Pipeline: 8.4 Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK)
Description
Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key (CMK).
Managed disks are encrypted by default with Platform-managed keys. Using Customer-managed keys may provide an additional level of security or meet an organization's regulatory requirements. Encrypting managed disks ensures that its entire content is fully unrecoverable without a key and thus protects the volume from unwarranted reads. Even if the disk is not attached to any of the VMs, there is always a risk where a compromised user account with administrative access to VM service can mount/attach these data disks, which may lead to sensitive information disclosure and tampering.
Remediation
If data stored in the disk is no longer useful, refer to Azure documentation to delete unattached data disks at:
- https://docs.microsoft.com/en-us/rest/api/compute/disks/delete- https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-delete
If data stored in the disk is important, to encrypt the disk refer to azure documentation at:
- https://docs.microsoft.com/en-us/azure/virtual-machines/disks-enable-customer-managed-keys-portal- https://docs.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings
Default Value
By default, managed disks are encrypted with a Platform-managed key.
Run the pipeline
To run this pipeline from your terminal:
flowpipe pipeline run azure_cis.pipeline.cis_v300_8_4
Use this pipeline
To call this pipeline from your pipeline, use a step:
step "pipeline" "step_name" { pipeline = azure_cis.pipeline.cis_v300_8_4 }
Params
Name | Type | Required | Description | Default |
---|---|---|---|---|
database | connection.steampipe | Yes | Database connection string. | connection.steampipe.default |
notifier | notifier | Yes | The name of the notifier to use for sending notification messages. | notifier.default |
notification_level | string | Yes | The verbosity level of notification messages to send. Valid options are 'verbose', 'info', 'error'. | info |
Outputs
This pipeline has no outputs.