Ensure encryption is configured for Azure Kubernetes Cluster using a customer managed key

MEDIUM

Description

Azure Kubernetes Service (AKS) encrypts the OS and data disks of cluster nodes at rest by default, using Microsoft-managed (platform-managed) keys. It is considered best practice to instead supply a customer-managed key held in Azure Key Vault, bound to the cluster's disks through a disk encryption set, so that you control the key's access policy, rotation, auditing, and revocation rather than relying on a key Microsoft controls. For more information on using customer-managed keys in AKS, see the Azure documentation.
References:
https://learn.microsoft.com/en-us/azure/aks/azure-disk-customer-managed-keys

Remediation

The disk encryption set of an AKS cluster cannot be changed once the cluster has been created, so a cluster that is already using Microsoft-managed keys must be recreated to remediate. A disk encryption set must exist before the cluster is created; it needs a Key Vault with soft delete and purge protection enabled, a key in that vault, and a managed identity on the disk encryption set that is allowed to wrap and unwrap with the key. The disk encryption set must be in the same region and subscription as the cluster. To create new resources with the appropriate settings, follow the steps below.

In Azure Console -
For a disk encryption set:

  1. Open the Azure Portal and go to Disk encryption sets.
  2. Create a new disk encryption set, choosing the Azure Key Vault and key it should use. The Key Vault must have soft delete and purge protection enabled, and the disk encryption set's managed identity must be granted access to the key (the portal offers to grant this when the set is created).

To use the disk encryption set in AKS:

  1. Open the Azure Portal and go to Kubernetes Services.
  2. Click the Create button and select Create a Kubernetes Cluster.
  3. Configure as needed. On the Node Pools tab, under Node pool OS disk encryption, set the drop-down to use a customer-managed key.
  4. Choose the disk encryption set to use.

In Terraform -

  1. In the azurerm_kubernetes_cluster resource, set disk_encryption_set_id to the ID of the disk encryption set. Note that changing this argument on an existing cluster forces Terraform to destroy and recreate the cluster.
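
The following is an added Terraform example, not code from the original page or from the Azure documentation, showing the full chain the policy expects: a Key Vault with purge protection, a key, a disk encryption set whose managed identity can wrap and unwrap with that key, and an AKS cluster that references the set through disk_encryption_set_id. Resource names, the region, the VM size, and the use of Key Vault RBAC (rather than access policies) are assumptions for illustration; the provider is pinned to the 3.x series because the enable_rbac_authorization argument is named differently in 4.x.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

provider "azurerm" {
  features {}
}

# Identity running terraform; used to grant it rights to create the key.
data "azurerm_client_config" "current" {}

# All names and the region below are example values (assumptions).
resource "azurerm_resource_group" "aks" {
  name     = "rg-aks-cmk-example"
  location = "eastus"
}

resource "azurerm_key_vault" "aks" {
  name                       = "kv-aks-cmk-example"
  location                   = azurerm_resource_group.aks.location
  resource_group_name        = azurerm_resource_group.aks.name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "premium"
  enable_rbac_authorization  = true
  soft_delete_retention_days = 90
  # Purge protection is mandatory for a vault backing a disk encryption set:
  # it prevents the key from being permanently deleted while disks depend on it.
  purge_protection_enabled = true
}

# Let the deploying identity manage keys in the vault.
resource "azurerm_role_assignment" "deployer_kv_admin" {
  scope                = azurerm_key_vault.aks.id
  role_definition_name = "Key Vault Administrator"
  principal_id         = data.azurerm_client_config.current.object_id
}

resource "azurerm_key_vault_key" "aks_disks" {
  name         = "aks-os-disk-cmk"
  key_vault_id = azurerm_key_vault.aks.id
  key_type     = "RSA"
  key_size     = 3072
  key_opts     = ["decrypt", "encrypt", "unwrapKey", "wrapKey"]
  depends_on   = [azurerm_role_assignment.deployer_kv_admin]
}

# The disk encryption set binds the key to the disks. Its system-assigned
# identity is what Azure Disk Storage uses to reach the key.
resource "azurerm_disk_encryption_set" "aks" {
  name                = "des-aks-cmk-example"
  location            = azurerm_resource_group.aks.location
  resource_group_name = azurerm_resource_group.aks.name
  key_vault_key_id    = azurerm_key_vault_key.aks_disks.id

  identity {
    type = "SystemAssigned"
  }
}

# Without this grant the disk encryption set exists but cannot unwrap the
# key, and node disk creation fails at cluster deployment time.
resource "azurerm_role_assignment" "des_crypto_user" {
  scope                = azurerm_key_vault.aks.id
  role_definition_name = "Key Vault Crypto Service Encryption User"
  principal_id         = azurerm_disk_encryption_set.aks.identity[0].principal_id
}

resource "azurerm_kubernetes_cluster" "aks" {
  name                = "aks-cmk-example"
  location            = azurerm_resource_group.aks.location
  resource_group_name = azurerm_resource_group.aks.name
  dns_prefix          = "akscmkexample"

  # The setting this policy checks. It can only be set at creation time;
  # changing it later forces the cluster to be recreated.
  disk_encryption_set_id = azurerm_disk_encryption_set.aks.id

  default_node_pool {
    name       = "system"
    node_count = 1
    vm_size    = "Standard_D2s_v3"
  }

  identity {
    type = "SystemAssigned"
  }

  depends_on = [azurerm_role_assignment.des_crypto_user]
}
```

The explicit depends_on on the role assignment matters: Terraform would otherwise create the cluster as soon as the disk encryption set's ID is known, before the key access has propagated, and node provisioning fails with a key vault authorization error. To verify a deployed cluster, run `az aks show -g <resource-group> -n <cluster-name> --query diskEncryptionSetId` and confirm it returns the disk encryption set's resource ID rather than null.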

References:
https://learn.microsoft.com/en-us/azure/aks/azure-disk-customer-managed-keys
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster#disk_encryption_set_id

Policy Details

Rule Reference ID: AC_AZURE_0155
CSP: Azure
Remediation Available: Yes
Resource Category: Compute

Frameworks