm encryption enable -g MyResourceGroup --name MyVM --disk-encryption- keyvault myKV

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v140_7_7

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v140_7_7 --share

SQL

This control uses a named query:

manual_control

Tags

category = Compliance
cis = true
cis_item_id = 7.7
cis_level = 2
cis_section_id = 7
cis_type = manual
cis_version = v1.4.0
plugin = azure
service = Azure/Compute