🚀Launch Week 07, January 27th - 31st, 2025🚀
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-azure-compliance
Overview
13Dashboards
1311Benchmarks
430Queries
2Variables
GitHub

Control: Unattached Compute disks should be encrypted with ADE/CMK

Description

This policy identifies the disks which are unattached and are encrypted with default encryption instead of ADE/CMK. Azure encrypts disks by default Server-Side Encryption (SSE) with platform-managed keys [SSE with PMK]. It is recommended to use either SSE with Azure Disk Encryption [SSE with PMK+ADE] or Customer Managed Key [SSE with CMK] which improves on platform-managed keys by giving you control of the encryption keys to meet your compliance need.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.compute_disk_unattached_encrypted_with_cmk

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.compute_disk_unattached_encrypted_with_cmk --share

SQL

This control uses a named query:

select
  disk.id as resource,
  case
    when managed_by is not null
    or managed_by != ''
    or encryption_type = 'EncryptionAtRestWithCustomerKey'
    or encryption_type = 'EncryptionAtRestWithPlatformAndCustomerKeys'
    then 'ok'
    else 'alarm'
  end as status,
  case
    when managed_by is not null
    or managed_by != ''
    or encryption_type = 'EncryptionAtRestWithCustomerKey'
    or encryption_type = 'EncryptionAtRestWithPlatformAndCustomerKeys'
    then disk.name || ' attached and encrypted with ADE/CMK.'
    else disk.name || ' unattached and encrypted with default encryption key.'
  end as reason
  
  , disk.resource_group as resource_group
  , sub.display_name as subscription
from
  azure_compute_disk disk,
  azure_subscription sub
where
  disk_state != 'Attached'
  and sub.subscription_id = disk.subscription_id;

Tags

service = Azure/Compute