Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Enable Encryption for App-Tier Disk Volumes

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: VirtualMachines-016

Ensure that all the disk volumes attached to the Microsoft Azure virtual machines (VMs) provisioned within the application tier are encrypted in order to meet security and compliance requirements. This conformity rule assumes that all the Azure cloud resources available in your app tier are tagged with <app_tier_tag>:<app_tier_tag_value>, where <app_tier_tag> represents the tag name and <app_tier_tag_value> represents the tag value. Prior to running this rule by the Cloud Conformity engine, the tags chosen for the app-tier must be configured within the rule settings, on the Cloud Conformity dashboard.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

With encryption enabled, your app-tier VM disk volumes can safely store sensitive data and ensure confidentiality. Cloud Conformity strongly recommends that all Azure virtual machine disk volumes provisioned for the app tier should be encrypted in order to protect sensitive data from attackers or unauthorized users.

Note: Make sure that all <app_tier_tag>:<app_tier_tag_value> tag placeholders found in the conformity rule content are replaced with your own tag name and value.


Audit

To determine if your app-tier Azure VM disk volumes are encrypted, perform the following actions:

Using Azure Console

01 Sign in to your Cloud Conformity console, access Enable Encryption for App-Tier Disk Volumes conformity rule settings and identify the tag set defined for Azure resources within your app tier (e.g. <app_tier_tag>:<app_tier_tag_value>).

02 Sign in to Azure Management Console.

03 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

04 Choose the Azure subscription that you want to access from the Subscription filter box.

05 From the Type filter box, select Virtual machine to list the virtual machines (VMs) provisioned in the selected subscription.

06 Click on the Add filter box, find the Tags category and select the tag set identified at step no. 1, to return only the app-tier VMs available in the subscription. If no results are returned, there is no Azure virtual machines tagged within your app tier and the audit process ends here. If the Azure Management Console lists one or more VMs, continue with the next step.

07 Click on the name of the virtual machine that you want to examine.

08 In the navigation panel, under Settings, select Disks to view the disk volumes attached to the selected app-tier VM.

09 On the Disks overview page, check the encryption status set for each disk volume attached, available in the Encryption column. If the encryption status is set to Not enabled, the app-tier disk volumes attached to the selected Microsoft Azure virtual machine (VM) are not encrypted.

10 Repeat steps no. 7 – 9 for each app-tier Azure virtual machine available in the selected subscription.

11 Repeat steps no. 4 – 10 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Sign in to your Cloud Conformity console, access Enable Encryption for App-Tier Disk Volumes conformity rule settings and copy the tag set defined for Azure resources within your app tier (e.g. <app_tier_tag>:<app_tier_tag_value>).

02 Run vm list command (Windows/macOS/Linux) using the tag set copied at the previous step with custom query filters to list the ID of each virtual machine (VM) provisioned within the app tier:

az vm list
    --query '[?(tags==`{"app_tier_tag":"app_tier_tag_value"}`)].id'

03 The command output should return the requested app-tier VM identifiers (IDs):

[
"/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-app-public-server",
"/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-app-main-server"
]

04 Run vm encryption show command (Windows/macOS/Linux) using the ID of the app-tier virtual machine that you want to examine as identifier parameter to describe the encryption configuration metadata available for the disk volume(s) attached to the selected Azure VM:

az vm encryption show
    --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-app-public-server"
    --query 'disks'

05 The command output should return the requested configuration metadata:

[
  {
    "encryptionSettings": null,
    "name": "cc-app-public-server_OsDisk",
    "statuses": [
      {
        "code": "EncryptionState/notEncrypted",
        "displayStatus": "Disk is not encrypted",
        "level": "Info",
        "message": null,
        "time": null
      }
    ]
  },
  {
    "encryptionSettings": null,
    "name": "cc-app-public-server_DataDisk1",
    "statuses": [
      {
        "code": "EncryptionState/notEncrypted",
        "displayStatus": "Disk is not encrypted",
        "level": "Info",
        "message": null,
        "time": null
      }
    ]
  }
]

Check the encryption configuration metadata returned by the vm encryption show command output for each VM disk volume. If the encryption status, returned as value for the "displayStatus" attribute is set to "Disk is not encrypted", the app-tier disk volumes attached to the selected Microsoft Azure virtual machine (VM) are not encrypted.

06 Repeat step no. 4 and 5 for every app-tier Azure virtual machine provisioned in the current subscription.

07 Repeat steps no. 2 – 6 for each subscription available within your Microsoft Azure cloud account.

Remediation / Resolution

To enable encryption for your app-tier Azure virtual machines disk volumes, perform the following actions:

Note: Azure disk encryption is not currently supported by Basic, A-series VMs. Check the Azure documentation to determine if your virtual machines (VMs) have the minimum memory requirements for disk encryption.

Using Azure Console

01 Sign in to your Cloud Conformity console, access Enable Encryption for App-Tier Disk Volumes conformity rule settings and copy the tag set defined for Azure resources within your app tier (e.g. <app_tier_tag>:<app_tier_tag_value>).

02 Sign in to Azure Management Console.

03 Navigate to Key Vaults blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.KeyVault%2Fvaults and click + Add to create the Azure Key Vault that will store the disk volume encryption key.

04 On the Create key vault page, perform the following:

  1. On the Basics panel, choose the appropriate subscription, provide a unique name for the new key vault, then select the Azure region and the resource group where the vault will be deployed. Click Next : Access policy > to continue.
  2. On the Access policy panel, select Azure Disk Encryption for volume encryption to allow Azure Disk Encryption to retrieve secrets from the vault and unwrap encryption keys. Click Next : Virtual network > to continue the process.
  3. On the Virtual network panel, configure the network access control for the new key vault. Click Next : Tags > to continue.
  4. On the Tags panel, use the Name and Value fields to create tags that will help organize the identity of the key vault. Use the following format when you define your own tag set: <app_tier_tag>:<app_tier_tag_value> and make sure the tag name (<app_tier_tag>) and the tag value (<app_tier_tag_value>) match the tag set used to organize your app-tier Azure resources, copied at step no. 1. Click Next : Review + create > to finish the setup process.
  5. On the Review + create panel, review the resource configuration details, then click Create to create your new Azure Key Vault.

05 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

06 Choose the Azure subscription that you want to access from the Subscription filter box.

07 From the Type filter box, select Virtual machine to list the virtual machines provisioned in the selected subscription.

08 Click on the name of the app-tier virtual machine that you want to reconfigure (see Audit section part II to identify the right VM).

09 In the navigation panel, under Settings, select Disks to access the disk volumes attached to the selected app-tier VM.

10 On the Disks page, click Encryption to access the encryption configuration settings for the attached volumes.

11 On the Encryption page, select OS and data disks from Disks to encrypt dropdown list and use Select a key vault and key for encryption link to add the Azure Key Vault created earlier. Click Save to apply the configuration changes and enable encryption. Azure Disk Encryption (ADE) service will use the selected key vault to generate and store the key required to encrypt the app-tier disk volumes attached to the selected Microsoft Azure virtual machine.

12 Repeat steps no. 8 – 11 for each app-tier virtual machine (VM) available within the selected subscription.

13 Repeat steps no. 3 – 12 for each subscription created in your Microsoft Azure cloud account.

Using Azure Console

01 Sign in to your Cloud Conformity console, access Enable Encryption for App-Tier Disk Volumes conformity rule settings and copy the tag set defined for Azure resources within your app tier (e.g. <app_tier_tag>:<app_tier_tag_value>).

02 Run keyvault create command (Windows/macOS/Linux) to create the Microsoft Azure Key Vault where the required disk volume encryption key will be placed. Make sure that you set the --enabled-for-disk-encryption parameter to true for VM disk encryption support. Use the following format when you define your own tag set: <app_tier_tag>:<app_tier_tag_value> and make sure the tag name (<app_tier_tag>) and the tag value (<app_tier_tag_value>) match the tag set used to organize your app-tier Azure resources, copied at step no. 1.

az keyvault create
    --name cc-application-key-vault
    --resource-group cloud-shell-storage-westeurope
    --location westeurope
    --enable-soft-delete true
    --enable-purge-protection true
    --enabled-for-disk-encryption true
    --tags app_tier_tag=app_tier_tag_value

03 The command output should return the configuration metadata for the newly created Azure Key Vault:

{
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-application-key-vault",
  "location": "westeurope",
  "name": "cc-application-key-vault",
  "properties": {
    "accessPolicies": [
      {
        "applicationId": null,
        "objectId": "1234abcd-1234-abcd-1234-abcd1234abcd",
        "permissions": {
          "certificates": [
            "get",
            "list",
            "delete",
            "create",
            "import",
            "update",
            "managecontacts",
            "getissuers",
            "listissuers",
            "setissuers",
            "deleteissuers",
            "manageissuers",
            "recover"
          ],
          "keys": [
            "get",
            "create",
            "delete",
            "list",
            "update",
            "import",
            "backup",
            "restore",
            "recover"
          ],
          "secrets": [
            "get",
            "list",
            "set",
            "delete",
            "backup",
            "restore",
            "recover"
          ],
          "storage": [
            "get",
            "list",
            "delete",
            "set",
            "update",
            "regeneratekey",
            "setsas",
            "listsas",
            "getsas",
            "deletesas"
          ]
        },
        "tenantId": "1234abcd-1234-abcd-1234-abcd1234abcd"
      }
    ],
    "createMode": null,
    "enablePurgeProtection": true,
    "enableSoftDelete": true,
    "enabledForDeployment": false,
    "enabledForDiskEncryption": true,
    "enabledForTemplateDeployment": null,
    "networkAcls": null,
    "provisioningState": "Succeeded",
    "sku": {
      "name": "standard"
    },
    "tenantId": "1234abcd-1234-abcd-1234-abcd1234abcd",
    "vaultUri": "https://cc-application-key-vault.vault.azure.net/"
  },
  "resourceGroup": "cloud-shell-storage-westeurope",
  "tags": {
    "app_tier_tag": "app_tier_tag_value"
  },
  "type": "Microsoft.KeyVault/vaults"
}

04 Run vm encryption enable command (Windows/macOS/Linux) using the ID of the app-tier virtual machine that you want to reconfigure (see Audit section part II to identify the right VM) and the name of the new key vault as identifier parameters, to enable encryption at rest for the app-tier disk volumes attached to the selected virtual machine:

az vm encryption enable
    --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-app-public-server"
    --disk-encryption-keyvault cc-application-key-vault
    --volume-type ALL

05 The command output should return a confirmation message, such as:

The encryption request was accepted. Please use 'show' command to monitor the progress.

06 Run vm encryption show command (Windows/macOS/Linux) using the ID of the reconfigured app-tier virtual machine (VM) as identifier parameter to confirm the encryption status by listing the encryption configuration available for the app-tier disk volumes encrypted at the previous steps:

az vm encryption show
    --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-app-public-server"
    --query 'disks'

07 The command output should return the disk volumes encryption configuration information:

[
  {
    "encryptionSettings": [
      {
        "diskEncryptionKey": {
          "secretUrl": "https://cc-application-tier-vault.vault.azure.net/secrets/abcdabcd-1234-abcd-1234-abcdabcdabcd/12345678901234567890123456789012",
          "sourceVault": {
            "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-application-tier-vault"
          }
        },
        "enabled": true,
        "keyEncryptionKey": null
      }
    ],
    "name": "cc-app-public-server_OsDisk",
    "statuses": [
      {
        "code": "EncryptionState/encrypted",
        "displayStatus": "Encryption is enabled on disk",
        "level": "Info",
        "message": null,
        "time": null
      }
    ]
  },
  {
    "encryptionSettings": [
      {
        "diskEncryptionKey": {
          "secretUrl": "https://cc-application-tier-vault.vault.azure.net/secrets/abcdabcd-1234-abcd-1234-abcdabcdabcd/12345678901234567890123456789012",
          "sourceVault": {
            "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-application-tier-vault"
          }
        },
        "enabled": true,
        "keyEncryptionKey": null
      }
    ],
    "name": "cc-app-public-server_DataDisk1",
    "statuses": [
      {
        "code": "EncryptionState/encrypted",
        "displayStatus": "Encryption is enabled on disk",
        "level": "Info",
        "message": null,
        "time": null
      }
    ]
  }
]

08 Repeat steps no. 4 – 7 for each Azure app-tier virtual machine provisioned in the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription available in your Microsoft Azure cloud account.

References

Publication date Jun 24, 2020

Unlock the Remediation Steps


Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

Enable Encryption for App-Tier Disk Volumes

Risk Level: High