Profile Applicability:
- Level 2
Description:
This check ensures that any unattached disks in your Azure environment are encrypted with a Customer Managed Key (CMK). Unattached disks are disks that are not currently attached to a virtual machine but still exist in your environment. Encrypting these disks with CMK ensures that they are secured and compliant with your organization’s security and regulatory standards.
Rationale:
Unattached disks can still contain sensitive data, and if not properly encrypted, this data may be at risk of exposure. By ensuring that unattached disks are encrypted with a Customer Managed Key, you ensure that the data stored on these disks is protected, even when the disks are not attached to an active VM. Using CMK for encryption allows the organization to control key access, rotation, and compliance with security policies.
Impact:
Pros:
Ensures that sensitive data stored on unattached disks is encrypted and protected, reducing the risk of unauthorized access.
Provides better control over encryption keys through Azure Key Vault.
Meets compliance requirements for encrypting all data at rest.
Cons:
Requires configuration and management of Customer Managed Keys (CMK), including access policies in Azure Key Vault.
Additional cost for managing CMK, depending on the size of the disks and number of disks.
May require some operational overhead to ensure proper encryption settings and access controls.
Default Value:
By default, Azure uses Platform Managed Keys (PMK) for unattached disks. CMK must be explicitly configured for unattached disks.
Pre-requisites:
Ensure that you have an Azure Key Vault set up and that appropriate access policies are configured to allow the encryption of unattached disks with the Customer Managed Key.
Ensure that unattached disks are properly identified in your environment and have the correct encryption settings applied.
Test Plan:
Using Azure Console:
Log in to the Azure portal at https://portal.azure.com.
Go to the Disks blade.
Verify the list of unattached disks and check their Encryption settings.
Ensure that the disks are configured with Customer Managed Key (CMK) rather than Platform Managed Key (PMK).
If disks are not encrypted with CMK, take note and proceed with the necessary configuration.
Using Azure CLI:
To list unattached disks and check their encryption status, run the following command:
az disk list --query "[?managedBy==null].{name:name, encryption:encryption}"
Ensure that the encryption.type field for each unattached disk reports EncryptionAtRestWithCustomerKey (or EncryptionAtRestWithPlatformAndCustomerKeys) and that encryption.diskEncryptionSetId references your Disk Encryption Set; a value of EncryptionAtRestWithPlatformKey means the disk is still using a Platform Managed Key (PMK).
Implementation Plan:
Using Azure Console:
Log in to the Azure portal at https://portal.azure.com.
Go to the Disks blade.
For each unattached disk, select the disk and go to the Encryption section.
Change the encryption option to Customer Managed Key (CMK).
Select the appropriate Key Vault and Encryption Key.
Click Save to apply the changes and ensure the disk is encrypted with CMK.
Using Azure CLI:
To enable CMK-based encryption for an unattached disk, Azure managed disks reference the customer key through a Disk Encryption Set (DES) rather than through the Key Vault and key directly. Create the DES (its managed identity must be granted get, wrapKey and unwrapKey permissions on the key in Azure Key Vault), then point the disk at it:
az disk-encryption-set create --resource-group <RESOURCE_GROUP_NAME> --name <DES_NAME> --source-vault <KEYVAULT_NAME> --key-url <KEY_IDENTIFIER_URL>
az disk update --resource-group <RESOURCE_GROUP_NAME> --name <DISK_NAME> --encryption-type EncryptionAtRestWithCustomerKey --disk-encryption-set <DES_NAME>
Ensure the disk is now encrypted using CMK by checking the encryption status again:
az disk show --resource-group <RESOURCE_GROUP_NAME> --name <DISK_NAME> --query "encryption"
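The audit in the Test Plan and the remediation in the Implementation Plan can be combined into one script that reads the JSON produced by az disk list, flags every unattached disk that is not CMK-backed, and prints the az disk update command needed for each. This is an added example, not part of the benchmark text; the disk records below are constructed sample data in the shape az disk list -o json returns, and the Disk Encryption Set name des-prod is an assumed placeholder.

```python
import json
import subprocess
import sys

# encryption.type values that mean a customer-managed key is in use.
CMK_TYPES = {
    "EncryptionAtRestWithCustomerKey",
    "EncryptionAtRestWithPlatformAndCustomerKeys",
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"

# Constructed sample data (not real resources), trimmed to the fields this
# check needs from `az disk list -o json`.
SAMPLE_DISKS = [
    {"name": "disk-attached-pmk", "resourceGroup": "rg-prod",
     "managedBy": SUB + "/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm1",
     "encryption": {"type": "EncryptionAtRestWithPlatformKey", "diskEncryptionSetId": None}},
    {"name": "disk-orphan-pmk", "resourceGroup": "rg-prod", "managedBy": None,
     "encryption": {"type": "EncryptionAtRestWithPlatformKey", "diskEncryptionSetId": None}},
    {"name": "disk-orphan-cmk", "resourceGroup": "rg-prod", "managedBy": None,
     "encryption": {"type": "EncryptionAtRestWithCustomerKey",
                    "diskEncryptionSetId": SUB + "/resourceGroups/rg-prod/providers/Microsoft.Compute/diskEncryptionSets/des-prod"}},
    {"name": "disk-orphan-double", "resourceGroup": "rg-data", "managedBy": None,
     "encryption": {"type": "EncryptionAtRestWithPlatformAndCustomerKeys",
                    "diskEncryptionSetId": SUB + "/resourceGroups/rg-data/providers/Microsoft.Compute/diskEncryptionSets/des-data"}},
]


def unattached_disks(disks):
    """Disks with no owning VM, the same filter as the benchmark's managedBy==null query."""
    return [d for d in disks if not d.get("managedBy")]


def noncompliant_unattached(disks):
    """Unattached disks whose encryption type is not backed by a customer-managed key."""
    flagged = []
    for d in unattached_disks(disks):
        enc = d.get("encryption") or {}
        if enc.get("type") not in CMK_TYPES:
            flagged.append(d)
    return flagged


def remediation_commands(disks, des_name):
    """One `az disk update` line per non-compliant disk, targeting the given DES (assumed to exist)."""
    return [
        f"az disk update --resource-group {d['resourceGroup']} --name {d['name']} "
        f"--encryption-type EncryptionAtRestWithCustomerKey --disk-encryption-set {des_name}"
        for d in noncompliant_unattached(disks)
    ]


def main(argv):
    # `--live` runs the real CLI; otherwise the constructed sample is used.
    if "--live" in argv:
        disks = json.loads(subprocess.check_output(["az", "disk", "list", "-o", "json"]))
    else:
        disks = SAMPLE_DISKS
    flagged = noncompliant_unattached(disks)
    for d in flagged:
        print(f"NON-COMPLIANT: {d['resourceGroup']}/{d['name']} uses "
              f"{(d.get('encryption') or {}).get('type')}")
    for cmd in remediation_commands(disks, "des-prod"):
        print(cmd)
    # Non-zero exit lets a pipeline fail the check when any unattached disk lacks CMK.
    return 1 if flagged else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with --live against a logged-in az session to audit a subscription; without the flag it exercises the sample records, which include an attached PMK disk (ignored by this check), an unattached PMK disk (flagged), and two unattached disks already using CMK and double encryption (compliant). The printed az disk update lines assume the Disk Encryption Set already exists and has key access in Key Vault, as described in the Implementation Plan.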
Backout Plan:
Using Azure Console:
Log in to the Azure portal at https://portal.azure.com.
Go to the Disks blade.
Select the disk that is encrypted with CMK.
Change the Encryption setting to Platform Managed Key (PMK).
Click Save to apply the changes.
Using Azure CLI:
To revert the encryption to Platform Managed Key (PMK), run the following command:
az disk update --resource-group <RESOURCE_GROUP_NAME> --name <DISK_NAME> --encryption-type EncryptionAtRestWithPlatformKey