question

HoangNguyen-8276 asked ·

Need help building an Azure Policy to audit/deny data disks that aren't encrypted in a virtual machine scale set (VMSS)

As far as I know, VMSS disks can be encrypted/decrypted as shown below:
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/disk-encryption-cli
I want to create a policy to audit/deny data disks that are not encrypted in a virtual machine scale set,
but I can't find any proper Azure Policy definition for this.
Below is the template I used to deploy the VMSS:

21001-vmss-arm.txt

After this deployment, I used the Azure CLI to verify and saw that my VMSS disks are NOT encrypted.
Azure CLI:
az vmss encryption show --resource-group myResourceGroup --name myScaleSet
az vmss encryption disable --resource-group myResourceGroup --name myScaleSet

I have tried 2 policies.
The first is my custom policy that tries to audit, as below:
{
  "if": {
    "not": {
      "field": "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/storageProfile.osDisk.encryptionSettings.enabled",
      "notEquals": "true"
    }
  },
  "then": {
    "effect": "audit"
  }
}
The second is the built-in policy named 'Unattached disks should be encrypted' with ID "/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fb2". I also copied its definition and attached it below:
20889-unattached-disks-should-be-encrypted.txt

However, both policies report all resources as Compliant.


Is there any good way to solve my problem?


Tags: azure-virtual-machines-scale-set, azure-policy
1 comment

@HoangNguyen-8276 Thanks for the comment. I am checking the issue and will provide an update soon.

1 Vote 1 · ·

1 Answer

SwathiDhanwada-MSFT answered ·

@HoangNguyen-8276 Azure Policy evaluates the ARM property of the resource. So if the RP (Resource Provider) doesn't properly provide the ARM property, Policy can't evaluate it. The alias "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/storageProfile.osDisk.encryptionSettings.enabled" which you are using only checks whether the OS disks are encrypted or not.

And to check data disk encryption settings, there is currently no available ARM property for it. For reference, check this ARM template document. To request an alias for data disk encryption settings, we need the ARM property for it to be enabled. I would recommend that you navigate here and share your feedback or suggestions directly with the responsible Azure feature team, and click the vote button on your suggestion to raise its visibility and priority.


2 comments Share

@HoangNguyen-8276 Just following up to check if you had a chance to view my previous comment.

0 Votes 0 · ·
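To make the answer's point concrete, here is a small added example (not code from the question, the answer, or the Azure Policy engine) that evaluates the "if" block posted in the question and a corrected variant against three constructed VMSS resource bodies. The alias-to-path mapping, the treatment of a property the resource provider does not expose as null, the case-insensitive string comparison and the sample resources are all assumptions of this toy model.

```python
"""Toy evaluation of an Azure Policy "if" rule against ARM resource documents.

Added illustration only: this is not the Azure Policy engine and not code from
the question or the answer. It implements a handful of policy condition
operators (not, allOf, anyOf, exists, equals, notEquals) with two simplifying
assumptions: an alias maps to a dotted path in the resource body, and a
property the resource provider does not expose resolves to None.
"""
from typing import Any, Dict, List

# Alias quoted in the question; the mapping to a JSON path is an assumption
# of this toy model, not an Azure-documented alias table.
OS_DISK_ENCRYPTION_ALIAS = (
    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/"
    "storageProfile.osDisk.encryptionSettings.enabled"
)
ALIAS_PATHS = {
    OS_DISK_ENCRYPTION_ALIAS:
        "properties.storageProfile.osDisk.encryptionSettings.enabled",
}


def resolve(resource: Dict[str, Any], alias: str) -> Any:
    """Return the property an alias points at, or None when the alias is
    unknown or the property is absent from the resource body."""
    path = ALIAS_PATHS.get(alias)
    if path is None:
        return None
    node: Any = resource
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def _norm(value: Any) -> Any:
    # Simplification: compare the lower-cased string form, so the boolean
    # true in a resource body matches the string "true" in a rule.
    return None if value is None else str(value).lower()


def evaluate(condition: Dict[str, Any], resource: Dict[str, Any]) -> bool:
    """True when the condition matches, i.e. the 'then' effect would apply."""
    if "not" in condition:
        return not evaluate(condition["not"], resource)
    if "allOf" in condition:
        return all(evaluate(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, resource) for c in condition["anyOf"])
    value = resolve(resource, condition["field"])
    if "exists" in condition:
        return (value is not None) == (_norm(condition["exists"]) == "true")
    if "equals" in condition:
        return _norm(value) == _norm(condition["equals"])
    if "notEquals" in condition:
        return _norm(value) != _norm(condition["notEquals"])
    raise ValueError(f"unsupported condition: {condition}")


def non_compliant(rule_if: Dict[str, Any],
                  resources: List[Dict[str, Any]]) -> List[str]:
    """Names of resources an 'audit' effect would flag (the 'if' matched)."""
    return [r["name"] for r in resources if evaluate(rule_if, r)]


# The 'if' block as posted in the question: 'not' wrapped around 'notEquals'.
POSTED_IF = {"not": {"field": OS_DISK_ENCRYPTION_ALIAS, "notEquals": "true"}}

# Same alias, stated positively, and also matching when the property is absent.
CORRECTED_IF = {"anyOf": [
    {"field": OS_DISK_ENCRYPTION_ALIAS, "exists": "false"},
    {"field": OS_DISK_ENCRYPTION_ALIAS, "notEquals": "true"},
]}


def _vmss(name: str, os_disk: Dict[str, Any]) -> Dict[str, Any]:
    return {"name": name, "type": "Microsoft.Compute/virtualMachineScaleSets",
            "properties": {"storageProfile": {"osDisk": os_disk}}}


# Constructed sample resources, not real deployments.
SAMPLES = [
    _vmss("vmss-encrypted", {"encryptionSettings": {"enabled": True}}),
    _vmss("vmss-unencrypted", {"encryptionSettings": {"enabled": False}}),
    _vmss("vmss-no-settings", {"createOption": "FromImage"}),
]

if __name__ == "__main__":
    print("posted rule flags:   ", non_compliant(POSTED_IF, SAMPLES))
    print("corrected rule flags:", non_compliant(CORRECTED_IF, SAMPLES))
```

Under this model the posted rule flags only the encrypted scale set, because the `not` around `notEquals` inverts the intent, while the `anyOf` variant with `exists: false` flags the unencrypted one and the one whose body carries no encryptionSettings at all. Neither variant can see data disks, which is the answer's point: a property the resource provider does not expose through an alias resolves to nothing for Policy to evaluate, so the check has to wait for the alias rather than be approximated with another field.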