Azure VM Web-Tier Disk Volumes Not Encrypted
ID: azure-vm-web-tier-disk-unencrypted
Severity: high
Author: princechaddha
Tags: cloud,devops,azure,microsoft,azure-vm,azure-cloud-config
Description
Section titled “Description”Ensure that all the disk volumes attached to the Microsoft Azure virtual machines (VMs) launched within the web tier are encrypted to meet security and compliance requirements. This rule assumes all Azure cloud resources in the web tier are tagged with <web_tier_tag>:<web_tier_tag_value>. Tags must be configured on the Cloud Conformity dashboard prior to running this check.
YAML Source
Section titled “YAML Source”id: azure-vm-web-tier-disk-unencryptedinfo: name: Azure VM Web-Tier Disk Volumes Not Encrypted author: princechaddha severity: high description: | Ensure that all the disk volumes attached to the Microsoft Azure virtual machines (VMs) launched within the web tier are encrypted to meet security and compliance requirements. This rule assumes all Azure cloud resources in the web tier are tagged with <web_tier_tag>:<web_tier_tag_value>. Tags must be configured on the Cloud Conformity dashboard prior to running this check. impact: | Unencrypted disk volumes can lead to data breaches and non-compliance with security standards, exposing sensitive information. remediation: | Enable encryption for all disk volumes attached to VMs within the Azure web tier to enhance data security and comply with regulatory requirements. reference: - https://docs.microsoft.com/en-us/azure/virtual-machines/linux/encrypt-disks tags: cloud,devops,azure,microsoft,azure-vm,azure-cloud-config
flow: | code(1); for (let VmData of iterate(template.vmList)) { VmData = JSON.parse(VmData); set("ids", VmData.Id); code(2); }
self-contained: truecode: - engine: - sh - bash source: | az vm list --query '[?(tags.web_tier_tag == "web_tier_tag_value")].{"Id":id}'
extractors: - type: json name: vmList internal: true json: - '.[]'
- engine: - sh - bash source: | az vm encryption show --ids "$ids" --query 'disks'
matchers-condition: and matchers: - type: word part: stderr words: - 'Azure Disk Encryption is not enabled'
extractors: - type: dsl dsl: - 'ids + " in " + " is not encrypted"'# digest: 4b0a00483046022100d70fe7e6ef5bdd1f8eb7a0a38afd19e9d10f9b3e9d57b2142851895a14f6b615022100f12b55c83d3f322ac88ae3ad8f342005a9c05911cac8e2f4b4811470f30e9d52:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "cloud/azure/virtualmachines/azure-vm-web-tier-disk-unencrypted.yaml"