AzPolicyAdvertizer

last sync: 2025-Apr-29 17:16:02 UTC

[Preview]: Azure Stack HCI systems should have encrypted volumes

Azure BuiltIn Policy definition

Source Azure Portal
Display name [Preview]: Azure Stack HCI systems should have encrypted volumes
Id ee8ca833-1583-4d24-837e-96c2af9488a4
Version 1.0.0-preview
Details on versioning
Versioning Versions supported for Versioning: 1
1.0.0-preview
Built-in Versioning [Preview]
Category Stack HCI
Microsoft Learn
Description Use BitLocker to encrypt the OS and data volumes on Azure Stack HCI systems.
Cloud environments AzureCloud = true
AzureUSGovernment = unknown
AzureChinaCloud = unknown
Available in AzUSGov Unknown, no evidence if Policy definition is/not available in AzureUSGovernment
Assessment(s) Assessments count: 1
Assessment Id: 3ae946fb-cc91-4074-aa0d-09f0a09751fe
DisplayName: Azure Local instances should have encrypted volumes
Description: Use BitLocker to encrypt the OS and data volumes on Azure Local instances.
Remediation description: To enable Bitlocker encryption on cluster volumes:
1. From the Azure Local instance page, go to Windows Admin Center and select Connect.
2. To encrypt OS boot volumes, go to the Security extension and select Azure Local system security.
3. Select Bitlocker for OS boot nodes and click Enable.
4. For cluster data volumes, go to the Volumes tool and select the Inventory tab.
5. Select an individual volume and click Settings.
6. Check the Use encryption checkbox in the Encryption section and click Save.
Categories: Data
Severity: High
User impact: High
Threats: DataExfiltration
preview: True
Mode Indexed
Type BuiltIn
Preview True
Deprecated False
Effect Default
AuditIfNotExists
Allowed
Audit, Disabled, AuditIfNotExists
RBAC role(s) none
Rule aliases IF (1)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.AzureStackHCI/clusters/reportedProperties.clusterVersion Microsoft.AzureStackHCI clusters properties.reportedProperties.clusterVersion True False
THEN-ExistenceCondition (1)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.AzureStackHCI/clusters/securitySettings/securityComplianceStatus.dataAtRestEncrypted Microsoft.AzureStackHCI clusters/securitySettings properties.securityComplianceStatus.dataAtRestEncrypted True False
Rule resource types IF (1)
Compliance
The following 2 compliance controls are associated with this Policy definition '[Preview]: Azure Stack HCI systems should have encrypted volumes' (ee8ca833-1583-4d24-837e-96c2af9488a4)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
Azure_Security_Benchmark_v3.0 DP-5 Azure_Security_Benchmark_v3.0_DP-5 Microsoft cloud security benchmark DP-5 Data Protection Use customer-managed key option in data at rest encryption when required Shared **Security Principle:** If required for regulatory compliance, define the use case and service scope where customer-managed key option is needed. Enable and implement data at rest encryption using customer-managed key in services. **Azure Guidance:** Azure also provides encryption option using keys managed by yourself (customer-managed keys) for certain services. However, using customer-managed key option requires additional operational efforts to manage the key lifecycle. This may include encryption key generation, rotation, revoke and access control, etc. **Implementation and additional context:** Encryption model and key management table: https://docs.microsoft.com/azure/security/fundamentals/encryption-models Services that support encryption using customer-managed key: https://docs.microsoft.com/azure/security/fundamentals/encryption-models#supporting-services How to configure customer managed encryption keys in Azure Storage: https://docs.microsoft.com/azure/storage/common/storage-encryption-keys-portal n/a link 10
U.05.2 - Cryptographic measures U.05.2 - Cryptographic measures 404 not found n/a n/a 53
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type polSet in AzUSGov
Microsoft cloud security benchmark 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 Security Center GA BuiltIn true
NL BIO Cloud Theme V2 d8b2ffbe-c6a8-4622-965d-4ade11d1d2ee Regulatory Compliance GA BuiltIn unknown
History
Date/Time (UTC ymd) (i) Change type Change detail
2024-03-01 17:50:27 add ee8ca833-1583-4d24-837e-96c2af9488a4
JSON compare n/a
JSON
api-version=2021-06-01
EPAC