LOW
Source
Trivy
ID
AVD-AZU-0067

Ensure AKS cluster has disk encryption set ID configured

Azure Kubernetes Service clusters should define a disk encryption set ID so that the OS disks of the node pools and the Azure Disk persistent volumes they create are encrypted with a customer-managed key. Azure already encrypts managed disks at rest with platform-managed keys, so the extra layer a disk encryption set provides is control over the key: it lives in your own Key Vault, where you can rotate it, audit its use, and revoke access to it. Note that the set must be in the same region and subscription as the cluster and can only be set when the cluster is created.

Impact

Follow the appropriate remediation steps below to resolve the issue.

Configure a disk encryption set ID for the AKS cluster to enable customer-managed key encryption. The set itself must reference a key in a Key Vault that has soft delete and purge protection enabled, and the set's managed identity must be allowed to get, wrap and unwrap that key.

resource "azurerm_kubernetes_cluster" "good_example" {
  name                   = "example-aks"
  location               = azurerm_resource_group.example.location
  resource_group_name    = azurerm_resource_group.example.name
  dns_prefix             = "exampleaks"
  # The disk encryption set must exist in the same region and subscription;
  # changing this value forces the cluster to be recreated.
  disk_encryption_set_id = azurerm_disk_encryption_set.example.id

  default_node_pool {
    name       = "default"
    node_count = 1
    vm_size    = "Standard_D2_v2"
  }

  # The provider requires either an identity or a service_principal block.
  identity {
    type = "SystemAssigned"
  }
}
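The single attribute above only does anything once the Key Vault, key and disk encryption set it points to exist and the set's identity is permitted to use the key. The following complete configuration is added here to show that wiring; it is not taken from the Trivy check or from the Azure provider documentation. The resource names, the region, the RSA key size, the use of Key Vault access policies (rather than RBAC) and the globally unique vault name are all assumptions.

```hcl
# Added example, not part of the original page: everything the cluster's
# disk_encryption_set_id depends on. All names and the region are assumptions.

data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "example" {
  name     = "example-aks-rg"
  location = "westeurope"
}

# A disk encryption set requires soft delete and purge protection on the vault.
# Key Vault names are global, so "example-aks-des-kv" is an assumed free name.
resource "azurerm_key_vault" "example" {
  name                       = "example-aks-des-kv"
  location                   = azurerm_resource_group.example.location
  resource_group_name        = azurerm_resource_group.example.name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "premium"
  soft_delete_retention_days = 7
  purge_protection_enabled   = true
}

# The identity running terraform needs to create the key (and read/set its
# rotation policy, which the provider does when managing keys).
resource "azurerm_key_vault_access_policy" "deployer" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id

  key_permissions = [
    "Create", "Delete", "Get", "List", "Purge", "Recover",
    "GetRotationPolicy", "SetRotationPolicy",
  ]
}

resource "azurerm_key_vault_key" "example" {
  name         = "aks-disk-cmk"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts     = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]

  depends_on = [azurerm_key_vault_access_policy.deployer]
}

# The disk encryption set wraps each disk's data encryption key with the Key
# Vault key. It must live in the same region and subscription as the cluster.
resource "azurerm_disk_encryption_set" "example" {
  name                = "example-aks-des"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  key_vault_key_id    = azurerm_key_vault_key.example.id

  identity {
    type = "SystemAssigned"
  }
}

# The set's managed identity must be able to read and (un)wrap the key;
# without this, disk creation for the cluster fails.
resource "azurerm_key_vault_access_policy" "des" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = azurerm_disk_encryption_set.example.identity[0].tenant_id
  object_id    = azurerm_disk_encryption_set.example.identity[0].principal_id

  key_permissions = ["Get", "WrapKey", "UnwrapKey"]
}

resource "azurerm_kubernetes_cluster" "example" {
  name                   = "example-aks"
  location               = azurerm_resource_group.example.location
  resource_group_name    = azurerm_resource_group.example.name
  dns_prefix             = "exampleaks"
  # Can only be set at creation time; changing it recreates the cluster.
  disk_encryption_set_id = azurerm_disk_encryption_set.example.id

  default_node_pool {
    name       = "default"
    node_count = 1
    vm_size    = "Standard_D2_v2"
  }

  identity {
    type = "SystemAssigned"
  }

  # Make sure the set can use the key before any node disks are provisioned.
  depends_on = [azurerm_key_vault_access_policy.des]
}
```

Running `trivy config .` in the directory holding this file should no longer report AVD-AZU-0067 for the cluster, while a copy of the `azurerm_kubernetes_cluster` block with the `disk_encryption_set_id` line removed will still trigger it. Keep in mind that revoking the set's access to the key, or deleting the key, makes every disk encrypted with it unreadable, so treat the Key Vault and its purge protection as part of the cluster's availability surface, not just its confidentiality.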