More Info:

Microsoft Azure provides multiple distinct layers of encryption protection for virtual machine (VM) managed disks. VM managed disks are encrypted with Azure Storage encryption, also known as Server-Side Encryption (SSE), using platform-managed keys (PMK), to protect your data at rest and help you meet your organizational security and compliance commitments. By default, VM managed disk volumes (OS and data disk volumes) use platform-managed encryption keys.

Risk Level

High

Address

Security

Compliance Standards

ISO27001, HIPAA, CISAZURE, CBP

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration of Server Side Encryption for Boot Disk using CMK in Azure, follow the below steps:
  1. Login to the Azure portal (https://portal.azure.com/)
  2. Navigate to the virtual machine which needs to be remediated.
  3. Click on “Disks” under the “Settings” section of the virtual machine.
  4. Select the boot disk that needs to be encrypted.
  5. In the “Encryption Settings” section, click on “Disk encryption set”.
  6. Click on “Create new” to create a new disk encryption set.
  7. Select the appropriate subscription, resource group and region.
  8. Provide a name for the disk encryption set and select the key vault which contains the Customer Managed Key (CMK).
  9. Click on “Create” to create the disk encryption set.
  10. Once the disk encryption set is created, select the disk encryption set from the “Encryption Settings” section of the boot disk.
  11. Click on “Save” to save the changes.
The boot disk of the virtual machine will now be encrypted using the Customer Managed Key (CMK) stored in the selected key vault.

To remediate the misconfiguration of Server Side Encryption for Boot Disk using CMK in Azure, you can follow the below steps using Azure CLI:
  1. Open Azure CLI and login to your Azure account using the command: az login
  2. Once you are logged in, run the following command to identify the VM’s boot disk that needs to be encrypted: az vm show -g <resource-group-name> -n <vm-name> --query storageProfile.osDisk.managedDisk.id -o tsv
  3. Once you have identified the boot disk, run the following command to enable encryption on the boot disk using a customer-managed key: az disk encryption set --resource-group <resource-group-name> --name <disk-name> --key-url <key-url> --encryption-type <EncryptionType> Replace the following parameters in the command:
    • <resource-group-name>: Name of the resource group where the VM is located.
    • <disk-name>: Name of the disk that needs to be encrypted.
    • <key-url>: URL of the customer-managed key that needs to be used for encryption.
    • <EncryptionType>: Type of encryption to be used. In this case, it would be “EncryptionAtRestWithCustomerKey”.
  4. Once the encryption is enabled, you can verify the status of the encryption using the following command: az disk encryption show --resource-group <resource-group-name> --name <disk-name> --query encryptionSettingsCollection -o json This command will return the encryption settings for the disk in JSON format.
By following the above steps, you can remediate the misconfiguration of Server Side Encryption for Boot Disk using CMK in Azure using Azure CLI.
To remediate Server Side Encryption for Boot Disk using CMK misconfiguration in Azure using Python, you can follow the below steps:
  1. Import the necessary libraries:
from azure.mgmt.compute import ComputeManagementClient
from azure.mgmt.compute.models import DiskEncryptionSetParameters, EncryptionSettings, DiskEncryptionSettings, KeyVaultSecretReference
from azure.identity import DefaultAzureCredential
  1. Set the credentials for authentication:
credential = DefaultAzureCredential()
subscription_id = 'your-subscription-id'
resource_group = 'your-resource-group'
  1. Create an instance of the ComputeManagementClient:
compute_client = ComputeManagementClient(credential, subscription_id)
  1. Get the virtual machine details:
vm_name = 'your-vm-name'
vm = compute_client.virtual_machines.get(resource_group, vm_name)
  1. Get the OS disk details:
os_disk_name = vm.storage_profile.os_disk.name
os_disk = compute_client.disks.get(resource_group, os_disk_name)
  1. Create a DiskEncryptionSetParameters object:
disk_encryption_set_parameters = DiskEncryptionSetParameters(
    identity=None,
    encryption_type='EncryptionAtRestWithCustomerKey',
    disk_encryption_key=None,
    key_encryption_key=None
)
  1. Create an EncryptionSettings object:
encryption_settings = EncryptionSettings(
    enabled=True,
    disk_encryption_set_id='your-disk-encryption-set-id'
)
  1. Create a DiskEncryptionSettings object:
disk_encryption_settings = DiskEncryptionSettings(
    disk_encryption_key=None,
    key_encryption_key=None,
    enabled=True,
    encryption_settings=encryption_settings
)
  1. Create a KeyVaultSecretReference object:
key_vault_secret_reference = KeyVaultSecretReference(
    source_vault=None,
    secret_url='your-cmk-secret-url'
)
  1. Update the OS disk with the new encryption settings:
os_disk.encryption_settings = disk_encryption_settings
os_disk.encryption_settings.disk_encryption_settings.disk_encryption_key.secret_url = key_vault_secret_reference.secret_url
os_disk.encryption_settings.disk_encryption_settings.disk_encryption_key.source_vault = key_vault_secret_reference.source_vault
compute_client.disks.create_or_update(resource_group, os_disk_name, os_disk)
Note: Make sure to replace the placeholders (your-subscription-id, your-resource-group, your-vm-name, your-disk-encryption-set-id, your-cmk-secret-url) with the actual values.These steps will remediate the Server Side Encryption for Boot Disk using CMK misconfiguration in Azure using Python.