Ensure Alibaba Cloud Disk is encrypted

Error: Alibaba Cloud Disk encryption is disabled

Bridgecrew Policy ID: BC_ALI_GENERAL_6
Checkov Check ID: CKV_ALI_7
Severity: MEDIUM

Alibaba Cloud Disk encryption is disabled

Description

This policy identifies disks for which encryption is disabled. As a best practice, enable disk encryption to improve data security without making changes to your business or applications. Snapshots created from encrypted disks, and new disks created from those snapshots, are automatically encrypted.

Fix - Runtime

Alibaba Cloud Portal

An Alibaba Cloud disk can only be encrypted at the time of disk creation. To resolve this alert, create a new disk with encryption enabled and then migrate all required data from the reported disk to the newly created disk.
To create an Alibaba Cloud disk with encryption:

  1. Log in to the Alibaba Cloud Portal
  2. Go to Elastic Compute Service
  3. In the left-side navigation pane, click 'Disks' under 'Storage & Snapshots'
  4. Click 'Create Disk'
  5. Check the 'Disk Encryption' box in the 'Disk' section
  6. Click 'Preview Order' and make sure the parameters are chosen correctly
  7. Click 'Create'. After the disk is created, attach it to other resources as required.

Fix - Buildtime

Terraform

resource "alicloud_disk" "pass" {
  # cn-beijing
  description = "Hello ecs disk."
  category    = "cloud_efficiency"
  size        = "30"
  # Encryption can only be enabled when the disk is created (see Fix - Runtime above).
  encrypted   = true
  # KMS key used to encrypt the disk (value masked in the original).
  kms_key_id  = "2a6767f0-a16c-1234-5678-13bf*****"
  tags = {
    Name = "TerraformTest"
  }
}
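The following is an added example, not Checkov's own implementation of CKV_ALI_7, showing how the policy described above can be evaluated against parsed Terraform resources. It assumes the attribute shape Checkov hands to its Terraform checks (each attribute maps to a list holding its value, e.g. {"encrypted": [True]}), a constructed resource-list shape of {"type", "name", "config"}, and that the newer alicloud_ecs_disk resource carries the same encrypted argument as alicloud_disk. A disk with no encrypted argument is treated as unencrypted, so a missing attribute fails rather than passes, and string booleans produced by some parsers are accepted.

```python
"""Added example: a minimal re-implementation of the idea behind CKV_ALI_7
for parsed Terraform resources. This is not Checkov's own check code.

Assumed input shape: every attribute maps to a list holding its value,
e.g. {"encrypted": [True]}, which mirrors the conf dict Checkov passes to
its Terraform resource checks.
"""
from typing import Any, Dict, List, Tuple

# Resource types that carry an `encrypted` argument for ECS disks.
# alicloud_disk is the type used on this page; alicloud_ecs_disk is assumed
# to be the newer equivalent in the alicloud provider.
DISK_RESOURCE_TYPES = {"alicloud_disk", "alicloud_ecs_disk"}

# Terraform booleans may surface as True/False or as the strings "true"/"True"
# depending on the parser and on how the .tf file was written.
TRUE_VALUES = {True, "true", "True"}


def disk_is_encrypted(conf: Dict[str, List[Any]]) -> bool:
    """Return True only when `encrypted` is present and truthy.

    Absence is treated as unencrypted, matching the provider default, so a
    disk that simply omits the argument is reported as FAILED.
    """
    values = conf.get("encrypted")
    if not values:
        return False
    return values[0] in TRUE_VALUES


def scan_resources(resources: List[Dict[str, Any]]) -> List[Tuple[str, str]]:
    """Evaluate each disk resource and return (address, result) pairs.

    Each resource dict is {"type": ..., "name": ..., "config": {...}}, a
    constructed shape for this example. Non-disk resources are skipped.
    """
    findings = []
    for res in resources:
        if res["type"] not in DISK_RESOURCE_TYPES:
            continue
        address = f'{res["type"]}.{res["name"]}'
        result = "PASSED" if disk_is_encrypted(res["config"]) else "FAILED"
        findings.append((address, result))
    return findings


# Constructed sample input: the page's passing resource, two failing variants
# (explicit false, attribute missing), and an unrelated resource to skip.
SAMPLE_RESOURCES = [
    {"type": "alicloud_disk", "name": "pass",
     "config": {"category": ["cloud_efficiency"], "size": ["30"],
                "encrypted": [True],
                "kms_key_id": ["<kms-key-id-placeholder>"]}},
    {"type": "alicloud_disk", "name": "fail_explicit",
     "config": {"category": ["cloud_efficiency"], "size": ["30"],
                "encrypted": [False]}},
    {"type": "alicloud_disk", "name": "fail_missing",
     "config": {"category": ["cloud_efficiency"], "size": ["30"]}},
    {"type": "alicloud_instance", "name": "unrelated",
     "config": {"instance_type": ["ecs.n4.large"]}},
]

if __name__ == "__main__":
    for address, result in scan_resources(SAMPLE_RESOURCES):
        print(f"CKV_ALI_7 {result}: {address}")
```

Running the block prints one line per disk resource; the unrelated instance produces no finding. Treating a missing encrypted argument as a failure is the important design choice: a check that only flags an explicit false would miss the common case where the argument was never written.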