Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →

Plugins Docs Home

turbot/steampipe-mod-alicloud-compliance

Loading controls...

Control: 4.2 Ensure that 'Virtual Machine’s disk' are encrypted

Description

Ensure that disk are encrypted when it is created with the creation of VM instance.

Remediation

From Console

Encrypt a system disk when copying an image in the ECS console by following the below steps:

Logon to ECS Console.
In the left-side navigation pane, choose Instances & Images > Instances.
In the top navigation bar, select a region.
On the Images page, click the Custom Image tab.
Select the target image and click Copy Image in the Actions column.
In the Copy Image dialog box, check the Encrypt box and then select a key from the drop-down list.
Click OK.

You can encrypt a data disk when creating an instance by following the below steps:

Logon to ECS Console.
In the left-side navigation pane, choose Instances & Images > Instances.
On the Instances page, click Create Instance.
On the Basic Configurations page, find the Storage section and perform the following steps
- Click Add Disk.
- Specify the disk category and capacity of data disk.
- Select Disk Encryption and then select a key from the drop-down list.

Usage

Run the control in your terminal:

powerpipe control run alicloud_compliance.control.cis_v100_4_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run alicloud_compliance.control.cis_v100_4_2 --share

SQL

This control uses a named query:

select
  arn as resource,
  case
    when encrypted then 'ok'
    else 'alarm'
  end as status,
  case
    when encrypted then title || ' encryption enabled.'
    else title || ' encryption disabled.'
  end as reason
  
  , account_id as account_id, region as region
from
  alicloud_ecs_disk
where
  status = 'In_use';

Tags

category = Compliance

cis_item_id = 4.2

cis_section_id = 4

cis_type = manual

cis_version = v1.0.0

plugin = alicloud

service = AliCloud/ECS