last sync: 2024-Nov-25 18:54:24 UTC

Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost.

Azure BuiltIn Policy definition

Source Azure Portal
Display name Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost.
Id ca88aadc-6e2b-416c-9de2-5a0f01d1693f
Version 1.2.1
Versioning (Built-in Versioning, preview) Versions supported: 3
1.1.0-preview
1.2.0-preview
1.2.1
Category Guest Configuration
Description Although a virtual machine's OS and data disks are encrypted at rest by default using platform-managed keys, resource disks (temp disks), data caches, and data flowing between Compute and Storage resources are not encrypted. Use Azure Disk Encryption or EncryptionAtHost to remediate. Visit https://aka.ms/diskencryptioncomparison to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Mode Indexed
Type BuiltIn
Preview False
Deprecated False
Effect Default AuditIfNotExists
Effect Allowed AuditIfNotExists, Disabled
RBAC role(s) none
Rule aliases IF (8)
Alias | Namespace | ResourceType | Path | PathIsDefault | DefaultPath | Modifiable
Microsoft.Compute/imageOffer | Microsoft.Compute | virtualMachines | properties.storageProfile.imageReference.offer | True | | False
Microsoft.Compute/imageOffer | Microsoft.Compute | virtualMachineScaleSets | properties.virtualMachineProfile.storageProfile.imageReference.offer | True | | False
Microsoft.Compute/imageOffer | Microsoft.Compute | disks | properties.creationData.imageReference.id | True | | False
Microsoft.Compute/imagePublisher | Microsoft.Compute | virtualMachines | properties.storageProfile.imageReference.publisher | True | | False
Microsoft.Compute/imagePublisher | Microsoft.Compute | virtualMachineScaleSets | properties.virtualMachineProfile.storageProfile.imageReference.publisher | True | | False
Microsoft.Compute/imagePublisher | Microsoft.Compute | disks | properties.creationData.imageReference.id | True | | False
Microsoft.Compute/imageSKU | Microsoft.Compute | virtualMachines | properties.storageProfile.imageReference.sku | True | | False
Microsoft.Compute/imageSKU | Microsoft.Compute | virtualMachineScaleSets | properties.virtualMachineProfile.storageProfile.imageReference.sku | True | | False
Microsoft.Compute/imageSKU | Microsoft.Compute | disks | properties.creationData.imageReference.id | True | | False
Microsoft.Compute/virtualMachines/additionalCapabilities.ultraSSDEnabled | Microsoft.Compute | virtualMachines | properties.additionalCapabilities.ultraSSDEnabled | True | | True
Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration | Microsoft.Compute | virtualMachines | properties.osProfile.linuxConfiguration | True | | True
Microsoft.Compute/virtualMachines/securityProfile.securityType | Microsoft.Compute | virtualMachines | properties.securityProfile.securityType | True | | False
Microsoft.Compute/virtualMachines/sku.name | Microsoft.Compute | virtualMachines | properties.hardwareProfile.vmSize | True | | True
Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType | Microsoft.Compute | virtualMachines | properties.storageProfile.osDisk.osType | True | | True
THEN-ExistenceCondition (1)
Alias | Namespace | ResourceType | Path | PathIsDefault | DefaultPath | Modifiable
Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus | Microsoft.GuestConfiguration | guestConfigurationAssignments | properties.complianceStatus | True | | False
Rule resource types IF (1)
Microsoft.Compute/virtualMachines
Compliance
The following 2 compliance controls are associated with this Policy definition 'Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost.' (ca88aadc-6e2b-416c-9de2-5a0f01d1693f)

Control 1
Control Domain Azure_Security_Benchmark_v3.0 (Microsoft cloud security benchmark)
Control Name DP-4
MetadataId Azure_Security_Benchmark_v3.0_DP-4
Category Data Protection
Title Enable data at rest encryption by default
Owner Shared
Requirements
**Security Principle:** To complement access controls, data at rest should be protected against 'out of band' attacks (such as accessing underlying storage) using encryption. This helps ensure that attackers cannot easily read or modify the data.
**Azure Guidance:** Many Azure services have data at rest encryption enabled by default at the infrastructure layer using a service-managed key. Where technically feasible and not enabled by default, you can enable data at rest encryption in the Azure services, or in your VMs for storage level, file level, or database level encryption.
**Implementation and additional context:**
Understand encryption at rest in Azure: https://docs.microsoft.com/azure/security/fundamentals/encryption-atrest#encryption-at-rest-in-microsoft-cloud-services
Data at rest double encryption in Azure: https://docs.microsoft.com/azure/security/fundamentals/encryption-models
Encryption model and key management table: https://docs.microsoft.com/azure/security/fundamentals/encryption-models
Description n/a
Policy# 8

Control 2
Control Domain NL_BIO_Cloud_Theme
Control Name U.11.3(2)
MetadataId NL_BIO_Cloud_Theme_U.11.3(2)
Category U.11 Cryptoservices
Title Encrypted
Owner n/a
Requirements Sensitive data (on transport and at rest) is always encrypted, with private keys managed by the CSC. The use of a private key by the CSP is based on a controlled procedure and must be jointly agreed with the CSC organisation.
Policy# 52
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
Microsoft cloud security benchmark 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 Security Center GA BuiltIn
NL BIO Cloud Theme V2 d8b2ffbe-c6a8-4622-965d-4ade11d1d2ee Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) Change type Change detail
2024-04-12 17:45:57 change Patch, old suffix: preview (1.2.0-preview > 1.2.1)
2024-01-22 17:47:54 change Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview)
2023-03-03 18:43:58 change Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)
2022-09-30 16:34:23 add ca88aadc-6e2b-416c-9de2-5a0f01d1693f