lacework-global-636
Encrypt 'Unattached disks' with Customer Managed Key (CMK) (Automated)
Profile Applicability
• Level 2
Description
Encrypt unattached disks in a subscription with a Customer Managed Key (CMK).
Rationale
Managed disks are encrypted by default with platform-managed keys. Using customer-managed keys may provide an additional level of security or meet an organization's regulatory requirements. Encrypting managed disks ensures that their entire content is unrecoverable without the key and thus protects the volume from unwarranted reads. Even if a disk is not attached to any VM, there is always a risk that a compromised user account with administrative access to the VM service could mount or attach these data disks, which may lead to sensitive information disclosure and tampering.
Impact
NOTE: You must have your key vault set up to utilize this. Encryption is available only on Standard tier VMs. This might cost you more.
Utilizing and maintaining Customer-managed keys will require additional work to create, protect, and rotate keys.
Audit
From Azure Console
- Go to Disks
- Click on Add Filter
- In the filter field select Disk state
- In the Value field select Unattached
- Click Apply
- For each disk listed ensure that Encryption type in the Encryption blade is 'Encryption at-rest with a customer-managed key'
From Azure Command Line Interface 2.0
Ensure the command below does not return any output. (The disk state property is case-sensitive in the JMESPath query: `diskState`.)
az disk list --query '[? diskState == `Unattached`].{encryptionSettings: encryptionSettings, name: name}' -o json
Sample Output:
[
  {
    "encryptionSettings": null,
    "name": "<Disk1>"
  },
  {
    "encryptionSettings": null,
    "name": "<Disk2>"
  }
]
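As an added example that is not part of this benchmark or the Lacework policy, the following Python script applies the audit logic to the JSON that `az disk list -o json` emits, keying on the `diskState` and `encryption.type` fields of each disk (a constructed sample is embedded so it runs offline). It assumes, as a judgement call, that double encryption (`EncryptionAtRestWithPlatformAndCustomerKeys`) satisfies the control because a customer-managed key is involved.

```python
import json

# Values of encryption.type reported by `az disk list`.
# Assumption: both CMK-involving types satisfy this control.
CMK_TYPES = {
    "EncryptionAtRestWithCustomerKey",
    "EncryptionAtRestWithPlatformAndCustomerKeys",
}


def noncompliant_unattached_disks(disks):
    """Return names of unattached disks that are not encrypted with a CMK.

    `disks` is the parsed JSON list produced by `az disk list -o json`.
    """
    findings = []
    for disk in disks:
        if disk.get("diskState") != "Unattached":
            continue  # attached disks are outside this control's scope
        # `encryption` may be absent or null on older disks; treat as no CMK.
        enc_type = (disk.get("encryption") or {}).get("type")
        if enc_type not in CMK_TYPES:
            findings.append(disk["name"])
    return findings


# Constructed sample mirroring the relevant fields of real az output.
SAMPLE_OUTPUT = """
[
  {"name": "os-disk-web01", "diskState": "Attached",
   "encryption": {"type": "EncryptionAtRestWithPlatformKey"}},
  {"name": "data-orphan-01", "diskState": "Unattached",
   "encryption": {"type": "EncryptionAtRestWithPlatformKey"}},
  {"name": "data-orphan-02", "diskState": "Unattached",
   "encryption": {"type": "EncryptionAtRestWithCustomerKey",
                  "diskEncryptionSetId": "<des-resource-id>"}},
  {"name": "data-orphan-03", "diskState": "Unattached",
   "encryption": {"type": "EncryptionAtRestWithPlatformAndCustomerKeys"}},
  {"name": "legacy-disk", "diskState": "Unattached", "encryption": null}
]
"""


def audit(raw_json=SAMPLE_OUTPUT):
    """Parse raw az output and return the failing disk names."""
    return noncompliant_unattached_disks(json.loads(raw_json))


if __name__ == "__main__":
    for name in audit():
        print(f"FAIL: unattached disk '{name}' is not encrypted with a CMK")
```

Pipe real output in with `az disk list -o json | python3 audit_disks.py` after replacing the default argument with `sys.stdin.read()`.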
Remediation
If the data stored on the disk is no longer needed, delete the unattached data disk by following the Azure documentation at:
- https://docs.microsoft.com/en-us/rest/api/compute/disks/delete
- https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-delete
If the data stored on the disk is important, encrypt the disk by following the Azure documentation at:
- https://docs.microsoft.com/en-us/azure/virtual-machines/disks-enable-customer-managed-keys-portal
- https://docs.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings
References
https://docs.microsoft.com/en-us/azure/security/fundamentals/azure-disk-encryption-vms-vmss
https://docs.microsoft.com/en-us/azure/security-center/security-center-disk-encryption?toc=%2fazure%2fsecurity%2ftoc.json
https://docs.microsoft.com/en-us/rest/api/compute/disks/delete
https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-delete
https://docs.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings
https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-update
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-5-encrypt-sensitive-data-at-rest