More Info:

Microsoft Azure provides multiple distinct layers of encryption protection for virtual machine (VM) managed disks. VM managed disks are encrypted with Azure Storage encryption, also known as Server-Side Encryption (SSE), using platform-managed keys (PMK), to protect your data at rest and help you meet your organizational security and compliance commitments. By default, VM managed disk volumes (regardless of the VM attachment status) use platform-managed encryption keys. However, in order to have a more granular control over your data encryption/decryption process, it is strongly recommended to use your own keys (CMKs) instead of platform-managed keys (PMKs) for data (non-boot) disk volume encryption.

Risk Level

High

Address

Security

Compliance Standards

HIPAA, CISAZURE, CBP, ISO27001

Triage and Remediation

Remediation

Using Console

Sure, here are the step-by-step instructions to remediate the misconfiguration of Server Side Encryption for Unattached Disk using CMK in Azure:
  1. Login to the Azure portal (https://portal.azure.com/).
  2. Navigate to the Azure Disk Encryption extension.
  3. Click on “Disk Encryption Sets” on the left-hand side menu.
  4. Select the disk encryption set that you want to remediate.
  5. Click on the “Key vault” tab.
  6. Select the Key Vault that you want to use for encryption.
  7. Click on “Save” to save the changes.
Once you have completed these steps, Azure will encrypt the unattached disks using the CMK specified in the Key Vault that you selected.

To remediate the misconfiguration of server-side encryption for unattached disk using CMK in Azure using Azure CLI, you can follow these steps:
  1. Firstly, you need to identify the unattached disks in your Azure subscription. You can use the following Azure CLI command to list all the unattached disks: az disk list --query "[?managedBy==null]"
  2. Once you have identified the unattached disks, you can use the following Azure CLI command to enable server-side encryption for those disks using a customer-managed key (CMK): az disk encryption set --resource-group <resource-group-name> --name <disk-name> --encryption-type EncryptionAtRestWithCustomerKey --disk-encryption-key <key-uri> --key-encryption-key <key-uri> Here, replace <resource-group-name> with the name of the resource group containing the unattached disk, <disk-name> with the name of the unattached disk, <key-uri> with the URI of the customer-managed key (CMK) that you want to use for encryption.
  3. Once the encryption is enabled for the unattached disk, you can verify the encryption status using the following Azure CLI command: az disk show --resource-group <resource-group-name> --name <disk-name> --query "encryptionSettings.collection[].diskEncryptionKey" This command will show the encryption status of the disk and the key used for encryption.
  4. Repeat the above steps for all the unattached disks in your Azure subscription to ensure that they are all encrypted using a customer-managed key (CMK).
By following the above steps, you can remediate the misconfiguration of server-side encryption for unattached disk using CMK in Azure using Azure CLI.
To remediate the misconfiguration of Server Side Encryption for Unattached Disk using CMK in Azure using Python, you can follow the below steps:
  1. Install the Azure SDK for Python using the following command:
pip install azure-mgmt-compute
  1. Authenticate with Azure by creating a service principal and assigning the appropriate permissions.
  2. Use the following Python code to enable Server Side Encryption for Unattached Disk using CMK: 
from azure.common.credentials import ServicePrincipalCredentials
from azure.mgmt.compute import ComputeManagementClient
from azure.mgmt.compute.models import DiskEncryptionSetParameters, EncryptionSetIdentity
from azure.mgmt.resource import ResourceManagementClient

# Set subscription ID, resource group name, disk name, and encryption set name
subscription_id = '<subscription_id>'
resource_group_name = '<resource_group_name>'
disk_name = '<disk_name>'
encryption_set_name = '<encryption_set_name>'

# Set service principal credentials
credentials = ServicePrincipalCredentials(
    client_id='<client_id>',
    secret='<client_secret>',
    tenant='<tenant_id>'
)

# Create compute and resource management clients
compute_client = ComputeManagementClient(credentials, subscription_id)
resource_client = ResourceManagementClient(credentials, subscription_id)

# Get the resource ID of the disk
disk = compute_client.disks.get(resource_group_name, disk_name)
disk_id = disk.id

# Get the resource ID of the encryption set
encryption_set = resource_client.resources.get_by_id(encryption_set_name, api_version='2019-04-01')
encryption_set_id = encryption_set.id

# Create encryption set parameters
encryption_set_params = DiskEncryptionSetParameters(
    identity=EncryptionSetIdentity(
        type='DiskEncryptionSetIdentity',
        resource_id=encryption_set_id
    )
)

# Update the disk with encryption set parameters
compute_client.disks.update(
    resource_group_name=resource_group_name,
    disk_name=disk_name,
    disk_encryption_set=encryption_set_params
)
  1. Replace the placeholders <subscription_id>, <resource_group_name>, <disk_name>, <encryption_set_name>, <client_id>, <client_secret>, and <tenant_id> with the appropriate values.
  2. Run the Python script to enable Server Side Encryption for Unattached Disk using CMK in Azure.
Note: This code assumes that the disk and encryption set are in the same subscription and region. If they are in different subscriptions or regions, you will need to modify the code accordingly.