Beta - VM Without Encryption At Host
- Query id: 30c7c2f1-c048-49ba-81a4-ae465bbb3335
- Query name: Beta - VM Without Encryption At Host
- Platform: Terraform
- Severity: Low
- Category: Encryption
- CWE: 326
- Risk score: 1.0
- URL: Github
Description
VM and VM scale set resources should enable encryption at host (`encryption_at_host_enabled = true`) to improve data security.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
# Positive sample: Linux VM that never declares "encryption_at_host_enabled".
# The provider default leaves host-based encryption off, so host-local temp
# disk and disk-cache data is not covered by this setting.
resource "azurerm_linux_virtual_machine" "positive1_1" {
  name                  = "positive1_1-machine"
  location              = azurerm_resource_group.positive1_1.location
  resource_group_name   = azurerm_resource_group.positive1_1.name
  size                  = "Standard_F2"
  admin_username        = "adminuser"
  network_interface_ids = [azurerm_network_interface.positive1_1.id]

  # "encryption_at_host_enabled" is intentionally absent — this is what the query flags.
}
# Positive sample: Linux VM that explicitly disables encryption at host.
resource "azurerm_linux_virtual_machine" "positive1_2" {
  name                  = "positive1_2-machine"
  location              = azurerm_resource_group.positive1_2.location
  resource_group_name   = azurerm_resource_group.positive1_2.name
  size                  = "Standard_F2"
  admin_username        = "adminuser"
  network_interface_ids = [azurerm_network_interface.positive1_2.id]

  # Explicit "false" is flagged just like the missing attribute.
  encryption_at_host_enabled = false
}
Positive test num. 2 - tf file
# Positive sample: Linux VM scale set with no "encryption_at_host_enabled".
# Every instance the set creates inherits the unencrypted-at-host default.
resource "azurerm_linux_virtual_machine_scale_set" "positive2_1" {
  name                = "positive2_1-vmss"
  location            = azurerm_resource_group.positive2_1.location
  resource_group_name = azurerm_resource_group.positive2_1.name
  sku                 = "Standard_F2"
  instances           = 1
  admin_username      = "adminuser"

  # "encryption_at_host_enabled" is intentionally absent — this is what the query flags.
}
# Positive sample: Linux VM scale set that explicitly disables encryption at host.
resource "azurerm_linux_virtual_machine_scale_set" "positive2_2" {
  name                = "positive2_2-vmss"
  location            = azurerm_resource_group.positive2_2.location
  resource_group_name = azurerm_resource_group.positive2_2.name
  sku                 = "Standard_F2"
  instances           = 1
  admin_username      = "adminuser"

  # Explicit "false" is flagged just like the missing attribute.
  encryption_at_host_enabled = false
}
Positive test num. 3 - tf file
# Positive sample: Windows VM that never declares "encryption_at_host_enabled".
resource "azurerm_windows_virtual_machine" "positive3_1" {
  name                  = "positive3_1-machine"
  location              = azurerm_resource_group.positive3_1.location
  resource_group_name   = azurerm_resource_group.positive3_1.name
  size                  = "Standard_F2"
  network_interface_ids = [azurerm_network_interface.positive3_1.id]

  # "encryption_at_host_enabled" is intentionally absent — this is what the query flags.
}
# Positive sample: Windows VM that explicitly disables encryption at host.
resource "azurerm_windows_virtual_machine" "positive3_2" {
  name                  = "positive3_2-machine"
  location              = azurerm_resource_group.positive3_2.location
  resource_group_name   = azurerm_resource_group.positive3_2.name
  size                  = "Standard_F2"
  network_interface_ids = [azurerm_network_interface.positive3_2.id]

  # Explicit "false" is flagged just like the missing attribute.
  encryption_at_host_enabled = false
}
Positive test num. 4 - tf file
# Positive sample: Windows VM scale set with no "encryption_at_host_enabled".
resource "azurerm_windows_virtual_machine_scale_set" "positive4_1" {
  name                 = "positive4_1-vmss"
  location             = azurerm_resource_group.positive4_1.location
  resource_group_name  = azurerm_resource_group.positive4_1.name
  sku                  = "Standard_F2"
  computer_name_prefix = "vm-"

  # "encryption_at_host_enabled" is intentionally absent — this is what the query flags.
}
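# Positive sample: Windows VM scale set that explicitly disables encryption at host.
#
# Fix relative to the earlier sample: azurerm_windows_virtual_machine_scale_set
# uses "sku" (not "size") and attaches NICs through "network_interface" blocks,
# not "network_interface_ids"; the previous attributes were copied from the
# single-VM resource and do not exist on the scale-set schema. The attribute set
# now matches positive4_1 so the sample validates against the provider.
resource "azurerm_windows_virtual_machine_scale_set" "positive4_2" {
  name                 = "positive4_2-machine"
  location             = azurerm_resource_group.positive4_2.location
  resource_group_name  = azurerm_resource_group.positive4_2.name
  sku                  = "Standard_F2"
  computer_name_prefix = "vm-"

  # Explicit "false" is flagged just like the missing attribute.
  encryption_at_host_enabled = false
}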
Code samples without security vulnerabilities
Negative test num. 1 - tf file
# Negative sample: Linux VM with encryption at host turned on.
# Host-based encryption covers the host-local temp disk and the OS/data disk
# caches; the managed disks themselves are encrypted at rest separately.
# NOTE(review): applying this requires the subscription feature
# Microsoft.Compute/EncryptionAtHost to be registered and a VM size that
# supports it — confirm before rolling out.
resource "azurerm_linux_virtual_machine" "negative1" {
  name                  = "negative1-machine"
  location              = azurerm_resource_group.negative1.location
  resource_group_name   = azurerm_resource_group.negative1.name
  size                  = "Standard_F2"
  admin_username        = "adminuser"
  network_interface_ids = [azurerm_network_interface.negative1.id]

  encryption_at_host_enabled = true
}
Negative test num. 2 - tf file
# Negative sample: Linux VM scale set with encryption at host turned on.
# NOTE(review): the subscription must have Microsoft.Compute/EncryptionAtHost
# registered and the chosen sku must support host-based encryption — confirm.
resource "azurerm_linux_virtual_machine_scale_set" "negative2" {
  name                = "negative2-vmss"
  location            = azurerm_resource_group.negative2.location
  resource_group_name = azurerm_resource_group.negative2.name
  sku                 = "Standard_F2"
  instances           = 1
  admin_username      = "adminuser"

  encryption_at_host_enabled = true
}
Negative test num. 3 - tf file
# Negative sample: Windows VM with encryption at host turned on.
# NOTE(review): the subscription must have Microsoft.Compute/EncryptionAtHost
# registered and the chosen size must support host-based encryption — confirm.
resource "azurerm_windows_virtual_machine" "negative3" {
  name                  = "negative3-machine"
  location              = azurerm_resource_group.negative3.location
  resource_group_name   = azurerm_resource_group.negative3.name
  size                  = "Standard_F2"
  network_interface_ids = [azurerm_network_interface.negative3.id]

  encryption_at_host_enabled = true
}