Ensure Azure Virtual Machines are utilizing managed disks

Error: Azure Virtual Machines are not utilizing managed disks

Bridgecrew Policy ID: BC_AZR_GENERAL_75
Checkov Check ID: CKV2_AZURE_9
Severity: LOW

Migrate BLOB based VHD's to Managed Disks on Virtual Machines to exploit the default features of this configuration. The features include

  1. Default Disk Encryption
  2. Resilience as Microsoft will managed the disk storage and move around if
    underlying hardware goes faulty
  3. Reduction of costs over storage accounts

Managed disks are by default encrypted on the underlying hardware so no additional encryption is required for basic protection, it is available if additional encryption is required. Managed disks are by design more resilient that storage accounts.
For ARM deployed Virtual Machines, Azure Adviser will at some point recommend moving VHD's to managed disks both from a security and cost management perspective.

Fix - Buildtime


  • Resource: azurerm_virtual_machine
resource "azurerm_virtual_machine" "virtual_machine_good" {
  name                  = "my-vm"
  location              = "location"
  resource_group_name   = "group_name"
  network_interface_ids = ["1234567"]
  vm_size               = "Standard_DS1_v2"

  storage_image_reference {
    publisher = "Canonical"
    offer     = "UbuntuServer"
    sku       = "16.04-LTS"
    version   = "latest"
  storage_os_disk {
    name              = "myosdisk1"
    caching           = "ReadWrite"
    create_option     = "FromImage"
    managed_disk_type = "Standard_LRS"
  os_profile {
    computer_name  = "hostname"
    admin_username = "testadmin"
    admin_password = "Password1234!"
  os_profile_linux_config {
    disable_password_authentication = false
  tags = {
    environment = "staging"