Azure Virtual Machines does not utilise Managed Disks
Description
Migrate blob-based VHDs to Managed Disks on Virtual Machines to take advantage of the default features of this configuration. The features include:
- Default disk encryption
- Resilience, as Microsoft manages the disk storage and moves it if the underlying hardware becomes faulty
- Reduction of costs over storage accounts

Managed disks are by default encrypted on the underlying hardware, so no additional encryption is required for basic protection; it is available if additional encryption is required. Managed disks are by design more resilient than storage accounts. For ARM-deployed Virtual Machines, Azure Advisor will at some point recommend moving VHDs to managed disks from both a security and a cost management perspective.
Code Example
```hcl
resource "azurerm_virtual_machine" "virtual_machine_good" {
  name                  = "my-vm"
  location              = "location"
  resource_group_name   = "group_name"
  network_interface_ids = ["1234567"]
  vm_size               = "Standard_DS1_v2"

  storage_image_reference {
    publisher = "Canonical"
    offer     = "UbuntuServer"
    sku       = "16.04-LTS"
    version   = "latest"
  }

  # managed_disk_type is set and no vhd_uri is given,
  # so the OS disk is a Managed Disk rather than a VHD blob.
  storage_os_disk {
    name              = "myosdisk1"
    caching           = "ReadWrite"
    create_option     = "FromImage"
    managed_disk_type = "Standard_LRS"
  }

  # Placeholder credentials for the example only.
  os_profile {
    computer_name  = "hostname"
    admin_username = "testadmin"
    admin_password = "Password1234!"
  }

  os_profile_linux_config {
    disable_password_authentication = false
  }

  tags = {
    environment = "staging"
  }
}
```

Remediation
Terraform
- Resource: azurerm_virtual_machine
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0767 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV2_AZURE_9 |
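
The rule also applies to the TerraformPlan framework, so the same condition can be checked against `terraform show -json` output. The script below is an added example, not Checkov's implementation: it assumes a disk is unmanaged when `vhd_uri` is set in a `storage_os_disk` or `storage_data_disk` block, and the plan document, resource addresses and URLs in it are constructed sample data.

```python
import json

# Constructed sample in the shape of `terraform show -json <planfile>` output.
SAMPLE_PLAN = json.loads("""
{"planned_values": {"root_module": {
  "resources": [
    {"address": "azurerm_virtual_machine.managed",
     "type": "azurerm_virtual_machine",
     "values": {"storage_os_disk": [{"name": "myosdisk1",
                                     "managed_disk_type": "Standard_LRS",
                                     "vhd_uri": null}],
                "storage_data_disk": []}}],
  "child_modules": [{"address": "module.legacy", "resources": [
    {"address": "module.legacy.azurerm_virtual_machine.blob",
     "type": "azurerm_virtual_machine",
     "values": {"storage_os_disk": [{"name": "osdisk",
                                     "vhd_uri": "https://example.invalid/vhds/osdisk.vhd"}],
                "storage_data_disk": [{"name": "data0",
                                       "vhd_uri": "https://example.invalid/vhds/data0.vhd"}]}}]}]
}}}
""")

DISK_BLOCKS = ("storage_os_disk", "storage_data_disk")


def iter_resources(module):
    """Yield every resource in a module and, recursively, in its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def unmanaged_disks(plan):
    """Return (resource address, block, disk name) for each VHD-blob-backed disk."""
    findings = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        if res.get("type") != "azurerm_virtual_machine":
            continue
        values = res.get("values") or {}
        for block in DISK_BLOCKS:
            for disk in values.get(block) or []:
                if disk.get("vhd_uri"):  # null or "" means no VHD blob is referenced
                    findings.append((res["address"], block, disk.get("name")))
    return findings


if __name__ == "__main__":
    for address, block, name in unmanaged_disks(SAMPLE_PLAN):
        print(f"{address}: {block} '{name}' sets vhd_uri (unmanaged disk)")
```

A `vhd_uri` whose value is only known after apply does not appear in `planned_values`, so this script does not report it.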