Azure Disk Encryption Not Enabled for Unattached Disk Volumes
ID: azure-disk-encryption-unattached-volumes
Severity: medium
Author: princechaddha
Tags: cloud,devops,azure,microsoft,disk-encryption,azure-cloud-config
Description
Section titled “Description”Ensure that your detached Microsoft Azure virtual machine (VM) disk volumes are encrypted using Azure Disk Encryption in order to meet security and compliance requirements. ADE encrypts the OS and data disks of Azure virtual machines (VMs) inside your VMs using the CPU via the DM-Crypt feature for Linux or the BitLocker feature for Windows. ADE is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets. The unattached disk volumes encryption and decryption is handled transparently and does not require any additional action from you, your Azure virtual machine, or your application.
YAML Source
Section titled “YAML Source”id: azure-disk-encryption-unattached-volumesinfo: name: Azure Disk Encryption Not Enabled for Unattached Disk Volumes author: princechaddha severity: medium description: | Ensure that your detached Microsoft Azure virtual machine (VM) disk volumes are encrypted using Azure Disk Encryption in order to meet security and compliance requirements. ADE encrypts the OS and data disks of Azure virtual machines (VMs) inside your VMs using the CPU via the DM-Crypt feature for Linux or the BitLocker feature for Windows. ADE is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets. The unattached disk volumes encryption and decryption is handled transparently and does not require any additional action from you, your Azure virtual machine, or your application. impact: | Unencrypted detached disk volumes can expose sensitive data and violate compliance and security policies. remediation: | Encrypt all unattached disk volumes using Azure Disk Encryption integrated with Azure Key Vault to ensure data is protected even when disks are detached. reference: - https://docs.microsoft.com/en-us/azure/virtual-machines/disks-enable-host-based-encryption-cli tags: cloud,devops,azure,microsoft,disk-encryption,azure-cloud-config
flow: | code(1); for (let DiskData of iterate(template.diskList)) { set("ids", DiskData); code(2); }
self-contained: truecode: - engine: - sh - bash source: | az disk list --query '[?diskState == `Unattached`].{"id":id}'
extractors: - type: json name: diskList internal: true json: - '.[]'
- engine: - sh - bash source: | az disk show --ids "$ids" --query '{encryptionSettingsCollection: encryptionSettingsCollection}'
matchers: - type: word words: - '"encryptionSettingsCollection": null'
extractors: - type: dsl dsl: - 'ids + " disk volume is not encrypted"'# digest: 4b0a00483046022100f1ced400222be5688bbc32e9fc904905f52322353235d31f32302d42dac39e0e022100ff9eb213a4e322623d7895a123b5f2b643327880712ef9057d7a5eea79a08f3a:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "cloud/azure/virtualmachines/azure-disk-encryption-unattached-volumes.yaml"