turbot/steampipe-mod-azure-compliance

Control: Virtual machines and virtual machine scale sets should have encryption at host enabled

Description

Use encryption at host to get end-to-end encryption for your virtual machine and virtual machine scale set data. Encryption at host enables encryption at rest for your temporary disk and OS/data disk caches. Temporary and ephemeral OS disks are encrypted with platform-managed keys when encryption at host is enabled. OS/data disk caches are encrypted at rest with either customer-managed or platform-managed key, depending on the encryption type selected on the disk.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.compute_vm_and_sacle_set_encryption_at_host_enabled

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.compute_vm_and_sacle_set_encryption_at_host_enabled --share

SQL

This control uses a named query:

(
select
a.id as resource,
case
when security_profile -> 'encryptionAtHost' = 'true' then 'ok'
else 'alarm'
end as status,
case
when security_profile -> 'encryptionAtHost' = 'true' then a.name || ' encryption at host enabled.'
else a.name || ' encryption at host disabled.'
end as reason
, a.resource_group as resource_group
, sub.display_name as subscription
from
azure_compute_virtual_machine as a,
azure_subscription as sub
where
sub.subscription_id = a.subscription_id
)
union
(
select
a.id as resource,
case
when virtual_machine_security_profile -> 'encryptionAtHost' = 'true' then 'ok'
else 'alarm'
end as status,
case
when virtual_machine_security_profile -> 'encryptionAtHost' = 'true' then a.name || ' encryption at host enabled.'
else a.name || ' encryption at host disabled.'
end as reason
, a.resource_group as resource_group
, sub.display_name as subscription
from
azure_compute_virtual_machine_scale_set as a,
azure_subscription as sub
where
sub.subscription_id = a.subscription_id
)

Tags