Azure Managed Disk Without Encryption

  • Query id: 350f3955-b5be-436f-afaa-3d2be2fa6cdd
  • Query name: Azure Managed Disk Without Encryption
  • Platform: AzureResourceManager
  • Severity: High
  • Category: Encryption
  • URL: Github

Description

Azure Disk Encryption should be enabled
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - json file
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "projectName": {
      "type": "string",
      "metadata": {
        "description": "Specifies a name for generating resource names."
      }
    }
  },
  "variables": {
    "vmName": "[concat(parameters('projectName'), '-vm')]"
  },
  "resources": [
    {
      "type": "Microsoft.Compute/disks",
      "apiVersion": "2020-09-30",
      "name": "[concat(variables('vmName'),'-disk1')]",
      "location": "[resourceGroup().location]",
      "sku": {
        "name": "Standard_LRS"
      },
      "properties": {
        "creationData": {
          "createOption": "Empty"
        },
        "diskSizeGB": 512,
        "encryptionSettingsCollection": {
          "enabled": false,
          "encryptionSettings": [
            {
              "diskEncryptionKey": {
                "secretUrl": "https://secret.com/secrets/secret",
                "sourceVault": {
                  "id": "/someid/somekey"
                }
              }
            }
          ]
        }
      }
    }
  ]
}
Positive test num. 2 - json file
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "projectName": {
      "type": "string",
      "metadata": {
        "description": "Specifies a name for generating resource names."
      }
    }
  },
  "variables": {
    "vmName": "[concat(parameters('projectName'), '-vm')]"
  },
  "resources": [
    {
      "type": "Microsoft.Compute/disks",
      "apiVersion": "2020-09-30",
      "name": "[concat(variables('vmName'),'-disk1')]",
      "location": "[resourceGroup().location]",
      "sku": {
        "name": "Standard_LRS"
      },
      "properties": {
        "creationData": {
          "createOption": "Empty"
        },
        "diskSizeGB": 512
      }
    }
  ]
}
Positive test num. 3 - json file
{
  "properties": {
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
        "projectName": {
          "type": "string",
          "metadata": {
            "description": "Specifies a name for generating resource names."
          }
        }
      },
      "variables": {
        "vmName": "[concat(parameters('projectName'), '-vm')]"
      },
      "resources": [
        {
          "type": "Microsoft.Compute/disks",
          "apiVersion": "2020-09-30",
          "name": "[concat(variables('vmName'),'-disk1')]",
          "location": "[resourceGroup().location]",
          "sku": {
            "name": "Standard_LRS"
          },
          "properties": {
            "creationData": {
              "createOption": "Empty"
            },
            "diskSizeGB": 512,
            "encryptionSettingsCollection": {
              "enabled": false,
              "encryptionSettings": [
                {
                  "diskEncryptionKey": {
                    "secretUrl": "https://secret.com/secrets/secret",
                    "sourceVault": {
                      "id": "/someid/somekey"
                    }
                  }
                }
              ]
            }
          }
        }
      ],
      "outputs": {}
    },
    "parameters": {}
  },
  "kind": "template",
  "type": "Microsoft.Blueprint/blueprints/artifacts",
  "name": "myTemplate"
}

Positive test num. 4 - json file
{
  "properties": {
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
        "projectName": {
          "type": "string",
          "metadata": {
            "description": "Specifies a name for generating resource names."
          }
        }
      },
      "variables": {
        "vmName": "[concat(parameters('projectName'), '-vm')]"
      },
      "resources": [
        {
          "type": "Microsoft.Compute/disks",
          "apiVersion": "2020-09-30",
          "name": "[concat(variables('vmName'),'-disk1')]",
          "location": "[resourceGroup().location]",
          "sku": {
            "name": "Standard_LRS"
          },
          "properties": {
            "creationData": {
              "createOption": "Empty"
            },
            "diskSizeGB": 512
          }
        }
      ],
      "outputs": {}
    },
    "parameters": {}
  },
  "kind": "template",
  "type": "Microsoft.Blueprint/blueprints/artifacts",
  "name": "myTemplate"
}

Code samples without security vulnerabilities

Negative test num. 1 - json file
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "projectName": {
      "type": "string",
      "metadata": {
        "description": "Specifies a name for generating resource names."
      }
    }
  },
  "variables": {
    "vmName": "[concat(parameters('projectName'), '-vm')]"
  },
  "resources": [
    {
      "type": "Microsoft.Compute/disks",
      "apiVersion": "2020-09-30",
      "name": "[concat(variables('vmName'),'-disk1')]",
      "location": "[resourceGroup().location]",
      "sku": {
        "name": "Standard_LRS"
      },
      "properties": {
        "creationData": {
          "createOption": "Empty"
        },
        "diskSizeGB": 512,
        "encryptionSettingsCollection": {
          "enabled": true,
          "encryptionSettings": [
            {
              "diskEncryptionKey": {
                "secretUrl": "https://secret.com/secrets/secret",
                "sourceVault": {
                  "id": "/someid/somekey"
                }
              }
            }
          ]
        }
      }
    }
  ]
}
Negative test num. 2 - json file
{
  "properties": {
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
        "projectName": {
          "type": "string",
          "metadata": {
            "description": "Specifies a name for generating resource names."
          }
        }
      },
      "variables": {
        "vmName": "[concat(parameters('projectName'), '-vm')]"
      },
      "resources": [
        {
          "type": "Microsoft.Compute/disks",
          "apiVersion": "2020-09-30",
          "name": "[concat(variables('vmName'),'-disk1')]",
          "location": "[resourceGroup().location]",
          "sku": {
            "name": "Standard_LRS"
          },
          "properties": {
            "creationData": {
              "createOption": "Empty"
            },
            "diskSizeGB": 512,
            "encryptionSettingsCollection": {
              "enabled": true,
              "encryptionSettings": [
                {
                  "diskEncryptionKey": {
                    "secretUrl": "https://secret.com/secrets/secret",
                    "sourceVault": {
                      "id": "/someid/somekey"
                    }
                  }
                }
              ]
            }
          }
        }
      ],
      "outputs": {}
    },
    "parameters": {}
  },
  "kind": "template",
  "type": "Microsoft.Blueprint/blueprints/artifacts",
  "name": "myTemplate"
}