turbot/steampipe-mod-azure-compliance

Control: Azure HDInsight clusters should use encryption at host to encrypt data at rest

Description

Enabling encryption at host helps protect and safeguard your data to meet your organizational security and compliance commitments. When you enable encryption at host, data stored on the VM host is encrypted at rest and flows encrypted to the Storage service.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.hdinsight_cluster_encryption_at_host_enabled

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.hdinsight_cluster_encryption_at_host_enabled --share

SQL

This control uses a named query:

select
  a.id as resource,
  -- Clusters that have not finished provisioning are skipped rather than evaluated.
  case
    when provisioning_state <> 'Succeeded' then 'skip'
    -- The jsonb value under encryptionAtHost must be the boolean true.
    when disk_encryption_properties -> 'encryptionAtHost' = 'true' then 'ok'
    else 'alarm'
  end as status,
  case
    when provisioning_state <> 'Succeeded' then a.name || ' is in ' || provisioning_state || ' state.'
    when disk_encryption_properties -> 'encryptionAtHost' = 'true' then a.name || ' uses encryption at host to encrypt data at rest.'
    else a.name || ' not uses encryption at host to encrypt data at rest.'
  end as reason
  , a.resource_group as resource_group
  , sub.display_name as subscription
from
  azure_hdinsight_cluster as a,
  azure_subscription as sub
where
  -- Join each cluster to its subscription to report the display name.
  sub.subscription_id = a.subscription_id;
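
The following is an added example, not part of the mod: it applies the control's status logic to constructed rows in plain PostgreSQL, so you can see how the jsonb comparison treats a missing key or missing properties. The CTE name, cluster names and property values are made up for illustration.

```sql
-- Constructed sample rows standing in for azure_hdinsight_cluster.
with sample_cluster (name, provisioning_state, disk_encryption_properties) as (
  values
    ('hdi-enabled',       'Succeeded',  '{"encryptionAtHost": true}'::jsonb),
    ('hdi-disabled',      'Succeeded',  '{"encryptionAtHost": false}'::jsonb),
    ('hdi-key-missing',   'Succeeded',  '{}'::jsonb),
    ('hdi-no-properties', 'Succeeded',  null::jsonb),
    ('hdi-deploying',     'InProgress', '{"encryptionAtHost": true}'::jsonb)
)
select
  name,
  -- Raw jsonb value the control compares against 'true'.
  disk_encryption_properties -> 'encryptionAtHost' as encryption_at_host,
  -- Same case expression as the control's status column.
  case
    when provisioning_state <> 'Succeeded' then 'skip'
    when disk_encryption_properties -> 'encryptionAtHost' = 'true' then 'ok'
    else 'alarm'
  end as status
from
  sample_cluster
order by
  name;
```

Only `hdi-enabled` evaluates to `ok`. A missing key or null properties makes the comparison null, which falls through to `alarm`, and `hdi-deploying` is `skip` even though the flag is set.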

Tags