AzPolicyAdvertizer

Azure Stack Edge

Azure Stack Edge devices should use double-encryption

To secure the data at rest on the device, ensure it's double-encrypted, the access to data is controlled, and once the device is deactivated, the data is securely erased off the data disks. Double encryption is the use of two layers of encryption: BitLocker XTS-AES 256-bit encryption on the data volumes and built-in encryption of the hard drives. Learn more in the security overview documentation for the specific Stack Edge device.

BuiltIn

False

2022-04-01

1.1.0

AzureCloud:true
AzureChinaCloud:unknown
AzureUSGovernment:true

1.1.0
parity:true

Indexed

allowed: 'audit', 'Audit', 'deny', 'Deny', 'disabled', 'Disabled'
default: 'Audit'

Used in 8 Policy Set(s):
• CMMC 2.0 Level 2 (4e50fd13-098b-3206-61d6-d1d78205cb45) [Regulatory Compliance] BuiltIn
• EU General Data Protection Regulation (GDPR) 2016/679 (7326812a-86a4-40c8-af7c-8945de9c4913) [Regulatory Compliance] BuiltIn
• FedRAMP High (d5264498-16f4-418a-b659-fa7ef418175f) [Regulatory Compliance] BuiltIn
• FedRAMP Moderate (e95f5a9f-57ad-4d03-bb0b-b1d16db93693) [Regulatory Compliance] BuiltIn
• K ISMS P 2023 (e0782c37-30da-4a78-9f92-50bfe7aa2553) [Regulatory Compliance] BuiltIn
• NIST SP 800-171 Rev. 2 (03055927-78bd-4236-86c0-f36125a10dc9) [Regulatory Compliance] BuiltIn
• NIST SP 800-53 Rev. 4 (cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f) [Regulatory Compliance] BuiltIn
• NIST SP 800-53 Rev. 5 (179d1daa-458f-4e47-8086-2a68d0d6c38f) [Regulatory Compliance] BuiltIn

Uses 1 Fx/Operator(s):
• parameters()

if (1)
• 'Microsoft.DataboxEdge/DataBoxEdgeDevices/sku.name' (ref)

if (1)
• 'microsoft.databoxedge/databoxedgedevices'

Used 8x as a control:
• hipaa-0113.04a1Organizational.123-04.a (ref)
• NZISM_v3.7_14.1.14.C.01. (ref)
• CIS_Azure_1.3.0_4.2.2 (ref)
• PCI_DSS_v4.0.1_1.3.1 (ref)
• FedRAMP_High_R4_SC-18 (ref)
• CIS_Azure_1.1.0_1.9 (ref)
• SOC_2_P6.7 (ref)
• NIST_SP_800-53_R5.1.1_RA.5.8 (ref)

only applicable for Policy defintions of type: Static

JSON deep dive

{
    "displayName": "Azure Stack Edge devices should use double-encryption",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "To secure the data at rest on the device, ensure it's double-encrypted, the access to data is controlled, and once the device is deactivated, the data is securely erased off the data disks. Double encryption is the use of two layers of encryption: BitLocker XTS-AES 256-bit encryption on the data volumes and built-in encryption of the hard drives. Learn more in the security overview documentation for the specific Stack Edge device.",
    "metadata": {
        "version": "1.1.0",
        "category": "Azure Stack Edge"
    },
    "parameters": {
        "effect": {
            "type": "String",
            "metadata": {
                "displayName": "Effect",
                "description": "The desired effect of the policy."
            },
            "allowedValues": [
                "audit",
                "Audit",
                "deny",
                "Deny",
                "disabled",
                "Disabled"
            ],
            "defaultValue": "Audit"
        }
    },
    "policyRule": {
        "if": {
            "allOf": [
                {
                    "field": "type",
                    "equals": "Microsoft.DataBoxEdge/DataBoxEdgeDevices"
                },
                {
                    "field": "Microsoft.DataboxEdge/DataBoxEdgeDevices/sku.name",
                    "notIn": [
                        "TEA_1Node",
                        "TEA_1Node_UPS",
                        "TEA_1Node_Heater",
                        "TEA_1Node_UPS_Heater",
                        "TEA_4Node_Heater",
                        "TEA_4Node_UPS_Heater",
                        "TMA",
                        "EdgePR_Base",
                        "EdgePR_Base_UPS",
                        "EdgeMR_Mini"
                    ]
                }
            ]
        },
        "then": {
            "effect": "[parameters('effect')]"
        }
    }
}

{"displayName":"Azure Stack Edge devices should use double-encryption","policyType":"BuiltIn","mode":"Indexed","description":"To secure the data at rest on the device,ensure it's double-encrypted,the access to data is controlled,and once the device is deactivated,the data is securely erased off the data disks. Double encryption is the use of two layers of encryption: BitLocker XTS-AES 256-bit encryption on the data volumes and built-in encryption of the hard drives. Learn more in the security overview documentation for the specific Stack Edge device.","metadata":{"version":"1.1.0","category":"Azure Stack Edge"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"The desired effect of the policy."},"allowedValues":["audit","Audit","deny","Deny","disabled","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DataBoxEdge/DataBoxEdgeDevices"},{"field":"Microsoft.DataboxEdge/DataBoxEdgeDevices/sku.name","notIn":["TEA_1Node","TEA_1Node_UPS","TEA_1Node_Heater","TEA_1Node_UPS_Heater","TEA_4Node_Heater","TEA_4Node_UPS_Heater","TMA","EdgePR_Base","EdgePR_Base_UPS","EdgeMR_Mini"]}]},"then":{"effect":"[parameters('effect')]"}}}