Ensure that disk encryption monitoring is enabled within the Microsoft Defender for Cloud settings so that Defender for Cloud can detect whether your Azure virtual machines (Windows and Linux) have disk encryption enabled.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
By default, the OS and data disks attached to a virtual machine are encrypted at rest using platform-managed keys. However, temp disks, data caches, and data flowing between compute and storage are not encrypted. When working with production and business-critical data, it is highly recommended to implement full disk encryption in order to protect all of your data from unauthorized access and to fulfill your organization's compliance requirements for data-at-rest encryption. Microsoft Defender for Cloud disk encryption monitoring identifies non-compliant virtual machines (VMs) and recommends enabling full disk encryption on them in order to enhance data protection.
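The check itself can be scripted: the helper below, added here as an example and not Conformity's or Microsoft's own code, reads the subscription's default Defender for Cloud policy assignment and reports whether the disk encryption monitoring effect is switched off. It assumes (not stated on this page) that the assignment is named SecurityCenterBuiltIn, that it exposes the parameter diskEncryptionMonitoringEffect, and that the initiative default for that parameter is AuditIfNotExists; the sample responses are constructed.

```python
"""Audit helper (added example, not Conformity's own code): decide whether
Defender for Cloud's disk encryption monitoring is enabled, from the JSON of a
subscription's default security policy assignment.
Assumed, not from the page: assignment name SecurityCenterBuiltIn, parameter
name diskEncryptionMonitoringEffect, initiative default AuditIfNotExists."""
import json
import urllib.request

ASSIGNMENT_URL = ("https://management.azure.com/subscriptions/{sub}/providers/"
                  "Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn"
                  "?api-version=2021-06-01")
PARAMETER = "diskEncryptionMonitoringEffect"   # assumed parameter name
ENABLED_EFFECTS = {"Audit", "AuditIfNotExists"}


def fetch_assignment(subscription_id: str, bearer_token: str) -> str:
    """GET the policy assignment with a token obtained from
    `az account get-access-token --query accessToken -o tsv` (needs network)."""
    req = urllib.request.Request(ASSIGNMENT_URL.format(sub=subscription_id),
                                 headers={"Authorization": "Bearer " + bearer_token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


def disk_encryption_monitoring(assignment_json: str) -> dict:
    """Return {'enabled': bool, 'effect': str, 'reason': str}.
    A parameter that is not overridden falls back to the initiative default,
    assumed here to be AuditIfNotExists (monitoring on)."""
    doc = json.loads(assignment_json)
    params = doc.get("properties", {}).get("parameters") or {}
    effect = (params.get(PARAMETER) or {}).get("value")
    if effect is None:
        return {"enabled": True, "effect": "AuditIfNotExists",
                "reason": "not overridden; initiative default applies (assumed)"}
    if effect in ENABLED_EFFECTS:
        return {"enabled": True, "effect": effect, "reason": "set explicitly"}
    return {"enabled": False, "effect": str(effect),
            "reason": "monitoring is switched off in the policy assignment"}


# Constructed sample responses (not captured from a real subscription).
SAMPLE_DISABLED = json.dumps({"name": "SecurityCenterBuiltIn", "properties": {
    "displayName": "ASC Default", "parameters": {PARAMETER: {"value": "Disabled"}}}})
SAMPLE_ENABLED = json.dumps({"name": "SecurityCenterBuiltIn", "properties": {
    "parameters": {PARAMETER: {"value": "AuditIfNotExists"}}}})
SAMPLE_DEFAULT = json.dumps({"name": "SecurityCenterBuiltIn", "properties": {
    "parameters": {}}})

if __name__ == "__main__":
    for label, sample in [("disabled", SAMPLE_DISABLED), ("enabled", SAMPLE_ENABLED),
                          ("default", SAMPLE_DEFAULT)]:
        print(label, disk_encryption_monitoring(sample))
```

Only the `Disabled` case is a finding; an assignment that does not override the parameter inherits the initiative default and is reported as enabled.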
Audit
To determine if disk encryption monitoring is enabled within the Microsoft Defender for Cloud security policy, perform the following operations:
Remediation / Resolution
To enable the disk encryption monitoring for Azure virtual machines within the Microsoft Defender for Cloud security policy, perform the following operations:
References
- Azure Official Documentation
  - Microsoft Defender for Cloud documentation
  - What is Microsoft Defender for Cloud?
  - Azure Policy built-in policy definitions
  - Manage security policies
  - CIS Microsoft Azure Foundations
- Azure Command Line Interface (CLI) Documentation
  - az
  - az account get-access-token