Ensure that string variables are encrypted for Azure Automation Variable

MEDIUM

Description

Azure Automation can share variable assets across runbooks and DSC configurations. Because these variables frequently hold credentials, connection strings, API keys, or other sensitive data and intellectual property, best practice is to create them as encrypted variables. An encrypted variable is stored encrypted at rest and its value cannot be retrieved through the Azure portal or management cmdlets; it can only be read from within a runbook or DSC configuration using the internal Get-AutomationVariable cmdlet. For more information on managing variables in Automation, see the Azure documentation.
References:
https://learn.microsoft.com/en-us/azure/automation/shared-resources/variables?tabs=azure-powershell

Remediation

The encryption setting of an Azure Automation variable cannot be changed after creation, so a variable that was created unencrypted cannot be encrypted in place; it must be deleted and recreated with encryption enabled. To create an encrypted variable, follow the steps below.

In Azure Portal -

  1. Open the Azure Portal and go to Automation Accounts.
  2. Select the Automation Account you wish to edit.
  3. Under Shared Resources, choose Variables.
  4. Add a new variable.
  5. Ensure Encrypted is set to Yes.

In Terraform -

  1. In the azurerm_automation_variable_string resource, set the encrypted field to true (it defaults to false when omitted).
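
The following Terraform configuration is an added example for this remediation; it is not code from the original page or from the azurerm provider documentation. The resource group, account and variable names, the region, and the var.api_key input are assumptions. It shows the non-compliant definition (encrypted omitted, so it defaults to false) next to the compliant one:

```hcl
# Added example: an Automation string variable before and after remediation.
# Names, location and the api_key input are assumptions for illustration.

terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
    }
  }
}

provider "azurerm" {
  features {}
}

# Pass the secret in as a sensitive input so it is not echoed in plan output.
variable "api_key" {
  type      = string
  sensitive = true
}

resource "azurerm_resource_group" "example" {
  name     = "rg-automation-example"
  location = "westeurope"
}

resource "azurerm_automation_account" "example" {
  name                = "aa-example"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  sku_name            = "Basic"
}

# BEFORE (non-compliant, flagged by AC_AZURE_0317): "encrypted" is omitted,
# so it defaults to false and the value is stored and displayed in clear text.
#
# resource "azurerm_automation_variable_string" "api_key" {
#   name                    = "ApiKey"
#   resource_group_name     = azurerm_resource_group.example.name
#   automation_account_name = azurerm_automation_account.example.name
#   value                   = var.api_key
# }

# AFTER (compliant): encrypted = true. The value can then only be read from
# inside a runbook or DSC configuration via Get-AutomationVariable.
resource "azurerm_automation_variable_string" "api_key" {
  name                    = "ApiKey"
  resource_group_name     = azurerm_resource_group.example.name
  automation_account_name = azurerm_automation_account.example.name
  description             = "API key used by the nightly export runbook"
  encrypted               = true
  value                   = var.api_key
}
```

Because the encryption setting cannot be changed after creation, flipping encrypted from false to true on an existing variable requires the resource to be destroyed and recreated; if the provider does not plan a replacement on its own, force one with `terraform apply -replace='azurerm_automation_variable_string.api_key'`. Note also that encrypting the Automation variable protects it in Azure only: Terraform still records the value in its state file in clear text (sensitive = true merely redacts it from CLI output), so the state must be kept in an access-controlled, encrypted backend.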

References:
https://learn.microsoft.com/en-us/azure/automation/
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/automation_variable_string

Policy Details

Rule Reference ID: AC_AZURE_0317
CSP: Azure
Remediation Available: Yes
Resource Category: Management
Resource Type: Automation

Frameworks