Ensure Virtual Machine scale sets have encryption at host enabled

Error: Virtual Machine scale sets do not have encryption at host enabled

Bridgecrew Policy ID: BC_AZR_GENERAL_31
Checkov Check ID: CKV_AZURE_97
Severity: LOW

Virtual Machine scale sets do not have encryption at host enabled

Description

Use encryption at host to get end-to-end encryption for your virtual machine and virtual machine scale set data. Encryption at host enables encryption at rest for your temporary disk and for your OS/data disk caches. Temporary and ephemeral OS disks are encrypted with platform-managed keys when encryption at host is enabled. OS/data disk caches are encrypted at rest with either a customer-managed or a platform-managed key, depending on the encryption type selected on the disk.

Fix - Buildtime

Terraform

  • Resource: azurerm_windows_virtual_machine_scale_set
  • Argument: encryption_at_host_enabled
resource "azurerm_windows_virtual_machine_scale_set" "example" {
  ...
+ encryption_at_host_enabled = true
  ...
}
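As an added example that is not part of the policy page: a complete azurerm_windows_virtual_machine_scale_set definition with the fix applied, so the finding can be reproduced and cleared end to end. The resource names, region, SKU, image, credentials variable and subnet variable are assumed values.

```hcl
# Added example, not from the policy page: a minimal scale set that passes CKV_AZURE_97.
# Names, region, SKU, image and the subnet are assumed values, not taken from the page.
variable "admin_password" {
  type      = string
  sensitive = true   # supplied at apply time, never written into the config
}

variable "subnet_id" {
  type = string      # assumed: an existing subnet the instances attach to
}

resource "azurerm_windows_virtual_machine_scale_set" "example" {
  name                = "vmss-example"           # assumed name
  resource_group_name = "rg-vmss-example"        # assumed existing resource group
  location            = "westeurope"             # assumed region
  sku                 = "Standard_D2s_v3"        # assumed; must be a size that supports encryption at host
  instances           = 2
  admin_username      = "adminuser"
  admin_password      = var.admin_password

  # The argument CKV_AZURE_97 checks. Omitting it (the default is false) produces the finding;
  # setting it to true encrypts the temp disk and the OS/data disk caches at rest on the host.
  encryption_at_host_enabled = true

  source_image_reference {
    publisher = "MicrosoftWindowsServer"
    offer     = "WindowsServer"
    sku       = "2022-Datacenter"
    version   = "latest"
  }

  os_disk {
    storage_account_type = "Standard_LRS"
    caching              = "ReadWrite"   # this cache is what encryption at host covers for the OS disk
  }

  network_interface {
    name    = "nic-vmss"
    primary = true

    ip_configuration {
      name      = "internal"
      primary   = true
      subnet_id = var.subnet_id
    }
  }
}
```

Encryption at host must be registered for the subscription before this will apply (az feature register --namespace Microsoft.Compute --name EncryptionAtHost), and the sku must be a VM size that supports the feature, otherwise the deployment is rejected.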