last sync: 2021-May-10 15:04:35 UTC

Azure Policy definition

Managed disks should be double encrypted with both platform-managed and customer-managed keys

Name Managed disks should be double encrypted with both platform-managed and customer-managed keys
Azure Portal
Id ca91455f-eace-4f96-be59-e6e2c35b4816
Version 1.0.0
details on versioning
Category Compute
Microsoft docs
Description High security sensitive customers who are concerned of the risk associated with any particular encryption algorithm, implementation, or key being compromised can opt for additional layer of encryption using a different encryption algorithm/mode at the infrastructure layer using platform managed encryption keys. The disk encryption sets are required to use double encryption. Learn more at https://aka.ms/disks-doubleEncryption.
Mode Indexed
Type BuiltIn
Preview FALSE
Deprecated FALSE
Effect Default: Audit
Allowed: (Audit, Deny, Disabled)
Used RBAC Role none
History
Date/Time (UTC ymd) (i) Change type Change detail
2021-03-02 15:11:40 add ca91455f-eace-4f96-be59-e6e2c35b4816
Used in Initiatives none
JSON
{
  "properties": {
    "displayName": "Managed disks should be double encrypted with both platform-managed and customer-managed keys",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "High security sensitive customers who are concerned of the risk associated with any particular encryption algorithm, implementation, or key being compromised can opt for additional layer of encryption using a different encryption algorithm/mode at the infrastructure layer using platform managed encryption keys. The disk encryption sets are required to use double encryption. Learn more at https://aka.ms/disks-doubleEncryption.",
    "metadata": {
      "category": "Compute",
      "version": "1.0.0"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/diskEncryptionSets"
          },
          {
            "field": "Microsoft.Compute/diskEncryptionSets/encryptionType",
            "notEquals": "EncryptionAtRestWithPlatformAndCustomerKeys"
          }
        ]
      },
      "then": {
      "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/ca91455f-eace-4f96-be59-e6e2c35b4816",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "ca91455f-eace-4f96-be59-e6e2c35b4816"
}