Revised diskByokEncryptionEnabled

aquasecurity · Nov 6, 2024 · 1f88dda · 1f88dda
1 parent 3d86c5d
commit 1f88dda
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 11 deletions.
diff --git a/plugins/azure/virtualmachines/diskByokEncryptionEnabled.js b/plugins/azure/virtualmachines/diskByokEncryptionEnabled.js
@@ -1,13 +1,13 @@
 var async = require('async');
 
-var helpers = require('../../../helpers/azure/');
+var helpers = require('../../../helpers/azure');
 
 module.exports = {
-    title: 'Disk Volumes BYOK Encryption Enabled',
+    title: 'Attached Disk Volumes BYOK Encryption Enabled',
     category: 'Virtual Machines',
     domain: 'Compute',
     severity: 'High',
-    description: 'Ensures that Azure virtual machine disks have BYOK (Customer-Managed Key) encryption enabled.',
+    description: 'Ensures that attached Azure virtual machine disks have BYOK (Customer-Managed Key) encryption enabled.',
     more_info: 'Encrypting virtual machine disk volumes helps protect and safeguard your data to meet organizational security and compliance commitments.',
     recommended_action: 'Ensure that virtual machine disks are created using BYOK encryption',
     link: 'https://learn.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-key-vault',
@@ -35,13 +35,15 @@ module.exports = {
             }
 
             async.each(disks.data, function(disk, scb) {
-                if (disk.encryption && disk.encryption.type &&
-                    (disk.encryption.type === 'EncryptionAtRestWithCustomerKey' ||
-                    disk.encryption.type === 'EncryptionAtRestWithPlatformAndCustomerKeys')) {
-                    helpers.addResult(results, 0, 'Disk volume has BYOK encryption enabled', location, disk.id);
-                } else {
-                    helpers.addResult(results, 2, 'Disk volume has BYOK encryption disabled', location, disk.id);
-                }
+                if (disk.diskState && disk.diskState.toLowerCase() === 'attached') {
+                    if (disk.encryption && disk.encryption.type &&
+                        (disk.encryption.type === 'EncryptionAtRestWithCustomerKey' ||
+                        disk.encryption.type === 'EncryptionAtRestWithPlatformAndCustomerKeys')) {
+                        helpers.addResult(results, 0, 'Disk volume has BYOK encryption enabled', location, disk.id);
+                    } else {
+                        helpers.addResult(results, 2, 'Disk volume has BYOK encryption disabled', location, disk.id);
+                    }
+                }        
                 scb();
             }, function() {
                 rcb();

diff --git a/plugins/azure/virtualmachines/diskByokEncryptionEnabled.spec.js b/plugins/azure/virtualmachines/diskByokEncryptionEnabled.spec.js
@@ -7,15 +7,17 @@ const disks = [
         'id': '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Compute/disks/test',
         'type': 'Microsoft.Compute/disks',
         'location': 'eastus',
+        'diskState': 'Attached',
         'encryption': {
             'type': 'EncryptionAtRestWithPlatformKey'
         }
     },
     {
         'name': 'test',
         'id': '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Compute/disks/test',
-        'type': 'Microsoft.Compute/disks',
+        'type': 'Microsoft.Compute/daisks',
         'location': 'eastus',
+        'diskState': 'Attached',
         'encryption': {
             'type': 'EncryptionAtRestWithCustomerKey',
             'diskEncryptionSetId': '/subscriptions/123/resourceGroups/AQUA-RESOURCE-GROUP/providers/Microsoft.Compute/diskEncryptionSets/test-encrypt-set'
@@ -26,10 +28,21 @@ const disks = [
         'id': '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Compute/disks/test',
         'type': 'Microsoft.Compute/disks',
         'location': 'eastus',
+        'diskState': 'Attached',
         'encryption': {
             'type': 'EncryptionAtRestWithPlatformAndCustomerKeys',
             'diskEncryptionSetId': '/subscriptions/123/resourceGroups/AQUA-RESOURCE-GROUP/providers/Microsoft.Compute/diskEncryptionSets/test-encrypt-set'
         }
+    },
+    {
+        'name': 'test',
+        'id': '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Compute/disks/test',
+        'type': 'Microsoft.Compute/disks',
+        'location': 'eastus',
+        'diskState': 'Unattached',
+        'encryption': {
+            'type': 'EncryptionAtRestWithPlatformKey'
+        }
     }
 ];