Ensure managed disks use a specific set of disk encryption sets for customer-managed key encryption

Error: Managed disks do not use a specific set of disk encryption sets for customer-managed key encryption

Bridgecrew Policy ID: BC_AZR_GENERAL_29
Checkov Check ID: CKV_AZURE_93
Severity: LOW

Managed disks do not use a specific set of disk encryption sets for customer-managed key encryption

Description

Requiring a specific set of disk encryption sets to be used with managed disks gives you control over the keys used for encryption at rest. A disk encryption set binds a managed disk to a customer-managed key held in Azure Key Vault, so your organisation, rather than the platform, controls the key's lifecycle (rotation, access and revocation). You select the allowed disk encryption sets, and a disk that references any other set, or no set at all, is rejected when it is attached. This check flags any azurerm_managed_disk resource that does not set disk_encryption_set_id.

Fix - Buildtime

Terraform

  • Resource: azurerm_managed_disk
  • Argument: disk_encryption_set_id
resource "azurerm_managed_disk" "source" {
  name                 = "acctestmd1"
  location             = "West US 2"
  resource_group_name  = azurerm_resource_group.example.name
  storage_account_type = "Standard_LRS"
  create_option        = "Empty"
  disk_size_gb         = "1"
+ # Reference the disk encryption set that holds the customer-managed key.
+ # The resource name "example" is a placeholder; the original used the
+ # literal "koko", which is not a valid disk encryption set ID.
+ disk_encryption_set_id = azurerm_disk_encryption_set.example.id
  tags = {
    environment = "staging"
  }
}
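The fix above only shows the argument the check looks for. A disk encryption set is useless on its own: it needs a Key Vault with purge protection, a key, a system-assigned identity, and an access policy that lets that identity wrap and unwrap the key. The following is an added example of the complete wiring; it is not code from the original policy page or from Bridgecrew. Resource names, the resource group, the location and the key parameters are assumptions chosen for illustration.

```hcl
# Added example (not from the original page): end-to-end customer-managed-key
# encryption for a managed disk. All names and settings are illustrative.

data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "example" {
  name     = "rg-des-example"
  location = "West US 2"
}

resource "azurerm_key_vault" "example" {
  name                = "kv-des-example"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "premium"

  # Disk encryption sets require soft delete and purge protection on the vault,
  # so a deleted key cannot silently make every disk using it unreadable.
  soft_delete_retention_days = 7
  purge_protection_enabled   = true
}

# Lets the principal running Terraform create and manage the key.
resource "azurerm_key_vault_access_policy" "operator" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id

  key_permissions = ["Create", "Delete", "Get", "Purge", "Recover", "Update", "GetRotationPolicy"]
}

resource "azurerm_key_vault_key" "example" {
  name         = "disk-encryption-key"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts     = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]

  depends_on = [azurerm_key_vault_access_policy.operator]
}

resource "azurerm_disk_encryption_set" "example" {
  name                = "des-example"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  key_vault_key_id    = azurerm_key_vault_key.example.id

  # The set needs its own identity to reach the key in the vault.
  identity {
    type = "SystemAssigned"
  }
}

# Least privilege for the disk encryption set's identity: it only needs to
# read the key and wrap/unwrap the per-disk data encryption keys with it.
resource "azurerm_key_vault_access_policy" "disk_encryption_set" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = azurerm_disk_encryption_set.example.identity[0].tenant_id
  object_id    = azurerm_disk_encryption_set.example.identity[0].principal_id

  key_permissions = ["Get", "WrapKey", "UnwrapKey"]
}

resource "azurerm_managed_disk" "example" {
  name                 = "md-example"
  location             = azurerm_resource_group.example.location
  resource_group_name  = azurerm_resource_group.example.name
  storage_account_type = "Standard_LRS"
  create_option        = "Empty"
  disk_size_gb         = 1

  # This is the argument CKV_AZURE_93 checks for.
  disk_encryption_set_id = azurerm_disk_encryption_set.example.id

  # Without the access policy in place first, attaching the set fails at apply time.
  depends_on = [azurerm_key_vault_access_policy.disk_encryption_set]
}
```

Running `checkov -d . --check CKV_AZURE_93` against this directory passes, and removing the `disk_encryption_set_id` line from the managed disk makes it fail. Note that the check only verifies that the argument is present; it does not confirm that the referenced set is one of the ones your organisation has approved, which is the job of an Azure Policy assignment at runtime.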