Control: 7.3 Ensure that 'Unattached disks' are encrypted with CMK
Description
Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key (CMK). Managed disks are encrypted by default with Platform-managed keys. Using Customer-managed keys may provide an additional level of security or meet an organization's regulatory requirements. Encrypting managed disks ensures that their entire content is unrecoverable without the key and thus protects the volume from unwarranted reads. Even if a disk is not attached to any VM, there is always a risk that a compromised user account with administrative access to the VM service mounts or attaches these data disks, which may lead to sensitive information disclosure and tampering.
Remediation
From Console
- Using the search feature, go to 'Disks'.
- Select the unattached disk you would like to encrypt.
- From the 'Settings' section, select 'Encryption'.
- For the 'Encryption type', select 'Encryption at-rest with a customer-managed key'.
- Select a 'Disk encryption set' and click 'Save'.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v130_7_3
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.cis_v130_7_3 --share
SQL
This control uses a named query:
select
  disk.id as resource,
  case
    when encryption_type = 'EncryptionAtRestWithCustomerKey' then 'ok'
    else 'alarm'
  end as status,
  case
    when encryption_type = 'EncryptionAtRestWithCustomerKey' then disk.name || ' encrypted with CMK.'
    else disk.name || ' not encrypted with CMK.'
  end as reason,
  disk.resource_group as resource_group,
  sub.display_name as subscription
from
  azure_compute_disk disk,
  azure_subscription sub
where
  disk_state != 'Attached'
  and sub.subscription_id = disk.subscription_id;
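To see how the control classifies disks, the following added example (not part of the Powerpipe mod or the Steampipe plugin) runs the control's query over constructed sample rows loaded into an in-memory SQLite database that stands in for the azure_compute_disk and azure_subscription tables. The table layouts and row values are assumptions for the demonstration; only the query text comes from the control.

```python
import sqlite3

# Constructed sample rows standing in for the Steampipe tables (not real Azure data).
# Columns: id, name, disk_state, encryption_type, resource_group, subscription_id
SAMPLE_DISKS = [
    ("/disks/d1", "data-cmk", "Unattached", "EncryptionAtRestWithCustomerKey", "rg-a", "sub-1"),
    ("/disks/d2", "data-pmk", "Unattached", "EncryptionAtRestWithPlatformKey", "rg-a", "sub-1"),
    # Attached disks are outside the scope of this control and are filtered out.
    ("/disks/d3", "os-attached", "Attached", "EncryptionAtRestWithPlatformKey", "rg-b", "sub-1"),
    # The filter is "!= 'Attached'", so a disk in state 'Reserved' is evaluated too;
    # platform-and-customer double encryption is not the exact CMK value and alarms.
    ("/disks/d4", "data-double", "Reserved", "EncryptionAtRestWithPlatformAndCustomerKeys", "rg-b", "sub-1"),
]
SAMPLE_SUBS = [("sub-1", "Production")]  # subscription_id, display_name

# The control's query as published on this page.
CONTROL_QUERY = """
select
  disk.id as resource,
  case when encryption_type = 'EncryptionAtRestWithCustomerKey' then 'ok' else 'alarm' end as status,
  case when encryption_type = 'EncryptionAtRestWithCustomerKey'
       then disk.name || ' encrypted with CMK.'
       else disk.name || ' not encrypted with CMK.' end as reason,
  disk.resource_group as resource_group,
  sub.display_name as subscription
from azure_compute_disk disk, azure_subscription sub
where disk_state != 'Attached' and sub.subscription_id = disk.subscription_id;
"""


def run_control(disks=SAMPLE_DISKS, subs=SAMPLE_SUBS):
    """Run the control query over the given rows; return {resource: (status, reason)}."""
    con = sqlite3.connect(":memory:")
    con.execute("create table azure_compute_disk "
                "(id, name, disk_state, encryption_type, resource_group, subscription_id)")
    con.execute("create table azure_subscription (subscription_id, display_name)")
    con.executemany("insert into azure_compute_disk values (?,?,?,?,?,?)", disks)
    con.executemany("insert into azure_subscription values (?,?)", subs)
    rows = con.execute(CONTROL_QUERY).fetchall()
    con.close()
    # Row layout follows the select list: resource, status, reason, resource_group, subscription
    return {resource: (status, reason) for resource, status, reason, _rg, _sub in rows}


if __name__ == "__main__":
    for resource, (status, reason) in run_control().items():
        print(f"{status:5} {resource}: {reason}")
```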