Ensure that your detached Microsoft Azure virtual machine (VM) disk volumes are encrypted using Azure Disk Encryption (ADE) in order to meet security and compliance requirements. ADE encrypts the OS and data disks of Azure virtual machines (VMs) from inside the VM, using the VM's CPU, via the DM-Crypt feature of Linux or the BitLocker feature of Windows. ADE is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets. Encryption and decryption of the unattached disk volumes is handled transparently and requires no additional action from you, your Azure virtual machine, or your application.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
Azure Disk Encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. It uses the DM-Crypt feature of Linux and the BitLocker feature of Windows to provide volume encryption for the OS and data disks of Azure virtual machines (VMs), and is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets. When your cloud applications work with sensitive data such as PII (Personally Identifiable Information), it is strongly recommended to enable encryption to protect this data from unauthorized access and to fulfill your organization's compliance requirements for data-at-rest encryption. By encrypting disk volumes detached from your Microsoft Azure virtual machines, you have the assurance that your data is unrecoverable without the encryption key, which protects it from unwarranted reads. Even if the disk volumes are not attached to any of the VMs provisioned within your Azure cloud account, there is always a risk that a compromised user account with administrative privileges could mount or attach these unencrypted disks, leading to sensitive information disclosure and/or data leakage.
Audit
To determine if encryption at rest is enabled for your unattached VM disk volumes, perform the following actions:
Note 1: Azure Disk Encryption encrypts the disk volume itself. This is distinct from Server-Side Encryption (also referred to as encryption-at-rest or Azure Storage encryption), which encrypts the data stored on the disk.
Note 2: Getting the Azure Disk Encryption status for the detached Azure VM disk volumes using Microsoft Azure Management Console (Azure Portal) is not currently supported.
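The following is an added example, not part of the Conformity rule page and not Microsoft's or Conformity's own code. It shows one way to audit detached disks offline: run `az disk list --output json`, feed the output to the script, and it reports every disk whose `diskState` is `Unattached` and whose `encryptionSettingsCollection.enabled` flag (the property Azure managed disks use to record ADE status) is absent or false. The disk names, resource group and JSON below are a constructed sample, not real resources.

```python
"""Offline audit: which unattached Azure managed disks have no Azure Disk Encryption?

Usage with real data (added example, assumes the Azure CLI is logged in):
    az disk list --output json > disks.json
    python3 ade_audit.py disks.json
"""
import json
import sys

# Constructed sample of `az disk list --output json` output (not real resources).
# Only the fields the check reads are included; the real output has many more.
SAMPLE_DISK_LIST = json.dumps([
    {
        "name": "data-disk-01",
        "resourceGroup": "rg-example",
        "diskState": "Unattached",
        "encryptionSettingsCollection": {"enabled": True},   # ADE enabled
    },
    {
        "name": "data-disk-02",
        "resourceGroup": "rg-example",
        "diskState": "Unattached",
        "encryptionSettingsCollection": None,                # never ADE-encrypted
    },
    {
        "name": "os-disk-vm1",
        "resourceGroup": "rg-example",
        "diskState": "Attached",                             # out of scope here
        "encryptionSettingsCollection": None,
    },
])


def is_ade_enabled(disk: dict) -> bool:
    """ADE status is recorded in encryptionSettingsCollection.enabled.

    A missing or null collection means ADE has never been applied to the disk,
    so it is treated as not encrypted with ADE (server-side storage encryption
    is a separate property and is deliberately not consulted here)."""
    settings = disk.get("encryptionSettingsCollection") or {}
    return bool(settings.get("enabled", False))


def unattached_without_ade(disk_list_json: str) -> list:
    """Return [(resourceGroup, name), ...] for detached disks lacking ADE."""
    findings = []
    for disk in json.loads(disk_list_json):
        if disk.get("diskState") != "Unattached":
            continue  # attached disks are covered by the VM-level ADE rule
        if not is_ade_enabled(disk):
            findings.append((disk.get("resourceGroup"), disk.get("name")))
    return findings


if __name__ == "__main__":
    # Read a saved `az disk list` JSON file if given, else use the sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DISK_LIST
    for rg, name in unattached_without_ade(data):
        print(f"FINDING: unattached disk '{name}' in resource group '{rg}' has no ADE")
```

The check only inspects `diskState` and `encryptionSettingsCollection`, so it answers exactly the question this rule asks (is ADE enabled on the detached volume?) and does not mistake Server-Side Encryption for ADE; a disk that is encrypted only at the storage layer is still reported.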
Remediation / Resolution
To enable encryption for your unattached Microsoft Azure VM disk volumes, perform the following actions:
Note: Enabling encryption at rest for detached Azure VM disk volumes using Microsoft Azure Management Console (Azure Portal) is not currently supported.
References
- Azure Official Documentation
- Azure Disk Encryption for Linux VMs
- Azure Disk Encryption for Windows VMs
- Azure Disk Encryption for virtual machines and virtual machine scale sets
- CIS Microsoft Azure Foundations
- Azure Command Line Interface (CLI) Documentation
- Quickstart: Create and encrypt a Linux VM with the Azure CLI
- Quickstart: Create and encrypt a Windows VM with the Azure CLI
- az disk
- az disk list
- az disk show
- az disk update
- az keyvault
- az keyvault create