Unattached Disks Are Not Encrypted With Customer Managed Key
Overview
Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key (CMK).
Managed disks are encrypted by default with platform-managed keys. Using customer-managed keys may provide an additional level of security or meet an organization's regulatory requirements. Encrypting managed disks ensures that their entire content is unrecoverable without the key and thus protects the volume from unwarranted reads. Even if a disk is not attached to any VM, there is always a risk that a compromised user account with administrative access to the VM service can mount or attach such a data disk, which may lead to sensitive information disclosure and tampering.
NOTE: You must have your key vault set up to utilize this. Encryption is available only on Standard tier VMs. This might cost you more. Utilizing and maintaining Customer-managed keys will require additional work to create, protect, and rotate keys.
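The check described above, as an added example (not part of this rule page or of any Azure tooling): it evaluates disk records in the shape returned by `az disk list` (the `diskState` and `encryption.type` fields are real Azure Disk resource properties) and reports unattached disks that are not encrypted with a customer-managed key. The disk records below are constructed sample data.

```python
import json

# Azure "encryption.type" values that involve a customer-managed key (CMK).
CMK_ENCRYPTION_TYPES = {
    "EncryptionAtRestWithCustomerKey",
    "EncryptionAtRestWithPlatformAndCustomerKeys",
}


def find_unattached_disks_without_cmk(disks):
    """Return names of disks that are unattached AND not CMK-encrypted.

    Attached disks are out of scope for this rule; a missing or unknown
    encryption type is treated as non-compliant (fail closed).
    """
    findings = []
    for disk in disks:
        if disk.get("diskState") != "Unattached":
            continue
        enc_type = (disk.get("encryption") or {}).get("type")
        if enc_type not in CMK_ENCRYPTION_TYPES:
            findings.append(disk["name"])
    return findings


# Constructed sample, trimmed to the fields this check needs.
SAMPLE_DISKS_JSON = """
[
  {"name": "disk-orphaned-pmk", "diskState": "Unattached",
   "encryption": {"type": "EncryptionAtRestWithPlatformKey"}},
  {"name": "disk-orphaned-cmk", "diskState": "Unattached",
   "encryption": {"type": "EncryptionAtRestWithCustomerKey",
                  "diskEncryptionSetId": "/subscriptions/<placeholder>/.../des-example"}},
  {"name": "disk-in-use-pmk", "diskState": "Attached",
   "encryption": {"type": "EncryptionAtRestWithPlatformKey"}},
  {"name": "disk-orphaned-double", "diskState": "Unattached",
   "encryption": {"type": "EncryptionAtRestWithPlatformAndCustomerKeys"}},
  {"name": "disk-orphaned-unknown", "diskState": "Unattached"}
]
"""


def run_check(raw_json=SAMPLE_DISKS_JSON):
    """Parse disk JSON (e.g. saved `az disk list` output) and run the rule."""
    return find_unattached_disks_without_cmk(json.loads(raw_json))


if __name__ == "__main__":
    for name in run_check():
        print(f"NON-COMPLIANT: {name} is unattached and not encrypted with a CMK")
```

To run it against a real subscription, feed it the output of `az disk list -o json`; the attached disk is skipped because this rule only covers unattached disks.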
Vendor
Azure
Cloud Service
Compute
Related Controls
CIS Azure v2.0.0 7.4
References
https://docs.microsoft.com/en-us/azure/security/fundamentals/azure-disk-encryption-vms-vmss
https://docs.microsoft.com/en-us/azure/security-center/security-center-disk-encryption?toc=%2fazure%2fsecurity%2ftoc.json
https://docs.microsoft.com/en-us/rest/api/compute/disks/delete
https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-delete
https://docs.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings
https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-update
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-5-encrypt-sensitive-data-at-rest
Severity
3
Item Types
Microsoft.Compute.Disks