
Azure VM data disk is not encrypted with ADE/CMK

Description

Azure encrypts data disks by default with Server-Side Encryption (SSE) using platform-managed keys [SSE with PMK]. It is recommended to use either SSE with Azure Disk Encryption [SSE with PMK+ADE] or a Customer Managed Key [SSE with CMK], which improves on platform-managed keys by giving you control of the encryption keys to meet your compliance needs. Encryption does not impact the performance of managed disks, and there is no additional cost for it.
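The condition this rule evaluates on an ARM template, as an added example (not the rule's or Checkov's own implementation): a `Microsoft.Compute/disks` resource passes only when ADE is enabled via `encryptionSettingsCollection` or a customer-managed key is set through a disk encryption set; the template, vault and disk encryption set IDs below are constructed placeholders.

```python
import json

# Constructed sample ARM template (not from the page): three data disks with
# different encryption settings plus a VM, which the check ignores.
SAMPLE_TEMPLATE = json.loads("""
{
  "resources": [
    {"type": "Microsoft.Compute/disks", "name": "disk-default",
     "properties": {"encryption": {"type": "EncryptionAtRestWithPlatformKey"}}},
    {"type": "Microsoft.Compute/disks", "name": "disk-ade",
     "properties": {"encryptionSettingsCollection": {"enabled": true,
       "encryptionSettings": [{"diskEncryptionKey": {
         "sourceVault": {"id": "/subscriptions/<sub-id>/resourceGroups/MyResourceGroup/providers/Microsoft.KeyVault/vaults/myKV"},
         "secretUrl": "https://mykv.vault.azure.net/secrets/<secret>/<version>"}}]}}},
    {"type": "Microsoft.Compute/disks", "name": "disk-cmk",
     "properties": {"encryption": {"type": "EncryptionAtRestWithCustomerKey",
       "diskEncryptionSetId": "/subscriptions/<sub-id>/resourceGroups/MyResourceGroup/providers/Microsoft.Compute/diskEncryptionSets/myDES"}}},
    {"type": "Microsoft.Compute/virtualMachines", "name": "MyVM", "properties": {}}
  ]
}
""")

# encryption.type values that involve a customer-managed key (SSE with CMK).
CMK_TYPES = {"EncryptionAtRestWithCustomerKey",
             "EncryptionAtRestWithPlatformAndCustomerKeys"}


def disk_passes(props: dict) -> bool:
    """True when the disk uses ADE or a CMK; plain SSE with PMK (the default) fails."""
    ade = props.get("encryptionSettingsCollection", {})
    if ade.get("enabled") is True:
        return True  # SSE with PMK+ADE
    enc = props.get("encryption", {})
    # A CMK type is only meaningful when it references a disk encryption set.
    return enc.get("type") in CMK_TYPES and bool(enc.get("diskEncryptionSetId"))


def evaluate(template: dict) -> dict:
    """Map each Microsoft.Compute/disks resource name to 'PASSED' or 'FAILED'."""
    results = {}
    for res in template.get("resources", []):
        if res.get("type") != "Microsoft.Compute/disks":
            continue
        verdict = "PASSED" if disk_passes(res.get("properties", {})) else "FAILED"
        results[res["name"]] = verdict
    return results


if __name__ == "__main__":
    for name, verdict in evaluate(SAMPLE_TEMPLATE).items():
        print(f"{verdict}: {name}")
```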

Code Example

```shell
az vm encryption enable -g MyResourceGroup --name MyVM --disk-encryption-keyvault myKV

## You can verify that encryption is enabled on your VM with az vm show
az vm show --name MyVM -g MyResourceGroup

## You will see the following in the returned output:
## "EncryptionOperation": "EnableEncryption",
```

Remediation

Azure Portal

To enable Azure Disk Encryption using the Azure Portal, follow these steps:

1. Log in to the Azure Portal at https://portal.azure.com.
2. Select the Management tab and verify that you have a Diagnostics Storage Account. If you have no storage accounts, select Create New, give your new account a name, then select OK.
3. When the VM deployment is complete, select Go to resource.
4. On the left-hand sidebar, select Disks. On the Disks screen, select Encryption.
5. On the Create key vault screen, ensure that the Resource Group is the same as the one you used to create the VM.
6. Name your key vault.
7. On the Access Policies tab, check Azure Disk Encryption for volume encryption.
8. After the key vault has passed validation, select Create. Leave the Key field blank, then click Select.
9. At the top of the Encryption screen, click Save. A popup will warn you that the VM will reboot. Click Yes.

CLI Command

Encrypt your VM with az vm encryption enable, providing your unique Key Vault name to the --disk-encryption-keyvault parameter.

Rule Details

| Field | Value |
| --- | --- |
| ID | IAC-0513 |
| Severity | INFO |
| IaC Type | arm |
| Frameworks | ARM, Terraform, Bicep, TerraformPlan |
| Checkov ID | CKV_AZURE_2 |
