Ensure that your Azure virtual machine disk volumes are using customer-managed keys (also known as Bring Your Own Keys - BYOKs) instead of service-managed keys (default keys used by Microsoft Azure for disk encryption), in order to have a more granular control over your VM data encryption/decryption process.
PoC代码[已公开]
id: azure-vm-byok-disk-volumes-not-enabled
info:
name: Azure VM Disk Volumes BYOK Encryption Not Enabled
author: princechaddha
severity: high
description: |
Ensure that your Azure virtual machine disk volumes are using customer-managed keys (also known as Bring Your Own Keys - BYOKs) instead of service-managed keys (default keys used by Microsoft Azure for disk encryption), in order to have a more granular control over your VM data encryption/decryption process.
impact: |
Using service-managed keys for disk encryption could limit your control over encryption keys and the security of your data.
remediation: |
Configure your VM disk volumes to use customer-managed keys (BYOK) to ensure better security and control over your data encryption and decryption processes.
reference:
- https://docs.microsoft.com/en-us/azure/virtual-machines/disks-enable-customer-managed-keys
tags: cloud,devops,azure,microsoft,virtual-machine,azure-cloud-config
flow: |
code(1);
for (let VmData of iterate(template.vmList)) {
VmData = JSON.parse(VmData);
set("ids", VmData.id);
code(2);
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az vm list --query '[*].{"id":id}'
extractors:
- type: json
name: vmList
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az vm encryption show --ids "$ids" --query 'disks[*].encryptionSettings[*].keyEncryptionKey.keyUrl'
matchers:
- type: word
part: stderr
words:
- "Azure Disk Encryption is not enabled"
extractors:
- type: dsl
dsl:
- 'ids + " is not using BYOK for disk encryption"'
# digest: 4a0a0047304502201e3e3f2ef89cc5446cdb6216b43dce53420b938647afb4782b4810e1ce84ad81022100de1b06e236b835b4567e41a29255f78b68c1ab99db53810c5d7471fd79e56247:922c64590222798bb761d5b6d8e72950