Server Side Encryption for Unattached Disk using CMK
More Info:
Microsoft Azure provides multiple distinct layers of encryption protection for virtual machine (VM) managed disks. VM managed disks are encrypted with Azure Storage encryption, also known as Server-Side Encryption (SSE), using platform-managed keys (PMK), to protect your data at rest and help you meet your organizational security and compliance commitments. By default, VM managed disk volumes (regardless of the VM attachment status) use platform-managed encryption keys. However, in order to have a more granular control over your data encryption/decryption process, it is strongly recommended to use your own keys (CMKs) instead of platform-managed keys (PMKs) for data (non-boot) disk volume encryption.Risk Level
HighAddress
SecurityCompliance Standards
HIPAA, CISAZURE, CBP, ISO27001Triage and Remediation
Remediation
Using Console
Using Console
Sure, here are the step-by-step instructions to remediate the misconfiguration of Server Side Encryption for Unattached Disk using CMK in Azure:
- Login to the Azure portal (https://portal.azure.com/).
- Navigate to the Azure Disk Encryption extension.
- Click on “Disk Encryption Sets” on the left-hand side menu.
- Select the disk encryption set that you want to remediate.
- Click on the “Key vault” tab.
- Select the Key Vault that you want to use for encryption.
- Click on “Save” to save the changes.
Using CLI
Using CLI
To remediate the misconfiguration of server-side encryption for unattached disk using CMK in Azure using Azure CLI, you can follow these steps:
-
Firstly, you need to identify the unattached disks in your Azure subscription. You can use the following Azure CLI command to list all the unattached disks:
az disk list --query "[?managedBy==null]" -
Once you have identified the unattached disks, you can use the following Azure CLI command to enable server-side encryption for those disks using a customer-managed key (CMK):
az disk encryption set --resource-group <resource-group-name> --name <disk-name> --encryption-type EncryptionAtRestWithCustomerKey --disk-encryption-key <key-uri> --key-encryption-key <key-uri>Here, replace<resource-group-name>with the name of the resource group containing the unattached disk,<disk-name>with the name of the unattached disk,<key-uri>with the URI of the customer-managed key (CMK) that you want to use for encryption. -
Once the encryption is enabled for the unattached disk, you can verify the encryption status using the following Azure CLI command:
az disk show --resource-group <resource-group-name> --name <disk-name> --query "encryptionSettings.collection[].diskEncryptionKey"This command will show the encryption status of the disk and the key used for encryption. - Repeat the above steps for all the unattached disks in your Azure subscription to ensure that they are all encrypted using a customer-managed key (CMK).
Using Python
Using Python
To remediate the misconfiguration of Server Side Encryption for Unattached Disk using CMK in Azure using Python, you can follow the below steps:
- Install the Azure SDK for Python using the following command:
- Authenticate with Azure by creating a service principal and assigning the appropriate permissions.
- Use the following Python code to enable Server Side Encryption for Unattached Disk using CMK:
-
Replace the placeholders
<subscription_id>,<resource_group_name>,<disk_name>,<encryption_set_name>,<client_id>,<client_secret>, and<tenant_id>with the appropriate values. - Run the Python script to enable Server Side Encryption for Unattached Disk using CMK in Azure.