Server side encryption non boot disk cmk remediation

Using Console

Using CLI

To remediate the misconfiguration “Server Side Encryption for Non-Boot Disk using CMK” for AZURE using AZURE CLI, please follow the below steps:Step 1: Open the Azure CLI on your local machine.Step 2: Run the following command to list all the disks in your subscription:

az disk list

Step 3: Identify the disk that is not using Server-Side Encryption with Customer-Managed Keys (CMK).Step 4: Run the following command to enable Server-Side Encryption with CMK for the identified disk:

az disk update --resource-group <resource-group-name> --name <disk-name> --encryption-type EncryptionAtRestWithCustomerKey --disk-encryption-key $(az keyvault secret show --vault-name <key-vault-name> --name <key-name> --query id -o tsv)

Note: Replace <resource-group-name> with the name of the resource group that contains the disk, <disk-name> with the name of the disk, <key-vault-name> with the name of the Key Vault, and <key-name> with the name of the key.Step 5: Verify that the disk is now using Server-Side Encryption with CMK by running the following command:

az disk show --resource-group <resource-group-name> --name <disk-name> --query encryptionSettings.diskEncryptionKey.encryptionType

The output should be EncryptionAtRestWithCustomerKey.Step 6: Repeat the above steps for all the disks in your subscription that are not using Server-Side Encryption with CMK.By following the above steps, you can remediate the misconfiguration “Server Side Encryption for Non-Boot Disk using CMK” for AZURE using AZURE CLI.

Using Python

To remediate the misconfiguration of Server Side Encryption for Non-Boot Disk using CMK in AZURE using python, you can follow the below steps:

Import the required libraries:

from azure.identity import DefaultAzureCredential
from azure.mgmt.compute import ComputeManagementClient
from azure.mgmt.storage import StorageManagementClient

Authenticate with Azure using DefaultAzureCredential:

credential = DefaultAzureCredential()
subscription_id = 'your_subscription_id'
compute_client = ComputeManagementClient(credential, subscription_id)
storage_client = StorageManagementClient(credential, subscription_id)

Get the list of all the virtual machines in the subscription:

vm_list = compute_client.virtual_machines.list_all()

Loop through all the virtual machines and get the disks attached to them:

for vm in vm_list:
    disk_ids = []
    for disk in vm.storage_profile.data_disks:
        disk_ids.append(disk.managed_disk.id)

Check if the disks have server-side encryption enabled:

for disk_id in disk_ids:
    encryption = storage_client.disks.get_encryption_status(disk_id)
    if encryption.disk_encryption_key:
        print("Disk with ID {} is encrypted with CMK.".format(disk_id))
    else:
        print("Disk with ID {} is not encrypted with CMK.".format(disk_id))

If the disk is not encrypted with CMK, enable encryption using the following code:

encryption_set_id = '/subscriptions/{}/resourceGroups/{}/providers/Microsoft.KeyVault/vaults/{}/encryptionKeys/{}/encryptionKeyVersions/{}'.format(subscription_id, resource_group_name, key_vault_name, key_name, key_version)
encryption_settings = storage_client.encryption_services.get(resource_group_name, account_name, 'blob')
encryption_settings.encryption_services[0].key_vault_properties.key_uri = encryption_set_id
storage_client.encryption_services.create_or_update(resource_group_name, account_name, 'blob', encryption_settings)

Note: Replace the placeholders your_subscription_id, resource_group_name, key_vault_name, key_name, key_version, and account_name with your own values.These steps should help you remediate the misconfiguration of Server Side Encryption for Non-Boot Disk using CMK in AZURE using python.

Azure Introduction

Azure Pricing

Azure Threats

Azure Misconfigurations

Server side encryption non boot disk cmk remediation

Triage and Remediation

Remediation