From c2f51464c006b620de1699d9882aee2d7659ba27 Mon Sep 17 00:00:00 2001
From: AkhtarAmir
Date: Wed, 6 Nov 2024 15:25:22 +0500
Subject: [PATCH 1/6] Revised unAttachedDiskByokEncryptionEnabled
---
 exports.js | 1 +
 .../unAttachedDiskByokEncryptionEnabled.js | 53 +++++++++++
 ...nAttachedDiskByokEncryptionEnabled.spec.js | 88 +++++++++++++++++++
 3 files changed, 142 insertions(+)
 create mode 100644 plugins/azure/virtualmachines/unAttachedDiskByokEncryptionEnabled.js
 create mode 100644 plugins/azure/virtualmachines/unAttachedDiskByokEncryptionEnabled.spec.js
diff --git a/exports.js b/exports.js
index dcbf2a3dbb..a3f0ea0b64 100644
--- a/exports.js
+++ b/exports.js
@@ -792,6 +792,7 @@ module.exports = {
 'vmDiskHasTags' : require(__dirname + '/plugins/azure/virtualmachines/vmDiskHasTags.js'),
 'snapshotHasTags' : require(__dirname + '/plugins/azure/virtualmachines/snapshotHasTags.js'),
 'unattachedDiskWithDefaultEncryption': require(__dirname + '/plugins/azure/virtualmachines/unattachedDiskWithDefaultEncryption.js'),
+ 'unAttachedDiskByokEncryptionEnabled': require(__dirname + '/plugins/azure/virtualmachines/unAttachedDiskByokEncryptionEnabled.js'),
 'snapshotPublicAccessDisabled' : require(__dirname + '/plugins/azure/virtualmachines/snapshotPublicAccessDisabled.js'),
 'snapshotByokEncryptionEnabled' : require(__dirname + '/plugins/azure/virtualmachines/snapshotByokEncryptionEnabled.js'),
 'systemAssignedIdentityEnabled' : require(__dirname + '/plugins/azure/virtualmachines/systemAssignedIdentityEnabled.js'),
diff --git a/plugins/azure/virtualmachines/unAttachedDiskByokEncryptionEnabled.js b/plugins/azure/virtualmachines/unAttachedDiskByokEncryptionEnabled.js
new file mode 100644
index 0000000000..d1bb2a1c47
--- /dev/null
+++ b/plugins/azure/virtualmachines/unAttachedDiskByokEncryptionEnabled.js
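Review bot: The new key `'unAttachedDiskByokEncryptionEnabled'` and the file it requires capitalise `Attached`, while the neighbouring `'unattachedDiskWithDefaultEncryption'` entry and its file use `unattached`; one spelling for the two sibling disk checks would keep registry lookups and grep results consistent. If the file is renamed to match, the `require` path on this line and the spec's `require` have to follow. The `module.exports` object this hunk edits begins and ends outside the hunk.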
@@ -0,0 +1,53 @@
+var async = require('async');
+
+var helpers = require('../../../helpers/azure');
+
+module.exports = {
+ title: 'Unattached Disk Volumes with Default Encryption',
+ category: 'Virtual Machines',
+ domain: 'Compute',
+ severity: 'Medium',
+ description: 'Ensures that no default encrypted Azure virtual machine disks are in unattached state.',
+ more_info: 'Encrypting virtual machine disk volumes helps protect and safeguard your data to meet organizational security and compliance commitments. Having unattached disks with default encryption type can lead to data leakage.',
+ recommended_action: 'Delete remove unattached disks or enable BYOK encryption for them.',
+ link: 'https://learn.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-key-vault',
+ apis: ['disks:list'],
+ realtime_triggers: ['microsoftcompute:disks:write', 'microsoftcompute:disks:delete'],
+
+ run: function(cache, settings, callback) {
+ var results = [];
+ var source = {};
+ var locations = helpers.locations(settings.govcloud);
+
+ async.each(locations.disks, function(location, rcb) {
+
+ var disks = helpers.addSource(cache, source, ['disks', 'list', location]);
+
+ if (!disks) return rcb();
+
+ if (disks.err || !disks.data) {
+ helpers.addResult(results, 3, 'Unable to query for VM disk volumes: ' + helpers.addError(disks), location);
+ return rcb();
+ }
+ if (!disks.data.length) {
+ helpers.addResult(results, 0, 'No existing VM disk volumes found', location);
+ return rcb();
+ }
+
+ for (let disk of disks.data) {
+ if (!disk.id) continue;
+
+ if (disk.encryption && disk.encryption.type &&
+ disk.encryption.type === 'EncryptionAtRestWithPlatformKey' &&
+ disk.diskState && disk.diskState.toLowerCase() === 'unattached') {
+ helpers.addResult(results, 2, 'Disk volume is unattached and encrypted with default encryption key', location, disk.id);
+ } else {
+ helpers.addResult(results, 0, 'Disk volume is attached or encrypted with BYOK', location, disk.id);
+ }
+ }
+ rcb();
+ }, function() {
+ callback(null, results, source);
+ });
+ }
+};
\ No newline at end of file
diff --git a/plugins/azure/virtualmachines/unAttachedDiskByokEncryptionEnabled.spec.js b/plugins/azure/virtualmachines/unAttachedDiskByokEncryptionEnabled.spec.js
new file mode 100644
index 0000000000..c6a55fea04
--- /dev/null
+++ b/plugins/azure/virtualmachines/unAttachedDiskByokEncryptionEnabled.spec.js
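Review bot: Only the `disk.encryption.type === 'EncryptionAtRestWithPlatformKey'` comparison can produce the failing result, so an unattached disk whose response carries no `encryption` object or no `encryption.type` drops into the else branch and is reported as 'encrypted with BYOK' — the check fails open on missing data. The same shape survives the nested condition in the patch 3 hunk and the re-indented patch 6 hunk. Requiring a positive signal would be safer, e.g. `var hasByok = disk.encryption && disk.encryption.type && disk.encryption.type !== 'EncryptionAtRestWithPlatformKey';` and failing an unattached disk when `!hasByok`. Separately, `recommended_action` reads `'Delete remove unattached disks …'`; `'Delete unattached disks or enable BYOK encryption for them.'` looks like the intended text.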
@@ -0,0 +1,88 @@
+var expect = require('chai').expect;
+var diskUnattachedAndDefaultEncryption = require('./unattachedDiskWithDefaultEncryption');
+
+const disks = [
+ {
+ 'name': 'test',
+ 'id': '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Compute/disks/test',
+ 'type': 'Microsoft.Compute/disks',
+ 'location': 'eastus',
+ 'encryption': {
+ 'type': 'EncryptionAtRestWithCustomerKey'
+ },
+ 'diskState': 'Reserved'
+ },
+ {
+ 'name': 'test',
+ 'id': '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Compute/disks/test',
+ 'type': 'Microsoft.Compute/disks',
+ 'location': 'eastus',
+ 'encryption': {
+ 'type': 'EncryptionAtRestWithPlatformKey',
+ 'diskEncryptionSetId': '/subscriptions/123/resourceGroups/AQUA-RESOURCE-GROUP/providers/Microsoft.Compute/diskEncryptionSets/test-encrypt-set'
+ },
+ 'diskState': 'unattached'
+ }
+];
+
+const createCache = (disks) => {
+ const disk = {};
+ if (disks) {
+ disk['data'] = disks;
+ }
+ return {
+ disks: {
+ list: {
+ 'eastus': disk
+ }
+ }
+ };
+};
+
+describe('diskUnattachedAndDefaultEncryption', function() {
+ describe('run', function() {
+ it('should give passing result if no disk volumes found', function(done) {
+ const cache = createCache([]);
+ diskUnattachedAndDefaultEncryption.run(cache, {}, (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(0);
+ expect(results[0].message).to.include('No existing VM disk volumes found');
+ expect(results[0].region).to.equal('eastus');
+ done();
+ });
+ });
+
+ it('should give unknown result if unable to query for disk volumes', function(done) {
+ const cache = createCache();
+ diskUnattachedAndDefaultEncryption.run(cache, {}, (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(3);
+ expect(results[0].message).to.include('Unable to query for VM disk volumes');
+ expect(results[0].region).to.equal('eastus');
+ done();
+ });
+ });
+
+ it('should give failing result if Disk volume is unattached and encrypted with default encryption key', function(done) {
+ const cache = createCache([disks[1]]);
+ diskUnattachedAndDefaultEncryption.run(cache, {}, (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(2);
+ expect(results[0].message).to.include('Disk volume is unattached and encrypted with default encryption key');
+ expect(results[0].region).to.equal('eastus');
+ done();
+ });
+ });
+
+ it('should give passing result if Disk volume is attached or encrypted with BYO', function(done) {
+ const cache = createCache([disks[0]]);
+ diskUnattachedAndDefaultEncryption.run(cache, {}, (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(0);
+ expect(results[0].message).to.include('Disk volume is attached or encrypted with BYOK');
+ expect(results[0].region).to.equal('eastus');
+ done();
+ });
+ });
+ });
+});
\ No newline at end of file
From c1004a29d8fc4990e1c6e18887207d2fa3fe31f2 Mon Sep 17 00:00:00 2001
From: AkhtarAmir <31914988+AkhtarAmir@users.noreply.github.com>
Date: Thu, 7 Nov 2024 18:23:29 +0500
Subject: [PATCH 2/6] Apply suggestions from code review suggested changes
Co-authored-by: Fatima <66124862+fatima99s@users.noreply.github.com>
---
 .../unAttachedDiskByokEncryptionEnabled.js | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/plugins/azure/virtualmachines/unAttachedDiskByokEncryptionEnabled.js b/plugins/azure/virtualmachines/unAttachedDiskByokEncryptionEnabled.js
index d1bb2a1c47..83280be52f 100644
--- a/plugins/azure/virtualmachines/unAttachedDiskByokEncryptionEnabled.js
+++ b/plugins/azure/virtualmachines/unAttachedDiskByokEncryptionEnabled.js
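Review bot: The spec requires `./unattachedDiskWithDefaultEncryption` rather than the module this patch adds, so none of these cases exercise `unAttachedDiskByokEncryptionEnabled.js`; the import should be `var diskUnattachedAndDefaultEncryption = require('./unAttachedDiskByokEncryptionEnabled');`. Once it points at the new file the expectations need a second look: the later patches in this series rename the result messages to 'Unattached disk volume has BYOK encryption disabled' / 'enabled' and stop emitting a result for disks that are not unattached, so the `Reserved` fixture in `disks[0]` would yield no result and the last case's `results.length` assertion would fail. The `describe` label and the variable name also still carry the other plugin's name.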
@@ -3,11 +3,11 @@ var async = require('async');
 var helpers = require('../../../helpers/azure');
 module.exports = {
- title: 'Unattached Disk Volumes with Default Encryption',
+ title: 'Unattached Disk Volumes BYOK Encryption Enabled',
 category: 'Virtual Machines',
 domain: 'Compute',
 severity: 'Medium',
- description: 'Ensures that no default encrypted Azure virtual machine disks are in unattached state.',
+ description: 'Ensures that unattached Azure virtual machine disks have BYOK (Customer-Managed Key) encryption enabled.',
 more_info: 'Encrypting virtual machine disk volumes helps protect and safeguard your data to meet organizational security and compliance commitments. Having unattached disks with default encryption type can lead to data leakage.',
 recommended_action: 'Delete remove unattached disks or enable BYOK encryption for them.',
 link: 'https://learn.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-key-vault',
@@ -40,9 +40,9 @@ module.exports = {
 if (disk.encryption && disk.encryption.type &&
 disk.encryption.type === 'EncryptionAtRestWithPlatformKey' &&
 disk.diskState && disk.diskState.toLowerCase() === 'unattached') {
- helpers.addResult(results, 2, 'Disk volume is unattached and encrypted with default encryption key', location, disk.id);
+ helpers.addResult(results, 2, ' Unattached disk volume has BYOK encryption disabled', location, disk.id);
 } else {
- helpers.addResult(results, 0, 'Disk volume is attached or encrypted with BYOK', location, disk.id);
+ helpers.addResult(results, 0, 'Unattached disk volume has BYOK encryption enabled', location, disk.id);
 }
 }
 rcb();
From e22c5e17f8719cabfbab596ff76908d6975c0067 Mon Sep 17 00:00:00 2001
From: alphadev4 <113519745+alphadev4@users.noreply.github.com>
Date: Fri, 8 Nov 2024 22:22:00 +0500
Subject: [PATCH 3/6] Update unAttachedDiskByokEncryptionEnabled.js
---
 .../unAttachedDiskByokEncryptionEnabled.js | 17 ++++++++--------
 1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/plugins/azure/virtualmachines/unAttachedDiskByokEncryptionEnabled.js b/plugins/azure/virtualmachines/unAttachedDiskByokEncryptionEnabled.js
index 83280be52f..fc5ea47bf0 100644
--- a/plugins/azure/virtualmachines/unAttachedDiskByokEncryptionEnabled.js
+++ b/plugins/azure/virtualmachines/unAttachedDiskByokEncryptionEnabled.js
@@ -36,18 +36,17 @@ module.exports = {
 for (let disk of disks.data) {
 if (!disk.id) continue;
-
- if (disk.encryption && disk.encryption.type &&
- disk.encryption.type === 'EncryptionAtRestWithPlatformKey' &&
- disk.diskState && disk.diskState.toLowerCase() === 'unattached') {
- helpers.addResult(results, 2, ' Unattached disk volume has BYOK encryption disabled', location, disk.id);
- } else {
- helpers.addResult(results, 0, 'Unattached disk volume has BYOK encryption enabled', location, disk.id);
+ if (disk.diskState && disk.diskState.toLowerCase() === 'unattached') {
+ if (disk.encryption && disk.encryption.type &&
+ disk.encryption.type === 'EncryptionAtRestWithPlatformKey') {
+ helpers.addResult(results, 2, 'Unattached disk volume has BYOK encryption disabled', location, disk.id);
+ } else {
+ helpers.addResult(results, 0, 'Unattached disk volume has BYOK encryption enabled', location, disk.id);
+ }
 }
- }
 rcb();
 }, function() {
 callback(null, results, source);
 });
 }
-};
\ No newline at end of file
+};
From bafe1d4ad0b884135c11660b3729cb5e9587cf97 Mon Sep 17 00:00:00 2001
From: alphadev4 <113519745+alphadev4@users.noreply.github.com>
Date: Fri, 8 Nov 2024 22:26:07 +0500
Subject: [PATCH 4/6] Update unAttachedDiskByokEncryptionEnabled.js
---
 .../azure/virtualmachines/unAttachedDiskByokEncryptionEnabled.js | 1 +
 1 file changed, 1 insertion(+)
diff --git a/plugins/azure/virtualmachines/unAttachedDiskByokEncryptionEnabled.js b/plugins/azure/virtualmachines/unAttachedDiskByokEncryptionEnabled.js
index fc5ea47bf0..5ba05ad0d6 100644
--- a/plugins/azure/virtualmachines/unAttachedDiskByokEncryptionEnabled.js
+++ b/plugins/azure/virtualmachines/unAttachedDiskByokEncryptionEnabled.js
@@ -44,6 +44,7 @@ module.exports = {
 helpers.addResult(results, 0, 'Unattached disk volume has BYOK encryption enabled', location, disk.id);
 }
 }
+ },
 rcb();
 }, function() {
 callback(null, results, source);
From 9c3ee5679268238ed2afbda0e96e5360b1c5b469 Mon Sep 17 00:00:00 2001
From: alphadev4 <113519745+alphadev4@users.noreply.github.com>
Date: Fri, 8 Nov 2024 22:28:35 +0500
Subject: [PATCH 5/6] Update unAttachedDiskByokEncryptionEnabled.js
---
 .../virtualmachines/unAttachedDiskByokEncryptionEnabled.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/azure/virtualmachines/unAttachedDiskByokEncryptionEnabled.js b/plugins/azure/virtualmachines/unAttachedDiskByokEncryptionEnabled.js
index 5ba05ad0d6..56dd387336 100644
--- a/plugins/azure/virtualmachines/unAttachedDiskByokEncryptionEnabled.js
+++ b/plugins/azure/virtualmachines/unAttachedDiskByokEncryptionEnabled.js
@@ -44,7 +44,7 @@ module.exports = {
 helpers.addResult(results, 0, 'Unattached disk volume has BYOK encryption enabled', location, disk.id);
 }
 }
- },
+ }
 rcb();
 }, function() {
 callback(null, results, source);
From 42114e333616fde49491a41621e5f5d54faef015 Mon Sep 17 00:00:00 2001
From: alphadev4 <113519745+alphadev4@users.noreply.github.com>
Date: Fri, 8 Nov 2024 22:33:29 +0500
Subject: [PATCH 6/6] Apply suggestions from code review
---
 .../unAttachedDiskByokEncryptionEnabled.js | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/plugins/azure/virtualmachines/unAttachedDiskByokEncryptionEnabled.js b/plugins/azure/virtualmachines/unAttachedDiskByokEncryptionEnabled.js
index 56dd387336..ed2663b9fa 100644
--- a/plugins/azure/virtualmachines/unAttachedDiskByokEncryptionEnabled.js
+++ b/plugins/azure/virtualmachines/unAttachedDiskByokEncryptionEnabled.js
@@ -37,12 +37,12 @@ module.exports = {
 for (let disk of disks.data) {
 if (!disk.id) continue;
 if (disk.diskState && disk.diskState.toLowerCase() === 'unattached') {
- if (disk.encryption && disk.encryption.type &&
+ if (disk.encryption && disk.encryption.type &&
 disk.encryption.type === 'EncryptionAtRestWithPlatformKey') {
- helpers.addResult(results, 2, 'Unattached disk volume has BYOK encryption disabled', location, disk.id);
- } else {
- helpers.addResult(results, 0, 'Unattached disk volume has BYOK encryption enabled', location, disk.id);
- }
+ helpers.addResult(results, 2, 'Unattached disk volume has BYOK encryption disabled', location, disk.id);
+ } else {
+ helpers.addResult(results, 0, 'Unattached disk volume has BYOK encryption enabled', location, disk.id);
+ }
 }
 }
 rcb();