Governance Policies Azure Compute Disk Encryption Set - Azure/az-prototype GitHub Wiki
Governance policies for Disk Encryption Set
Domain: azure-compute
| Name | Description |
|---|---|
| Disk Encryption Set with CMK and auto-rotation | Customer-managed key encryption with automatic key rotation |
| Description | Instead |
|---|---|
| Do not rely solely on platform-managed encryption when compliance requires CMK | Deploy a Disk Encryption Set with customer-managed keys from Key Vault |
| Do not store encryption keys in the same Key Vault as application secrets | Use a dedicated Key Vault for disk encryption keys with restricted access |
| Check | Severity | Description |
|---|---|---|
| AZ-DES-001 | Required | Create Disk Encryption Set with customer-managed key from Key Vault |
| AZ-DES-002 | Required | Grant the Disk Encryption Set identity access to the Key Vault |
| AZ-DES-003 | Required | Enable automatic key rotation to latest key version |
| AZ-DES-004 | Recommended | Use EncryptionAtRestWithPlatformAndCustomerKeys for double encryption |
Create Disk Encryption Set with customer-managed key from Key Vault
Severity: Required
Rationale: Customer-managed keys (CMK) provide control over encryption keys and meet compliance requirements
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Compute/diskEncryptionSets
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.KeyVault/vaults | kv-cmk | Key Vault with purge protection enabled for storing CMK encryption keys |
| Microsoft.KeyVault/vaults/keys | des-cmk-key | RSA 2048-bit or higher encryption key for Disk Encryption Set |
| Microsoft.Authorization/roleAssignments | Key Vault Crypto Service Encryption User | Grants DES identity permission to use Key Vault encryption keys |
Grant the Disk Encryption Set identity access to the Key Vault
Severity: Required
Rationale: Without Key Vault access, the DES cannot retrieve the encryption key and disk operations will fail
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Compute/diskEncryptionSets
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Compute/diskEncryptionSets | des-cmk | Disk Encryption Set with system-assigned identity for Key Vault access |
| Microsoft.KeyVault/vaults | kv-cmk | Key Vault with RBAC authorization for DES key access |
Enable automatic key rotation to latest key version
Severity: Required
Rationale: Manual key rotation risks service disruption if keys expire; automatic rotation ensures continuity
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Compute/diskEncryptionSets
Use EncryptionAtRestWithPlatformAndCustomerKeys for double encryption
Severity: Recommended
Rationale: Double encryption uses both platform-managed and customer-managed keys for defense in depth
Agents: terraform-agent, bicep-agent, cloud-architect, security-reviewer
- Microsoft.Compute/diskEncryptionSets
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.KeyVault/vaults | kv-cmk | Key Vault with purge protection for double-encryption keys |
| Microsoft.KeyVault/vaults/keys | des-double-enc-key | RSA encryption key for platform-and-customer double encryption |