Severity : Medium
Description: Encrypting virtual machine disk volumes. This control ensures that OS and data disk volumes are encrypted with a Customer Managed Key (CMK). Encrypting the VM's OS disk (boot volume) and data disks (non-boot volumes) ensures that the entire content is unrecoverable without the key and thus protects the volumes from unwarranted reads. CMK is a superior encryption option, although it requires additional planning. Azure Disk Encryption helps protect and safeguard your data to meet your organizational security and compliance commitments.
Remediation Steps: Ensure that virtual machine disks are created using BYOK encryption:
Perform the following to configure customer managed key encryption on the reported disks:
Login to Azure Portal using https://portal.azure.com.
Navigate to All resources.
Filter the resources for Virtual Machines, then select Virtual Machines.
Select the VMs reported.
Under Settings, select Disks.
Click the X to detach the disk from the VM.
Look for the unattached disk.
Select the disk.
Set Encryption type to Encryption at-rest with a customer managed key.
Select the appropriate Disk encryption set.
Select Save.
Go back to the virtual machine and re-attach the disk.
Important:
To use their own key, the customer must first set up a Key Vault to hold it.
All services and processes that could be writing to the mounted data disks must be stopped and disabled, so that they do not start writing again on reboot; otherwise the encryption process may fail.
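The portal steps above remediate one disk at a time. As an added example (not part of the benchmark text or Microsoft's tooling), the following Python audit reads the JSON that `az disk list -o json` produces, flags every OS and data disk that is not encrypted with a customer managed key, and prints the equivalent `az disk update` command for each non-compliant disk. The sample disk records, subscription id, resource group and disk encryption set id are constructed; the field names (`managedBy`, `osType`, `encryption.type`, `encryption.diskEncryptionSetId`) and the `--encryption-type` / `--disk-encryption-set` flags are assumed from the Azure CLI and Compute API as I know them.

```python
import json
from dataclasses import dataclass
from typing import List, Optional

# Encryption types the Azure Compute API reports on a managed disk. The two
# "CustomerKey" variants are backed by a disk encryption set, i.e. a key the
# customer controls in Key Vault; the PlatformKey variant is the default.
CMK_TYPES = {
    "EncryptionAtRestWithCustomerKey",
    "EncryptionAtRestWithPlatformAndCustomerKeys",
}

# Constructed sample resembling the fields of `az disk list -o json` that the
# check needs (subscription id, names and ids are made up).
SAMPLE_DISKS_JSON = r"""
[
  {"name": "web01-osdisk",
   "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.Compute/disks/web01-osdisk",
   "osType": "Linux",
   "managedBy": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/web01",
   "encryption": {"type": "EncryptionAtRestWithPlatformKey", "diskEncryptionSetId": null}},
  {"name": "web01-data0",
   "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.Compute/disks/web01-data0",
   "osType": null,
   "managedBy": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/web01",
   "encryption": {"type": "EncryptionAtRestWithCustomerKey",
                  "diskEncryptionSetId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.Compute/diskEncryptionSets/des-prod"}},
  {"name": "orphan-data1",
   "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.Compute/disks/orphan-data1",
   "osType": null,
   "managedBy": null,
   "encryption": {"type": "EncryptionAtRestWithPlatformKey", "diskEncryptionSetId": null}}
]
"""


@dataclass
class Finding:
    disk: str
    resource_group: str
    role: str                   # "os" or "data"
    attached_to: Optional[str]  # VM name, or None when the disk is unattached
    encryption_type: str
    compliant: bool


def load_disks(text: str) -> List[dict]:
    """Parse the JSON array produced by `az disk list -o json`."""
    return json.loads(text)


def resource_group_of(resource_id: str) -> str:
    """Pull the resource group segment out of an ARM resource id."""
    parts = resource_id.split("/")
    return parts[parts.index("resourceGroups") + 1]


def audit_disks(disks: List[dict]) -> List[Finding]:
    """Flag every disk whose at-rest encryption does not use a customer managed key."""
    findings = []
    for d in disks:
        enc = d.get("encryption") or {}
        enc_type = enc.get("type", "EncryptionAtRestWithPlatformKey")
        managed_by = d.get("managedBy")
        findings.append(Finding(
            disk=d["name"],
            resource_group=resource_group_of(d["id"]),
            role="os" if d.get("osType") else "data",
            attached_to=managed_by.rsplit("/", 1)[-1] if managed_by else None,
            encryption_type=enc_type,
            # Compliant only when a CMK type is set AND a disk encryption set is bound.
            compliant=enc_type in CMK_TYPES and bool(enc.get("diskEncryptionSetId")),
        ))
    return findings


def remediation_commands(findings: List[Finding], des_id: str) -> List[str]:
    """Build the `az disk update` call for each non-compliant disk.

    Flags assumed: --encryption-type and --disk-encryption-set. The benchmark
    procedure detaches the disk first, so attached disks are annotated with
    the VM that must release them.
    """
    cmds = []
    for f in findings:
        if f.compliant:
            continue
        note = f"  # detach from {f.attached_to} first" if f.attached_to else ""
        cmds.append(
            f"az disk update --name {f.disk} --resource-group {f.resource_group} "
            f"--encryption-type EncryptionAtRestWithCustomerKey "
            f"--disk-encryption-set {des_id}{note}"
        )
    return cmds


if __name__ == "__main__":
    results = audit_disks(load_disks(SAMPLE_DISKS_JSON))
    for f in results:
        print(f"{'OK  ' if f.compliant else 'FAIL'} {f.disk:14} {f.role:4} {f.encryption_type}")
    des = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"
           "/providers/Microsoft.Compute/diskEncryptionSets/des-prod")  # constructed
    print("\n".join(remediation_commands(results, des)))
```

Run it against real output by replacing `SAMPLE_DISKS_JSON` with the contents of `az disk list -o json`; an attached disk in the FAIL list is the one whose VM must have its writers stopped and the disk detached, as the steps above require, before the encryption type is changed.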
Reference:
CIS Microsoft Azure Foundations Benchmark v1.3.0 - 02-01-2021: Recommendation #7.2
https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption-overview
https://docs.microsoft.com/en-us/azure/security/fundamentals/azure-disk-encryption-vms-vmss
https://docs.microsoft.com/en-us/rest/api/compute/disks/delete
https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption-troubleshooting