Aqua CSPM

Unmanaged Disk Encryption

Quick Info

Plugin Title: Unmanaged Disk Encryption
Cloud: AZURE
Category: Disks
Description: Ensures that unmanaged disks are encrypted
More Info: Encrypting unmanaged data disks (non-boot volumes) ensures that their entire contents are unrecoverable without a key, protecting the volume from unwarranted reads.
AZURE Link: https://docs.microsoft.com/en-us/azure/security-center/security-center-apply-disk-encryption
Recommended Action: Enable Data Disk Encryption on all unmanaged disks

Detailed Remediation Steps

  1. Log into the Microsoft Azure Management Console.
  2. Select the “Search resources, services, and docs” option at the top and search for Security Center.
  3. On the “Security Center” page, scroll down the left navigation panel and choose “Recommendations” under “RESOURCE SECURITY HYGIENE”.
  4. On the “Security Center - Recommendations” page, if “Disk encryption should be applied on virtual machines” is listed under “Recommendations”, then one or more VMs have unencrypted disks and those volumes are not protected from unwarranted reads.
  5. Repeat steps number 2 - 4 to check other “Security Recommendations.”
  6. Navigate to “Security Center”, scroll down the left navigation panel, choose “Recommendations”, and on the “Security Center - Recommendations” page follow the instructions to apply encryption to these VMs.
  7. On the “Disk encryption should be applied on virtual machines” recommendation page, scroll down and, under “Remediation steps”, click on the “Encryption Instructions” link.
  8. On the “Security Center” page, scroll down the left navigation panel and choose “Security Policy” under “POLICY & COMPLIANCE”.
  9. On the “Security Policy” page, click on the name of the subscription that needs to be reconfigured.
  10. On the “Security policy” page select the “ASC Default” policy assignment to edit the subscription configuration settings.
  11. On the selected policy assignment, scroll down the page and, under “Parameters”, select “AuditIfNotExists” from the “Monitor disk encryption” dropdown list to enable disk encryption monitoring.
  12. Scroll down the page and click on the “Assign” button to make the changes.
  13. Repeat steps number 6 - 12 to enable Data Disk Encryption on all unmanaged disks.
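As an added example (not the Aqua plugin's own code), the same rule expressed as a Python check over VM data pulled from the Azure Compute API. It assumes that a data disk entry carries `vhd` when unmanaged and `managedDisk` when managed, and that the VM instance view lists `disks[].encryptionSettings[].enabled`; the sample VM and instance view are constructed.

```python
"""Flag unmanaged data disks that are not covered by Azure Disk Encryption.

Assumed input shapes (mirroring the Azure Compute API, not taken from the page):
  vm["properties"]["storageProfile"]["dataDisks"][i] has "vhd" (unmanaged) or
  "managedDisk" (managed); instance_view["disks"][i] has "name" and
  "encryptionSettings": [{"enabled": bool}, ...].
"""
from typing import Dict, List, Set


def unmanaged_data_disks(vm: Dict) -> List[str]:
    """Names of data disks attached as VHD blobs (unmanaged), not managed disks."""
    disks = vm.get("properties", {}).get("storageProfile", {}).get("dataDisks", [])
    return [d["name"] for d in disks if d.get("vhd") and not d.get("managedDisk")]


def encrypted_disk_names(instance_view: Dict) -> Set[str]:
    """Disk names whose instance view reports at least one enabled encryption setting."""
    encrypted = set()
    for d in instance_view.get("disks", []):
        if any(s.get("enabled") for s in d.get("encryptionSettings", [])):
            encrypted.add(d["name"])
    return encrypted


def find_unencrypted_unmanaged(vm: Dict, instance_view: Dict) -> List[str]:
    """Unmanaged data disks on `vm` with no enabled encryption setting: these are
    the findings the Recommended Action above asks you to remediate."""
    encrypted = encrypted_disk_names(instance_view)
    return [n for n in unmanaged_data_disks(vm) if n not in encrypted]


# Constructed sample: one encrypted unmanaged disk (data0), one unencrypted
# unmanaged disk (data1) and one managed disk (data2, out of scope here).
SAMPLE_VM = {
    "name": "vm-app-01",
    "properties": {"storageProfile": {"dataDisks": [
        {"name": "data0", "lun": 0, "vhd": {"uri": "https://stg.blob.core.windows.net/vhds/data0.vhd"}},
        {"name": "data1", "lun": 1, "vhd": {"uri": "https://stg.blob.core.windows.net/vhds/data1.vhd"}},
        {"name": "data2", "lun": 2, "managedDisk": {"id": "/example/managed/disks/data2"}},
    ]}},
}
SAMPLE_INSTANCE_VIEW = {"disks": [
    {"name": "data0", "encryptionSettings": [{"enabled": True}]},
    {"name": "data1", "encryptionSettings": [{"enabled": False}]},
    {"name": "data2", "encryptionSettings": []},
]}

if __name__ == "__main__":
    for disk in find_unencrypted_unmanaged(SAMPLE_VM, SAMPLE_INSTANCE_VIEW):
        print(f"FAIL {SAMPLE_VM['name']}: unmanaged data disk {disk} is not encrypted")
```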