Query: Unattached Compute disks should be encrypted with ADE/CMK

Description

This policy identifies the disks which are unattached and are encrypted with default encryption instead of ADE/CMK. Azure encrypts disks by default Server-Side Encryption (SSE) with platform-managed keys [SSE with PMK]. It is recommended to use either SSE with Azure Disk Encryption [SSE with PMK+ADE] or Customer Managed Key [SSE with CMK] which improves on platform-managed keys by giving you control of the encryption keys to meet your compliance need.

Query

Tables used in this query:

• azure_compute_disk
• azure_subscription

Controls using this query:

• Unattached Compute disks should be encrypted with ADE/CMK

SQL