Ensure disk encryption is enabled for Azure Windows Virtual Machine Scale Set

MEDIUM

Description

Azure virtual machine storage should be encrypted to protect sensitive information. Encrypting data at rest is considered best practice in any environment that supports it, and it is often required by compliance frameworks or industry regulations.

Remediation

Once a Virtual Machine Scale Set is created in the console, the encryption at host setting cannot be changed. To create a resource with the correct settings, follow the steps below.

In Azure Console -

  1. Open the Azure Portal and go to Virtual Machine Scale Sets.
  2. Create a new Virtual Machine Scale Set.
  3. Under Disks, for the VM disk encryption, check the box for Encryption at host.
  4. Configure as needed.

In Terraform -

  1. In the azurerm_windows_virtual_machine_scale_set resource, set encryption_at_host_enabled to true.
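The Terraform remediation as an added example (not taken from the policy page or the provider documentation): a minimal azurerm_windows_virtual_machine_scale_set with encryption_at_host_enabled set, and the non-compliant form shown commented out beside it. Resource names, the subnet and resource group references, the SKU, the image and the admin credentials are placeholders; it also assumes the subscription has the Microsoft.Compute EncryptionAtHost feature registered, since the deployment is rejected otherwise.

```hcl
# Added example, not the policy's own code. Names, IDs and credentials are placeholders.
# Assumption: the subscription has registered the feature
#   az feature register --namespace Microsoft.Compute --name EncryptionAtHost
# and uses a VM size that supports encryption at host; otherwise the apply fails.

variable "admin_password" {
  type      = string
  sensitive = true # keep the secret out of plan output
}

resource "azurerm_windows_virtual_machine_scale_set" "example" {
  name                = "vmss-example"                          # placeholder
  resource_group_name = azurerm_resource_group.example.name     # placeholder reference
  location            = azurerm_resource_group.example.location # placeholder reference
  sku                 = "Standard_D2s_v3"
  instances           = 2
  admin_username      = "adminuser"                             # placeholder
  admin_password      = var.admin_password

  # Non-compliant (AC_AZURE_0349): omitting the argument or setting it to false
  # leaves the OS disk, temp disk and disk caches unencrypted on the host.
  # encryption_at_host_enabled = false

  # Compliant: encrypt data at rest on the host, including caches and temp disk.
  encryption_at_host_enabled = true

  source_image_reference {
    publisher = "MicrosoftWindowsServer"
    offer     = "WindowsServer"
    sku       = "2022-Datacenter"
    version   = "latest"
  }

  os_disk {
    storage_account_type = "Standard_LRS"
    caching              = "ReadWrite"
  }

  network_interface {
    name    = "example"
    primary = true

    ip_configuration {
      name      = "internal"
      primary   = true
      subnet_id = azurerm_subnet.example.id # placeholder reference
    }
  }
}
```

Because the setting cannot be changed on an existing scale set created in the console, adding the argument to a resource that already exists forces Terraform to plan a replacement rather than an in-place update; review the plan before applying.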

References:
https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/windows_virtual_machine_scale_set#encryption_at_host_enabled

Policy Details

Rule Reference ID: AC_AZURE_0349
CSP: Azure
Remediation Available: Yes
Resource Category: Compute
Resource Type: Virtual Machine

Frameworks