
Enable Encryption for Web-Tier Disk Volumes

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: VirtualMachines-012

Ensure that all the disk volumes attached to the Microsoft Azure virtual machines (VMs) launched within the web tier are encrypted in order to meet security and compliance requirements. This conformity rule assumes that all the Azure cloud resources available in your web tier are tagged with <web_tier_tag>:<web_tier_tag_value>, where <web_tier_tag> represents the tag name and <web_tier_tag_value> represents the tag value. Prior to running this rule by the Cloud Conformity engine, the tag set defined for the Azure web tier must be configured within the rule settings, on the Cloud Conformity dashboard.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

With encryption enabled, your web-tier disk volumes can safely store sensitive information and ensure data confidentiality. Cloud Conformity strongly recommends enabling encryption at rest for all virtual machine disk volumes deployed in the web tier, in order to protect critical data from attackers or unauthorized personnel.

Note: Make sure that you replace all <web_tier_tag>:<web_tier_tag_value> tag placeholders found in this conformity rule with your own tag name and value.


Audit

To determine if your web-tier Azure VM disk volumes are encrypted, perform the following actions:

Using Azure Console

01 Sign in to your Cloud Conformity console, access Enable Encryption for Web-Tier Disk Volumes conformity rule settings and identify the tag set defined for Azure resources within your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Sign in to Azure Management Console.

03 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

04 Choose the Azure subscription that you want to access from the Subscription filter box.

05 From the Type filter box, select Virtual machine to list the virtual machines (VMs) provisioned in the selected subscription.

06 Click on the Add filter box, find the Tags category and select the tag set identified at step no. 1, to return only the web-tier VMs available in the subscription. If no results are returned, there are no Azure virtual machines tagged within your web tier and the audit process ends here. If the Azure Management Console lists one or more VMs, continue with the next step.

07 Click on the name of the virtual machine that you want to examine.

08 In the navigation panel, under Settings, select Disks to view the disk volumes attached to the selected web-tier VM.

09 On the Disks overview page, check the encryption status set for each disk volume attached, available in the Encryption column. If the encryption status is set to Not enabled, the web-tier disk volumes attached to the selected Microsoft Azure virtual machine (VM) are not encrypted.

10 Repeat steps no. 7 – 9 for each web-tier Azure virtual machine available in the selected subscription.

11 Repeat steps no. 4 – 10 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Sign in to your Cloud Conformity console, access Enable Encryption for Web-Tier Disk Volumes conformity rule settings and copy the tag set defined for Azure resources within your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Run vm list command (Windows/macOS/Linux) using the tag set copied at the previous step with custom query filters to list the ID of each virtual machine (VM) provisioned within the web tier. Note that the `tags==` comparison in the JMESPath query is an exact match: it returns only VMs whose entire tag set is that single tag, so VMs carrying additional tags are not listed unless the filter is adjusted:

az vm list \
    --query '[?(tags==`{"web_tier_tag":"web_tier_tag_value"}`)].id'

03 The command output should return the requested web-tier VM identifiers (IDs):

[
"/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-web-main-server",
"/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-web-public-server"
]

04 Run vm encryption show command (Windows/macOS/Linux) using the ID of the web-tier virtual machine that you want to examine as the identifier parameter to describe the encryption configuration metadata available for the disk volume(s) attached to the selected Azure VM:

az vm encryption show \
    --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-web-main-server" \
    --query 'disks'

05 The command output should return the requested configuration metadata:

[
  {
    "encryptionSettings": null,
    "name": "cc-web-main-server_OsDisk",
    "statuses": [
      {
        "code": "EncryptionState/notEncrypted",
        "displayStatus": "Disk is not encrypted",
        "level": "Info",
        "message": null,
        "time": null
      }
    ]
  },
  {
    "encryptionSettings": null,
    "name": "cc-web-main-server_DataDisk1",
    "statuses": [
      {
        "code": "EncryptionState/notEncrypted",
        "displayStatus": "Disk is not encrypted",
        "level": "Info",
        "message": null,
        "time": null
      }
    ]
  }
]

Check the encryption configuration metadata returned by the vm encryption show command for each VM disk volume. If the encryption status, returned as the value of the "displayStatus" attribute, is set to "Disk is not encrypted", the web-tier disk volumes attached to the selected Microsoft Azure virtual machine (VM) are not encrypted.

06 Repeat steps no. 4 and 5 for every web-tier Azure virtual machine provisioned in the current subscription.

07 Repeat steps no. 2 – 6 for each subscription available within your Microsoft Azure cloud account.
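The audit logic of steps 2 to 5 can be applied offline to saved command output. The following is an added example, not code from Conformity or from the Azure CLI: it reads the JSON printed by `az vm list` and by `az vm encryption show --query 'disks'`, matches VMs by tag membership rather than by exact tag-set equality, and reports any disk whose status code is not `EncryptionState/encrypted`. The tag names, VM IDs and disk records below are constructed sample values modelled on this page's examples.

```python
"""Offline audit helper for web-tier VM disk encryption (added example)."""
import json

WEB_TIER_TAG = "web_tier_tag"          # placeholder: your web-tier tag name
WEB_TIER_VALUE = "web_tier_tag_value"  # placeholder: your web-tier tag value


def web_tier_vm_ids(vm_list_json, tag=WEB_TIER_TAG, value=WEB_TIER_VALUE):
    """Return IDs of VMs carrying the web-tier tag (from `az vm list` output).

    Matching on tag membership, rather than `tags==` exact equality, still
    finds VMs that carry additional tags such as environment or owner.
    """
    return [vm["id"] for vm in json.loads(vm_list_json)
            if (vm.get("tags") or {}).get(tag) == value]


def unencrypted_disks(disks_json):
    """Return names of disks not reported as encrypted by Azure Disk Encryption.

    Input is the array printed by `az vm encryption show --query 'disks'`.
    A disk is flagged unless one of its statuses carries the encrypted code,
    so disks with no statuses at all are flagged rather than silently passed.
    """
    flagged = []
    for disk in json.loads(disks_json):
        codes = {status.get("code") for status in disk.get("statuses", [])}
        if "EncryptionState/encrypted" not in codes:
            flagged.append(disk["name"])
    return flagged


# Constructed sample data: one web-tier VM with an extra tag, one database VM.
SUB = "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE"
WEB_VM_ID = SUB + "/providers/Microsoft.Compute/virtualMachines/cc-web-main-server"
DB_VM_ID = SUB + "/providers/Microsoft.Compute/virtualMachines/cc-db-main-server"
SAMPLE_VM_LIST = json.dumps([
    {"id": WEB_VM_ID, "tags": {"web_tier_tag": "web_tier_tag_value", "env": "prod"}},
    {"id": DB_VM_ID, "tags": {"db_tier_tag": "db_tier_tag_value"}},
])
SAMPLE_DISKS = json.dumps([
    {"name": "cc-web-main-server_OsDisk", "encryptionSettings": [{"enabled": True}],
     "statuses": [{"code": "EncryptionState/encrypted", "level": "Info"}]},
    {"name": "cc-web-main-server_DataDisk1", "encryptionSettings": None,
     "statuses": [{"code": "EncryptionState/notEncrypted", "level": "Info"}]},
])

if __name__ == "__main__":
    for vm_id in web_tier_vm_ids(SAMPLE_VM_LIST):
        print(vm_id.rsplit("/", 1)[-1], "unencrypted:", unencrypted_disks(SAMPLE_DISKS))
```

In practice, redirect `az vm list` and `az vm encryption show --ids <id> --query 'disks'` output to files and pass their contents to the two functions.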

Remediation / Resolution

To enable encryption for the disk volumes attached to your web-tier Azure virtual machines, perform the following actions:

Note: Azure Disk Encryption is not currently supported on Basic tier and A-series VMs. Check the Azure documentation to determine if your virtual machines (VMs) meet the minimum memory requirements for disk encryption.

Using Azure Console

01 Sign in to your Cloud Conformity console, access Enable Encryption for Web-Tier Disk Volumes conformity rule settings and copy the tag set defined for Azure resources within your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Sign in to Azure Management Console.

03 Navigate to Key Vaults blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.KeyVault%2Fvaults and click + Add to create the Azure Key Vault that will store the disk volume encryption key.

04 On the Create key vault page, perform the following:

  1. On the Basics panel, choose the appropriate subscription, provide a unique name for the new key vault, then select the Azure region and the resource group where the vault will be deployed. Click Next : Access policy > to continue.
  2. On the Access policy panel, select Azure Disk Encryption for volume encryption to allow Azure Disk Encryption to retrieve secrets from the vault and unwrap encryption keys. Click Next : Virtual network > to continue the process.
  3. On the Virtual network panel, configure the network access control for the new key vault. Click Next : Tags > to continue.
  4. On the Tags panel, use the Name and Value fields to create tags that will help organize the identity of the key vault. Use the following format when you define your own tag set: <web_tier_tag>:<web_tier_tag_value> and make sure the tag name (<web_tier_tag>) and the tag value (<web_tier_tag_value>) match the tag set used to organize your web-tier Azure resources, copied at step no. 1. Click Next : Review + create > to finish the setup process.
  5. On the Review + create panel, review the resource configuration details, then click Create to create your new Azure Key Vault.

05 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

06 Choose the Azure subscription that you want to access from the Subscription filter box.

07 From the Type filter box, select Virtual machine to list the virtual machines provisioned in the selected subscription.

08 Click on the name of the web-tier virtual machine that you want to reconfigure (see Audit section part II to identify the right VM).

09 In the navigation panel, under Settings, select Disks to access the disk volumes attached to the selected web-tier VM.

10 On the Disks page, click Encryption to access the encryption configuration settings for the attached volumes.

11 On the Encryption page, select OS and data disks from Disks to encrypt dropdown list and use Select a key vault and key for encryption link to add the Azure Key Vault created earlier. Click Save to apply the configuration changes and enable encryption. Azure Disk Encryption (ADE) service will use the selected key vault to generate and store the key required to encrypt the web-tier disk volumes attached to the selected Microsoft Azure virtual machine.

12 Repeat steps no. 8 – 11 for each web-tier virtual machine (VM) available within the selected subscription.

13 Repeat steps no. 3 – 12 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Sign in to your Cloud Conformity console, access Enable Encryption for Web-Tier Disk Volumes conformity rule settings and copy the tag set defined for Azure resources within your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Run keyvault create command (Windows/macOS/Linux) to create the Microsoft Azure Key Vault where the required disk volume encryption key will be placed. Make sure that you set the --enabled-for-disk-encryption parameter to true for VM disk encryption support. Use the following format when you define your own tag set: <web_tier_tag>:<web_tier_tag_value> and make sure the tag name (<web_tier_tag>) and the tag value (<web_tier_tag_value>) match the tag set used to organize your web-tier Azure resources, copied at step no. 1.

az keyvault create \
    --name cc-web-key-vault \
    --resource-group cloud-shell-storage-westeurope \
    --location westeurope \
    --enable-soft-delete true \
    --enable-purge-protection true \
    --enabled-for-disk-encryption true \
    --tags web_tier_tag=web_tier_tag_value

03 The command output should return the configuration metadata for the newly created Azure Key Vault:

{
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-web-key-vault",
  "location": "westeurope",
  "name": "cc-web-key-vault",
  "properties": {
    "accessPolicies": [
      {
        "applicationId": null,
        "objectId": "1234abcd-1234-abcd-1234-abcd1234abcd",
        "permissions": {
          "certificates": [
            "get",
            "list",
            "delete",
            "create",
            "import",
            "update",
            "managecontacts",
            "getissuers",
            "listissuers",
            "setissuers",
            "deleteissuers",
            "manageissuers",
            "recover"
          ],
          "keys": [
            "get",
            "create",
            "delete",
            "list",
            "update",
            "import",
            "backup",
            "restore",
            "recover"
          ],
          "secrets": [
            "get",
            "list",
            "set",
            "delete",
            "backup",
            "restore",
            "recover"
          ],
          "storage": [
            "get",
            "list",
            "delete",
            "set",
            "update",
            "regeneratekey",
            "setsas",
            "listsas",
            "getsas",
            "deletesas"
          ]
        },
        "tenantId": "1234abcd-1234-abcd-1234-abcd1234abcd"
      }
    ],
    "createMode": null,
    "enablePurgeProtection": true,
    "enableSoftDelete": true,
    "enabledForDeployment": false,
    "enabledForDiskEncryption": true,
    "enabledForTemplateDeployment": null,
    "networkAcls": null,
    "provisioningState": "Succeeded",
    "sku": {
      "name": "standard"
    },
    "tenantId": "1234abcd-1234-abcd-1234-abcd1234abcd",
    "vaultUri": "https://cc-web-key-vault.vault.azure.net/"
  },
  "resourceGroup": "cloud-shell-storage-westeurope",
  "tags": {
    "web_tier_tag": "web_tier_tag_value"
  },
  "type": "Microsoft.KeyVault/vaults"
}

04 Run vm encryption enable command (Windows/macOS/Linux) using the ID of the web-tier virtual machine that you want to reconfigure (see Audit section part II to identify the right VM) and the name of the new key vault as identifier parameters, to enable encryption at rest for the web-tier disk volumes attached to the selected virtual machine:

az vm encryption enable \
    --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-web-main-server" \
    --disk-encryption-keyvault cc-web-key-vault \
    --volume-type ALL

05 The command output should return a confirmation message, such as:

The encryption request was accepted. Please use 'show' command to monitor the progress.

06 Run vm encryption show command (Windows/macOS/Linux) using the ID of the reconfigured web-tier virtual machine (VM) as the identifier parameter to confirm the encryption status by listing the encryption configuration available for the web-tier disk volumes encrypted at the previous steps:

az vm encryption show \
    --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-web-main-server" \
    --query 'disks'

07 The command output should return the disk volumes encryption configuration information:

[
  {
    "encryptionSettings": [
      {
        "diskEncryptionKey": {
          "secretUrl": "https://cc-web-tier-vault.vault.azure.net/secrets/abcdabcd-1234-abcd-1234-abcdabcdabcd/12345678901234567890123456789012",
          "sourceVault": {
            "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-web-tier-vault"
          }
        },
        "enabled": true,
        "keyEncryptionKey": null
      }
    ],
    "name": "cc-web-main-server_OsDisk",
    "statuses": [
      {
        "code": "EncryptionState/encrypted",
        "displayStatus": "Encryption is enabled on disk",
        "level": "Info",
        "message": null,
        "time": null
      }
    ]
  },
  {
    "encryptionSettings": [
      {
        "diskEncryptionKey": {
          "secretUrl": "https://cc-web-tier-vault.vault.azure.net/secrets/abcdabcd-1234-abcd-1234-abcdabcdabcd/12345678901234567890123456789012",
          "sourceVault": {
            "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-web-tier-vault"
          }
        },
        "enabled": true,
        "keyEncryptionKey": null
      }
    ],
    "name": "cc-web-main-server_DataDisk1",
    "statuses": [
      {
        "code": "EncryptionState/encrypted",
        "displayStatus": "Encryption is enabled on disk",
        "level": "Info",
        "message": null,
        "time": null
      }
    ]
  }
]

08 Repeat steps no. 4 – 7 for each Azure web-tier virtual machine provisioned in the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription available in your Microsoft Azure cloud account.

Publication date: Jun 24, 2020