Need help building an Azure Policy to audit/deny a virtual machine scale set (VMSS) whose data disks aren't encrypted

Hoang Nguyen 1 Reputation point
2020-08-27T17:44:15.987+00:00

As far as I know, VMSS disks can be encrypted/decrypted as shown below:
https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/disk-encryption-cli
I want to create a policy to audit/deny any virtual machine scale set whose data disks are not encrypted.
But I can't find any proper Azure Policy definition for this.
Below is the template I used to deploy the VMSS:

21001-vmss-arm.txt

After this deployment, I used the Azure CLI to verify and saw that my VMSS disks are NOT encrypted:
Azure CLI:
az vmss encryption show --resource-group myResourceGroup --name myScaleSet
az vmss encryption disable --resource-group myResourceGroup --name myScaleSet

I have tried 2 policies:
_ The first is my custom policy that tries to audit as below:
"if": {
  "not": {
    "field": "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/storageProfile.osDisk.encryptionSettings.enabled",
    "notEquals": "true"
  }
},
"then": {
  "effect": "audit"
}
_ The second is the built-in policy named 'Unattached disks should be encrypted' with ID "/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fb2"; I also copied and attached its definition below:
20889-unattached-disks-should-be-encrypted.txt

However, both policies return the result that all resources are Compliant.

Is there any good way to solve my problem?

Azure Policy
Azure Virtual Machine Scale Sets

1 answer

  1. SwathiDhanwada-MSFT 17,726 Reputation points
    2020-09-04T15:21:07.97+00:00

    @Hoang Nguyen Azure Policy evaluates the ARM property of the resource. So if the RP (Resource Provider) doesn't properly provide the ARM property, Policy can't evaluate it. The alias "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/storageProfile.osDisk.encryptionSettings.enabled" which you are using only checks whether the OS disks are encrypted or not.

    And to check Data Disk encryption settings, there is currently no ARM property available for it. For reference, check this ARM template document. To request an alias for Data Disk encryption settings, we need the ARM property to be enabled for it. I would recommend you navigate here and share your feedback or suggestions directly with the responsible Azure feature team, and click the vote button on your suggestion to raise its visibility and priority.

    1 person found this answer helpful.
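A corrected version of the custom policy from the question, added here as an example; it is not taken from the question, the answer, or any Microsoft sample. It uses the OS-disk alias the answer names, so, exactly as the answer states, it covers only OS disks: there is no alias for VMSS data disk encryption settings, and this definition does not pretend otherwise. Two things differ from the policy in the question. First, the original wraps `notEquals: "true"` in a `not`, which is a double negation: it flags instances whose OS disk *is* encrypted and reports unencrypted ones as compliant, the opposite of the intent, so the condition is inverted here. Second, an instance whose storage profile carries no `encryptionSettings` block at all is caught with an explicit `exists: false` check instead of relying on the comparison alone. The resource-type filter on `Microsoft.Compute/virtualMachineScaleSets/virtualMachines`, the `effect` parameter, the display name and the description text are assumptions of this example.

```json
{
  "properties": {
    "displayName": "Audit or deny scale set VM instances whose OS disk is not encrypted",
    "policyType": "Custom",
    "mode": "All",
    "description": "Example policy. Covers OS disks only: there is no Azure Policy alias for VMSS data disk encryption settings.",
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Audit flags non-compliant instances; Deny blocks the request; Disabled turns the policy off."
        },
        "allowedValues": ["Audit", "Deny", "Disabled"],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachineScaleSets/virtualMachines"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/storageProfile.osDisk.encryptionSettings.enabled",
                "exists": "false"
              },
              {
                "field": "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/storageProfile.osDisk.encryptionSettings.enabled",
                "notEquals": "true"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

To register it with the Azure CLI, pass the `policyRule` object to `az policy definition create --rules` and the `parameters` object to `--params` (each as its own file), then assign the definition with `az policy assignment create`. Compliance results appear after the next evaluation cycle, so verify against a scale set you know to be unencrypted (the `az vmss encryption show` output in the question) rather than trusting an immediate "Compliant" state; a policy that reports every resource compliant straight after assignment has usually simply not evaluated yet, or, as with the original double negation, is testing the wrong condition.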