diff --git a/plugins/azure/virtualmachines/diskByokEncryptionEnabled.js b/plugins/azure/virtualmachines/diskByokEncryptionEnabled.js
index 8aba4aa1c5..cf1dbc60d9 100644
--- a/plugins/azure/virtualmachines/diskByokEncryptionEnabled.js
+++ b/plugins/azure/virtualmachines/diskByokEncryptionEnabled.js
@@ -1,13 +1,13 @@
 var async = require('async');
-var helpers = require('../../../helpers/azure/');
+var helpers = require('../../../helpers/azure');
 module.exports = {
- title: 'Disk Volumes BYOK Encryption Enabled',
+ title: 'Attached Disk Volumes BYOK Encryption Enabled',
 category: 'Virtual Machines',
 domain: 'Compute',
 severity: 'High',
- description: 'Ensures that Azure virtual machine disks have BYOK (Customer-Managed Key) encryption enabled.',
+ description: 'Ensures that attached Azure virtual machine disks have BYOK (Customer-Managed Key) encryption enabled.',
 more_info: 'Encrypting virtual machine disk volumes helps protect and safeguard your data to meet organizational security and compliance commitments.',
 recommended_action: 'Ensure that virtual machine disks are created using BYOK encryption',
 link: 'https://learn.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-key-vault',
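Review bot: The narrowed scope introduced in `title` and `description` is not carried into the rest of the metadata: `recommended_action` still reads `Ensure that virtual machine disks are created using BYOK encryption` and `more_info` still speaks of disk volumes in general, so a reader of the plugin catalogue has no hint that disks not attached to a VM are no longer evaluated. Since the gap matters for anyone relying on this plugin for data-at-rest coverage, state it explicitly, e.g. `description: 'Ensures that attached Azure virtual machine disks have BYOK (Customer-Managed Key) encryption enabled. Disks not attached to a virtual machine are not evaluated.'`, and align `recommended_action` to the same wording. The `module.exports` object continues past the end of the hunk.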
@@ -35,13 +35,15 @@ module.exports = {
 }
 async.each(disks.data, function(disk, scb) {
- if (disk.encryption && disk.encryption.type &&
- (disk.encryption.type === 'EncryptionAtRestWithCustomerKey' ||
- disk.encryption.type === 'EncryptionAtRestWithPlatformAndCustomerKeys')) {
- helpers.addResult(results, 0, 'Disk volume has BYOK encryption enabled', location, disk.id);
- } else {
- helpers.addResult(results, 2, 'Disk volume has BYOK encryption disabled', location, disk.id);
- }
+ if (disk.diskState && disk.diskState.toLowerCase() === 'attached') {
+ if (disk.encryption && disk.encryption.type &&
+ (disk.encryption.type === 'EncryptionAtRestWithCustomerKey' ||
+ disk.encryption.type === 'EncryptionAtRestWithPlatformAndCustomerKeys')) {
+ helpers.addResult(results, 0, 'Disk volume has BYOK encryption enabled', location, disk.id);
+ } else {
+ helpers.addResult(results, 2, 'Disk volume has BYOK encryption disabled', location, disk.id);
+ }
+ }
 scb();
 }, function() {
 rcb();
diff --git a/plugins/azure/virtualmachines/diskByokEncryptionEnabled.spec.js b/plugins/azure/virtualmachines/diskByokEncryptionEnabled.spec.js
index 6361478c08..ed4ed449c0 100644
--- a/plugins/azure/virtualmachines/diskByokEncryptionEnabled.spec.js
+++ b/plugins/azure/virtualmachines/diskByokEncryptionEnabled.spec.js
@@ -7,6 +7,7 @@ const disks = [
 'id': '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Compute/disks/test',
 'type': 'Microsoft.Compute/disks',
 'location': 'eastus',
+ 'diskState': 'Attached',
 'encryption': {
 'type': 'EncryptionAtRestWithPlatformKey'
 }
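Review bot: A disk whose `diskState` is anything other than `attached` (or is missing altogether, since the outer `if` requires it to be truthy) now falls through the new guard with no `helpers.addResult` call at all, so an unencrypted Unattached disk vanishes from the report instead of being flagged or even listed, even though its data is still at rest and still readable by whoever can attach it. If limiting the pass/fail verdict to attached disks is the intent, record the skip rather than dropping it, e.g. an `else` branch on the outer `if` with `helpers.addResult(results, 0, 'Disk volume is not attached to a virtual machine', location, disk.id);`, so the scan output shows coverage and a location whose disks are all unattached does not come back with zero results; the `}` at the top of the hunk presumably closes an empty-data check that would otherwise be the only signal. Whether an unattached disk without a customer-managed key should stay a status-2 finding is a policy question worth settling explicitly in the plugin metadata. The callback and the enclosing run function both start and end outside the hunk.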
@@ -14,8 +15,9 @@ const disks = [
 {
 'name': 'test',
 'id': '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Compute/disks/test',
- 'type': 'Microsoft.Compute/disks',
+ 'type': 'Microsoft.Compute/daisks',
 'location': 'eastus',
+ 'diskState': 'Attached',
 'encryption': {
 'type': 'EncryptionAtRestWithCustomerKey',
 'diskEncryptionSetId': '/subscriptions/123/resourceGroups/AQUA-RESOURCE-GROUP/providers/Microsoft.Compute/diskEncryptionSets/test-encrypt-set'
@@ -26,10 +28,21 @@ const disks = [
 'id': '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Compute/disks/test',
 'type': 'Microsoft.Compute/disks',
 'location': 'eastus',
+ 'diskState': 'Attached',
 'encryption': {
 'type': 'EncryptionAtRestWithPlatformAndCustomerKeys',
 'diskEncryptionSetId': '/subscriptions/123/resourceGroups/AQUA-RESOURCE-GROUP/providers/Microsoft.Compute/diskEncryptionSets/test-encrypt-set'
 }
+ },
+ {
+ 'name': 'test',
+ 'id': '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Compute/disks/test',
+ 'type': 'Microsoft.Compute/disks',
+ 'location': 'eastus',
+ 'diskState': 'Unattached',
+ 'encryption': {
+ 'type': 'EncryptionAtRestWithPlatformKey'
+ }
 }
 ];
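Review bot: The changed line `'type': 'Microsoft.Compute/daisks'` in the second fixture replaces a valid resource type with a misspelled one that looks like a stray keystroke rather than a deliberate negative case; the plugin code in this commit never reads `type`, so the spec still passes, but the fixture now documents a resource type that does not exist and will mislead the next person who adds a type check. Revert it to `'type': 'Microsoft.Compute/disks',` as in the other three fixtures. If a malformed-type case is actually wanted, give it its own fixture with a comment saying so.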