Control: 7.3 Ensure that 'Unattached disks' are encrypted with CMK
Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key (CMK). Managed disks are encrypted by default with Platform-managed keys. Using Customer-managed keys may provide an additional level of security or meet an organization's regulatory requirements. Encrypting managed disks ensures that their entire content is fully unrecoverable without the key and thus protects the volume from unwarranted reads. Even if a disk is not attached to any VM, there is always a risk that a compromised user account with administrative access to the VM service could mount or attach these data disks, which may lead to sensitive information disclosure and tampering.
- Using the search feature, go to
- Select the unattached disk you would like to encrypt.
- For the Encryption type, select Encryption at-rest with a customer-managed key.
- Disk encryption set and click
```shell
steampipe check azure_compliance.control.cis_v130_7_3
```

This control uses a named query: `compute_unattached_disk_encrypted_with_cmk`
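As an added illustration of what the control evaluates (this is not the mod's own `compute_unattached_disk_encrypted_with_cmk` query), the following Steampipe query flags every unattached disk whose encryption type is not customer-key based. It assumes the Azure plugin's `azure_compute_disk` and `azure_subscription` tables with the `disk_state`, `encryption_type`, `encryption_disk_encryption_set_id`, `resource_group` and `subscription_id` columns, and treats both `EncryptionAtRestWithCustomerKey` and `EncryptionAtRestWithPlatformAndCustomerKeys` as compliant, since either involves a customer-managed key.

```sql
-- Steampipe control-style query: one row per unattached disk with
-- resource / status / reason columns, plus resource group and subscription
-- as dimensions. Table and column names are assumed from the Azure plugin.
select
  disk.id as resource,
  case
    -- Both CMK variants satisfy the control; platform-key-only disks do not.
    when disk.encryption_type in (
      'EncryptionAtRestWithCustomerKey',
      'EncryptionAtRestWithPlatformAndCustomerKeys'
    ) then 'ok'
    else 'alarm'
  end as status,
  case
    when disk.encryption_type in (
      'EncryptionAtRestWithCustomerKey',
      'EncryptionAtRestWithPlatformAndCustomerKeys'
    ) then disk.name || ' is encrypted with CMK (disk encryption set: '
           || coalesce(disk.encryption_disk_encryption_set_id, 'n/a') || ').'
    else disk.name || ' is encrypted with ' || coalesce(disk.encryption_type, 'unknown')
         || ', not a customer-managed key.'
  end as reason,
  disk.resource_group,
  sub.display_name as subscription
from
  azure_compute_disk as disk
  join azure_subscription as sub
    on sub.subscription_id = disk.subscription_id
where
  -- Only disks that are not attached to any VM are in scope for this control.
  disk.disk_state = 'Unattached'
order by
  status, disk.name;
```

Run it with `steampipe query` against a subscription the Azure plugin is configured for; rows with status `alarm` are the disks the remediation steps above apply to.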