Ensure Alibaba Cloud Disk is encrypted
Error: Alibaba Cloud Disk encryption is disabled
Bridgecrew Policy ID: BC_ALI_GENERAL_6
Checkov Check ID: CKV_ALI_7
Severity: MEDIUM
Alibaba Cloud Disk encryption is disabled
Description
This policy identifies disks for which encryption is disabled. As a best practice enable disk encryption to improve data security without making changes to your business or applications. Snapshots created from encrypted disks and new disks created from these snapshots are automatically encrypted.
Fix - Runtime
Alibaba Cloud Portal
Alibaba Cloud disk can only be encrypted at the time of disk creation. So to resolve this alert, create a new disk with encryption and then migrate all required disk data from the reported disk to this newly created disk.
To create an Alibaba Cloud disk with encryption:
- Log in to Alibaba Cloud Portal
- Go to Elastic Compute Service
- In the left-side navigation pane, click on 'Disks' which is under 'Storage & Snapshots'\n4. Click on 'Create Disk'
- Check the 'Disk Encryption' box in the 'Disk' section
- Click on 'Preview Order' make sure parameters are chosen correctly
- Click on 'Create', After you create a disk, attach that disk to other resources per your requirements.
Fix - Buildtime
Terraform
resource "alicloud_disk" "pass" {
# cn-beijing
description = "Hello ecs disk."
category = "cloud_efficiency"
size = "30"
encrypted = true
kms_key_id = "2a6767f0-a16c-1234-5678-13bf*****"
tags = {
Name = "TerraformTest"
}
}
Updated about 2 months ago