
Control: 4.2 Ensure that 'Virtual Machine’s disk' are encrypted


Ensure that disks are encrypted when they are created along with the VM instance.


From Console

Encrypt a system disk when copying an image in the ECS console by following the steps below:

  1. Log on to the ECS Console.
  2. In the left-side navigation pane, choose Instances & Images > Instances.
  3. In the top navigation bar, select a region.
  4. On the Images page, click the Custom Image tab.
  5. Select the target image and click Copy Image in the Actions column.
  6. In the Copy Image dialog box, check the Encrypt box and then select a key from the drop-down list.
  7. Click OK.

You can encrypt a data disk when creating an instance by following the steps below:

  1. Log on to the ECS Console.
  2. In the left-side navigation pane, choose Instances & Images > Instances.
  3. On the Instances page, click Create Instance.
  4. On the Basic Configurations page, find the Storage section and perform the following steps:
    • Click Add Disk.
    • Specify the disk category and capacity of data disk.
    • Select Disk Encryption and then select a key from the drop-down list.


Run the control in your terminal:

powerpipe control run alicloud_compliance.control.cis_v100_4_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run alicloud_compliance.control.cis_v100_4_2 --share


This control uses a named query:

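select
  arn as resource,
  case
    when encrypted then 'ok'
    else 'alarm'
  end as status,
  case
    when encrypted then title || ' encryption enabled.'
    else title || ' encryption disabled.'
  end as reason
  , account_id as account_id, region as region
from
  alicloud_ecs_disk -- Steampipe Alibaba Cloud plugin table for ECS disks
where
  status = 'In_use'; -- only disks currently in use are evaluated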
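The same ok/alarm logic can be applied to the JSON returned by the ECS DescribeDisks API, for example when Steampipe is not available. This is an added example, not part of the Powerpipe mod: the sample response is constructed, the function names are hypothetical, and the `REMEDIATION` text simply points at the two console procedures on this page.

```python
import json

# Constructed sample shaped like the JSON printed by `aliyun ecs DescribeDisks`.
SAMPLE = json.loads("""
{"Disks": {"Disk": [
  {"DiskId": "d-example0001", "Type": "system", "Status": "In_use", "Encrypted": false},
  {"DiskId": "d-example0002", "Type": "data", "Status": "In_use", "Encrypted": true},
  {"DiskId": "d-example0003", "Type": "data", "Status": "In_use", "Encrypted": false},
  {"DiskId": "d-example0004", "Type": "data", "Status": "Available", "Encrypted": false}
]}}
""")

# Console procedure from this page that covers each disk type (assumed mapping).
REMEDIATION = {
    "system": "copy the custom image with Encrypt checked",
    "data": "select Disk Encryption when adding the disk",
}

def evaluate(response):
    """Return one row per in-use disk, mirroring the control's status/reason columns."""
    rows = []
    for disk in response.get("Disks", {}).get("Disk", []):
        if disk.get("Status") != "In_use":  # the control only scores disks in use
            continue
        encrypted = disk.get("Encrypted") is True  # a missing field counts as unencrypted
        rows.append({
            "resource": disk["DiskId"],
            "type": disk.get("Type", "unknown"),
            "status": "ok" if encrypted else "alarm",
            "reason": f"{disk['DiskId']} encryption {'enabled' if encrypted else 'disabled'}.",
        })
    return rows

def alarms_by_type(rows):
    """Group alarming disk IDs by disk type so each maps to one procedure."""
    grouped = {}
    for row in rows:
        if row["status"] == "alarm":
            grouped.setdefault(row["type"], []).append(row["resource"])
    return grouped

if __name__ == "__main__":
    rows = evaluate(SAMPLE)
    for row in rows:
        print(f"{row['status']:5} {row['reason']}")
    for disk_type, ids in alarms_by_type(rows).items():
        print(f"{disk_type}: {', '.join(ids)} -> {REMEDIATION.get(disk_type, 'review manually')}")
```

Unlike the named query, the reason text uses the disk ID rather than the disk title, and the unattached disk in the sample is skipped just as the `status = 'In_use'` filter skips it.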
