56 lines
1.9 KiB
YAML
56 lines
1.9 KiB
YAML
id: azure-vm-web-tier-disk-unencrypted
|
|
info:
|
|
name: Azure VM Web-Tier Disk Volumes Not Encrypted
|
|
author: princechaddha
|
|
severity: high
|
|
description: |
|
|
Ensure that all the disk volumes attached to the Microsoft Azure virtual machines (VMs) launched within the web tier are encrypted to meet security and compliance requirements. This rule assumes all Azure cloud resources in the web tier are tagged with <web_tier_tag>:<web_tier_tag_value>. Tags must be configured on the Cloud Conformity dashboard prior to running this check.
|
|
impact: |
|
|
Unencrypted disk volumes can lead to data breaches and non-compliance with security standards, exposing sensitive information.
|
|
remediation: |
|
|
Enable encryption for all disk volumes attached to VMs within the Azure web tier to enhance data security and comply with regulatory requirements.
|
|
reference:
|
|
- https://docs.microsoft.com/en-us/azure/virtual-machines/linux/encrypt-disks
|
|
tags: cloud,devops,azure,microsoft,azure-vm,azure-cloud-config
|
|
|
|
flow: |
|
|
code(1);
|
|
for (let VmData of iterate(template.vmList)) {
|
|
VmData = JSON.parse(VmData);
|
|
set("ids", VmData.Id);
|
|
code(2);
|
|
}
|
|
|
|
self-contained: true
|
|
code:
|
|
- engine:
|
|
- sh
|
|
- bash
|
|
source: |
|
|
az vm list --query '[?(tags.web_tier_tag == "web_tier_tag_value")].{"Id":id}'
|
|
|
|
extractors:
|
|
- type: json
|
|
name: vmList
|
|
internal: true
|
|
json:
|
|
- '.[]'
|
|
|
|
- engine:
|
|
- sh
|
|
- bash
|
|
source: |
|
|
az vm encryption show --ids "$ids" --query 'disks'
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: stderr
|
|
words:
|
|
- 'Azure Disk Encryption is not enabled'
|
|
|
|
extractors:
|
|
- type: dsl
|
|
dsl:
|
|
- 'ids + " in " + " is not encrypted"'
|
|
# digest: 4a0a00473045022020b633bdaaa988b3d8dd91454e25deec649c7f31fb0d6f46e677de8eb8550f24022100db22b6a4c0f1e433f1089be6b1817072ed62de0a5315c43aaf3f77858f5dfb9d:922c64590222798bb761d5b6d8e72950 |