Encryption On Managed Disk Disabled
- Query id: a99130ab-4c0e-43aa-97f8-78d4fcb30024
- Query name: Encryption On Managed Disk Disabled
- Platform: Terraform
- Severity: Medium
- Category: Encryption
- CWE: 311
- Risk score: 5.5
- URL: Github
Description
Ensure that encryption is enabled on the managed disk
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
# Flagged: the encryption_settings block is present but explicitly turns
# encryption off (enabled = false). The "enabled" flag is labelled legacy
# in this sample; whether a given provider version still accepts it should
# be verified against the provider in use.
resource "azurerm_managed_disk" "positive1" {
  name                = "acctestmd"
  resource_group_name = azurerm_resource_group.example.name
  location            = "West US 2"

  storage_account_type = "Standard_LRS"
  create_option        = "Empty"
  disk_size_gb         = "1"

  encryption_settings {
    enabled = false # legacy
  }
}
# Flagged: no encryption_settings block at all. The query treats an absent
# block the same as an explicitly disabled one.
resource "azurerm_managed_disk" "positive2" {
  name                = "acctestmd"
  resource_group_name = azurerm_resource_group.example.name
  location            = "West US 2"

  storage_account_type = "Standard_LRS"
  create_option        = "Empty"
  disk_size_gb         = "1"

  # missing "encryption_settings"
}
# Flagged: encryption_settings is declared but empty, so neither the legacy
# "enabled" flag nor any key reference (disk_encryption_key /
# key_encryption_key) is configured.
resource "azurerm_managed_disk" "positive3" {
  name                = "acctestmd"
  resource_group_name = azurerm_resource_group.example.name
  location            = "West US 2"

  storage_account_type = "Standard_LRS"
  create_option        = "Empty"
  disk_size_gb         = "1"

  encryption_settings {}
}
# Flagged: encryption_settings given as an empty list. This is the shape the
# attribute takes in a rendered plan (tfplan) when no block was written, and
# it is treated the same as a missing block.
resource "azurerm_managed_disk" "positive4" {
  name                = "acctestmd"
  resource_group_name = azurerm_resource_group.example.name
  location            = "West US 2"

  storage_account_type = "Standard_LRS"
  create_option        = "Empty"
  disk_size_gb         = "1"

  encryption_settings = [] # simulates "tfplan"
}
Code samples without security vulnerabilities
Negative test num. 1 - tf file
# Passes: encryption is switched on through the legacy "enabled" flag.
# NOTE(review): the flag is marked legacy in this sample; confirm the
# provider version in use still honours it rather than ignoring it.
resource "azurerm_managed_disk" "negative1" {
  name                = "acctestmd"
  resource_group_name = azurerm_resource_group.example.name
  location            = "West US 2"

  storage_account_type = "Standard_LRS"
  create_option        = "Empty"
  disk_size_gb         = "1"

  encryption_settings {
    enabled = true # legacy
  }
}
# Passes: encryption_settings references both a disk encryption key and a
# key encryption key from a vault. The secret_url / source_vault_id values
# are placeholders for the sample, not real identifiers.
resource "azurerm_managed_disk" "negative2" {
  name                = "acctestmd"
  resource_group_name = azurerm_resource_group.example.name
  location            = "West US 2"

  storage_account_type = "Standard_LRS"
  create_option        = "Empty"
  disk_size_gb         = "1"

  encryption_settings {
    # key used to encrypt the disk contents
    disk_encryption_key {
      secret_url      = "sample_url"
      source_vault_id = "sample_id"
    }

    # key used to wrap the disk encryption key
    key_encryption_key {
      secret_url      = "sample_url"
      source_vault_id = "sample_id"
    }
  }
}
# Passes: a disk_encryption_key alone is enough for this query; no legacy
# "enabled" flag and no key_encryption_key are needed. Values are sample
# placeholders.
resource "azurerm_managed_disk" "negative3" {
  name                = "acctestmd"
  resource_group_name = azurerm_resource_group.example.name
  location            = "West US 2"

  storage_account_type = "Standard_LRS"
  create_option        = "Empty"
  disk_size_gb         = "1"

  encryption_settings {
    disk_encryption_key {
      secret_url      = "sample_url"
      source_vault_id = "sample_id"
    }
  }
}
# Passes: a key_encryption_key alone also satisfies this query, mirroring
# negative3 with the other key block. Values are sample placeholders.
resource "azurerm_managed_disk" "negative4" {
  name                = "acctestmd"
  resource_group_name = azurerm_resource_group.example.name
  location            = "West US 2"

  storage_account_type = "Standard_LRS"
  create_option        = "Empty"
  disk_size_gb         = "1"

  encryption_settings {
    key_encryption_key {
      secret_url      = "sample_url"
      source_vault_id = "sample_id"
    }
  }
}