Using unencrypted cloud storage can lead to data exposure. If adversaries gain physical access to the storage medium, they can
read any unencrypted information on it.
Ask Yourself Whether
- The service contains sensitive information that could cause harm when leaked.
- There are compliance requirements for the service to store data encrypted.
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
It is recommended to encrypt cloud storage that contains sensitive information.
Sensitive Code Example
For Microsoft.AzureArcData/sqlServerInstances/databases:
Disabled encryption on SQL service instance database:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.AzureArcData/sqlServerInstances/databases",
"apiVersion": "2023-03-15-preview",
"properties": {
"databaseOptions": {
"isEncrypted": false
}
}
}
]
}
For Microsoft.Compute/snapshots:
Disabled disk encryption with settings collection:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Compute/snapshots",
"apiVersion": "2022-07-02",
"properties": {
"encryptionSettingsCollection": {
"enabled": false
}
}
}
]
}
For Microsoft.Compute/virtualMachines:
Disabled encryption at host level:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2022-11-01",
"properties": {
"securityProfile": {
"encryptionAtHost": false
}
}
}
]
}
Disabled encryption for managed disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2022-11-01",
"properties": {
"storageProfile": {
"dataDisks": [
{
"id": "myDiskId"
}
]
}
}
}
]
}
Disabled encryption for OS disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2022-11-01",
"properties": {
"storageProfile": {
"osDisk": {
"encryptionSettings": {
"enabled": false
}
}
}
}
}
]
}
Disabled encryption for OS managed disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2022-11-01",
"properties": {
"storageProfile": {
"osDisk": {
"managedDisk": {
"id": "myDiskId"
}
}
}
}
}
]
}
For Microsoft.Compute/virtualMachineScaleSets:
Disabled encryption at host level:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Compute/virtualMachineScaleSets",
"apiVersion": "2022-11-01",
"properties": {
"virtualMachineProfile": {
"securityProfile": {
"encryptionAtHost": false
}
}
}
}
]
}
Disabled encryption for data disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Compute/virtualMachineScaleSets",
"apiVersion": "2022-11-01",
"properties": {
"virtualMachineProfile": {
"storageProfile": {
"dataDisks": [
{
"name": "myDataDisk"
}
]
}
}
}
}
]
}
Disabled encryption for OS disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Compute/virtualMachineScaleSets",
"apiVersion": "2022-11-01",
"properties": {
"virtualMachineProfile": {
"storageProfile": {
"osDisk": {
"name": "myOsDisk"
}
}
}
}
}
]
}
For Microsoft.ContainerService/managedClusters:
Disabled encryption at host and set the disk encryption set ID:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.ContainerService/managedClusters",
"apiVersion": "2023-03-02-preview",
"properties": {
"agentPoolProfiles": [
{
"enableEncryptionAtHost": false
}
]
}
}
]
}
For Microsoft.DataLakeStore/accounts:
Disabled encryption for Data Lake Store:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.DataLakeStore/accounts",
"apiVersion": "2016-11-01",
"properties": {
"encryptionState": "Disabled"
}
}
]
}
For Microsoft.DBforMySQL/servers:
Disabled infrastructure double encryption for MySQL server:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.DBforMySQL/servers",
"apiVersion": "2017-12-01",
"properties": {
"infrastructureEncryption": "Disabled"
}
}
]
}
For Microsoft.DBforPostgreSQL/servers:
Disabled infrastructure double encryption for PostgreSQL server:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.DBforPostgreSQL/servers",
"apiVersion": "2017-12-01",
"properties": {
"infrastructureEncryption": "Disabled"
}
}
]
}
For Microsoft.DocumentDB/cassandraClusters/dataCenters:
Disabled encryption for a Cassandra Cluster datacenter’s managed disk and backup:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.DocumentDB/cassandraClusters/dataCenters",
"apiVersion": "2023-04-15",
"properties": {
"diskCapacity": 4
}
}
]
}
For Microsoft.HDInsight/clusters:
Disabled encryption for data disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.HDInsight/clusters",
"apiVersion": "2021-06-01",
"properties": {
"computeProfile": {
"roles": [
{
"encryptDataDisks": false
}
]
}
}
}
]
}
Disabled encryption for data disk at application level:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.HDInsight/clusters/applications",
"apiVersion": "2021-06-01",
"properties": {
"computeProfile": {
"roles": [
{
"encryptDataDisks": false
}
]
}
}
}
]
}
Disabled encryption for resource disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.HDInsight/clusters",
"apiVersion": "2021-06-01",
"properties": {
"diskEncryptionProperties": {
"encryptionAtHost": false
}
}
}
]
}
For Microsoft.Kusto/clusters:
Disabled encryption for disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Kusto/clusters",
"apiVersion": "2022-12-29",
"properties": {
"enableDiskEncryption": false
}
}
]
}
For Microsoft.RecoveryServices/vaults:
Disabled encryption for disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.RecoveryServices/vaults",
"apiVersion": "2023-01-01",
"properties": {
"encryption": {
"infrastructureEncryption": "Disabled"
}
}
}
]
}
Disabled encryption on infrastructure for backup:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.RecoveryServices/vaults/backupEncryptionConfigs",
"apiVersion": "2023-01-01",
"properties": {
"infrastructureEncryptionState": "Disabled"
}
}
]
}
For Microsoft.RedHatOpenShift/openShiftClusters:
Disabled disk encryption for master profile and worker profiles:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.RedHatOpenShift/openShiftClusters",
"apiVersion": "2022-09-04",
"properties": {
"masterProfile": {
"encryptionAtHost": "Disabled"
},
"workerProfiles": [
{
"encryptionAtHost": "Disabled"
}
]
}
}
]
}
For Microsoft.SqlVirtualMachine/sqlVirtualMachines:
Disabled encryption for SQL Virtual Machine:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.SqlVirtualMachine/sqlVirtualMachines",
"apiVersion": "2022-08-01-preview",
"properties": {
"autoBackupSettings": {
"enableEncryption": false
}
}
}
]
}
For Microsoft.Storage/storageAccounts:
Disabled enforcing of infrastructure encryption for double encryption of data:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2022-09-01",
"properties": {
"encryption": {
"requireInfrastructureEncryption": false
}
}
}
]
}
For Microsoft.Storage/storageAccounts/encryptionScopes:
Disabled enforcing of infrastructure encryption for double encryption of data at encryption scope level:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Storage/storageAccounts/encryptionScopes",
"apiVersion": "2022-09-01",
"properties": {
"requireInfrastructureEncryption": false
}
}
]
}
Compliant Solution
For Microsoft.AzureArcData/sqlServerInstances/databases:
Enabled encryption on SQL service instance database:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.AzureArcData/sqlServerInstances/databases",
"apiVersion": "2023-03-15-preview",
"properties": {
"databaseOptions": {
"isEncrypted": true
}
}
}
]
}
For Microsoft.Compute/disks:
Enabled encryption for managed disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Compute/disks",
"apiVersion": "2022-07-02",
"properties": {
"encryption": {
"diskEncryptionSetId": "string",
"type": "string"
}
}
}
]
}
Enabled encryption through setting encryptionSettingsCollection:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Compute/disks",
"apiVersion": "2022-07-02",
"properties": {
"encryptionSettingsCollection": {
"enabled": true,
"encryptionSettings": [
{
"diskEncryptionKey": {
"secretUrl": "string",
"sourceVault": {
"id": "string"
}
}
}
]
}
}
}
]
}
Enabled encryption through a security profile for an OS disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Compute/disks",
"apiVersion": "2022-07-02",
"properties": {
"securityProfile": {
"secureVMDiskEncryptionSetId": "string",
"securityType": "{'ConfidentialVM_DiskEncryptedWithCustomerKey' | 'ConfidentialVM_DiskEncryptedWithPlatformKey' | 'ConfidentialVM_VMGuestStateOnlyEncryptedWithPlatformKey' | 'TrustedLaunch'}"
}
}
}
]
}
For Microsoft.Compute/snapshots:
Enabled disk encryption for snapshot:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Compute/snapshots",
"apiVersion": "2022-07-02",
"properties": {
"encryption": {
"diskEncryptionSetId": "string",
"type": "{'EncryptionAtRestWithCustomerKey' | 'EncryptionAtRestWithPlatformAndCustomerKeys' | 'EncryptionAtRestWithPlatformKey'}"
}
}
}
]
}
Enabled disk encryption with settings collection:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Compute/snapshots",
"apiVersion": "2022-07-02",
"properties": {
"encryptionSettingsCollection": {
"enabled": true,
"encryptionSettings": [
{
"diskEncryptionKey": {
"secretUrl": "",
"sourceVault": {
"id": "string"
}
}
}
],
"encryptionSettingsVersion": "{'1.0' | '1.1'}"
}
}
}
]
}
Enabled disk encryption through security profile:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Compute/snapshots",
"apiVersion": "2022-07-02",
"properties": {
"securityProfile": {
"secureVMDiskEncryptionSetId": "string",
"securityType": "{'ConfidentialVM_DiskEncryptedWithCustomerKey' | 'ConfidentialVM_DiskEncryptedWithPlatformKey' | 'ConfidentialVM_VMGuestStateOnlyEncryptedWithPlatformKey' |'TrustedLaunch'}"
}
}
}
]
}
For Microsoft.Compute/virtualMachines:
Enabled encryption at host level:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2022-11-01",
"properties": {
"securityProfile": {
"encryptionAtHost": true
}
}
}
]
}
Enabled encryption for managed disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2022-11-01",
"properties": {
"storageProfile": {
"dataDisks": [
{
"id": "myDiskId",
"managedDisk": {
"diskEncryptionSet": {
"id": "string"
}
}
}
]
}
}
}
]
}
Enabled encryption for managed disk through security profile:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2022-11-01",
"properties": {
"storageProfile": {
"dataDisks": [
{
"id": "myDiskId",
"managedDisk": {
"securityProfile": {
"diskEncryptionSet": {
"id": "string"
}
}
}
}
]
}
}
}
]
}
Enabled encryption for OS disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2022-11-01",
"properties": {
"storageProfile": {
"osDisk": {
"encryptionSettings": {
"enabled": true,
"diskEncryptionKey": {
"secretUrl": "string",
"sourceVault": {
"id": "string"
}
}
}
}
}
}
}
]
}
Enabled encryption for OS managed disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2022-11-01",
"properties": {
"storageProfile": {
"osDisk": {
"managedDisk": {
"id": "myDiskId",
"diskEncryptionSet": {
"id": "string"
}
}
}
}
}
}
]
}
Enabled encryption for OS managed disk through security profile:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2022-11-01",
"properties": {
"storageProfile": {
"osDisk": {
"managedDisk": {
"securityProfile": {
"diskEncryptionSet": {
"id": "string"
}
}
}
}
}
}
}
]
}
For Microsoft.Compute/virtualMachineScaleSets:
Enabled encryption at host level:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Compute/virtualMachineScaleSets",
"apiVersion": "2022-11-01",
"properties": {
"virtualMachineProfile": {
"securityProfile": {
"encryptionAtHost": true
}
}
}
}
]
}
Enabled encryption for data disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Compute/virtualMachineScaleSets",
"apiVersion": "2022-11-01",
"properties": {
"virtualMachineProfile": {
"storageProfile": {
"dataDisks": [
{
"name": "myDataDisk",
"managedDisk": {
"diskEncryptionSet": {
"id": "string"
}
}
}
]
}
}
}
}
]
}
Enabled encryption for data disk through security profile:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Compute/virtualMachineScaleSets",
"apiVersion": "2022-11-01",
"properties": {
"virtualMachineProfile": {
"storageProfile": {
"dataDisks": [
{
"name": "myDataDisk",
"managedDisk": {
"securityProfile": {
"diskEncryptionSet": {
"id": "string"
}
}
}
}
]
}
}
}
}
]
}
Enabled encryption for OS disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Compute/virtualMachineScaleSets",
"apiVersion": "2022-11-01",
"properties": {
"virtualMachineProfile": {
"storageProfile": {
"osDisk": {
"name": "myOsDisk",
"managedDisk": {
"diskEncryptionSet": {
"id": "string"
}
}
}
}
}
}
}
]
}
Enabled encryption for OS disk through security profile:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Compute/virtualMachineScaleSets",
"apiVersion": "2022-11-01",
"properties": {
"virtualMachineProfile": {
"storageProfile": {
"osDisk": {
"name": "myOsDisk",
"managedDisk": {
"securityProfile": {
"diskEncryptionSet": {
"id": "string"
}
}
}
}
}
}
}
}
]
}
For Microsoft.ContainerService/managedClusters:
Enabled encryption at host and set the disk encryption set ID:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.ContainerService/managedClusters",
"apiVersion": "2023-03-02-preview",
"properties": {
"agentPoolProfiles": [
{
"enableEncryptionAtHost": true
}
],
"diskEncryptionSetID": "string"
}
}
]
}
For Microsoft.DataLakeStore/accounts:
Enabled encryption for Data Lake Store:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.DataLakeStore/accounts",
"apiVersion": "2016-11-01",
"properties": {
"encryptionState": "Enabled"
}
}
]
}
For Microsoft.DBforMySQL/servers:
Enabled infrastructure double encryption for MySQL server:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.DBforMySQL/servers",
"apiVersion": "2017-12-01",
"properties": {
"infrastructureEncryption": "Enabled"
}
}
]
}
For Microsoft.DBforPostgreSQL/servers:
Enabled infrastructure double encryption for PostgreSQL server:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.DBforPostgreSQL/servers",
"apiVersion": "2017-12-01",
"properties": {
"infrastructureEncryption": "Enabled"
}
}
]
}
For Microsoft.DocumentDB/cassandraClusters/dataCenters:
Enabled encryption for a Cassandra Cluster datacenter’s managed disk and backup:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.DocumentDB/cassandraClusters/dataCenters",
"apiVersion": "2023-04-15",
"properties": {
"diskCapacity": 4,
"backupStorageCustomerKeyUri": "string",
"managedDiskCustomerKeyUri": "string"
}
}
]
}
For Microsoft.HDInsight/clusters:
Enabled encryption for data disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.HDInsight/clusters",
"apiVersion": "2021-06-01",
"properties": {
"computeProfile": {
"roles": [
{
"encryptDataDisks": true
}
]
}
}
}
]
}
Enabled encryption for data disk at application level:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.HDInsight/clusters/applications",
"apiVersion": "2021-06-01",
"properties": {
"computeProfile": {
"roles": [
{
"encryptDataDisks": true
}
]
}
}
}
]
}
Enabled encryption for resource disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.HDInsight/clusters",
"apiVersion": "2021-06-01",
"properties": {
"diskEncryptionProperties": {
"encryptionAtHost": true
}
}
}
]
}
For Microsoft.Kusto/clusters:
Enabled encryption for disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Kusto/clusters",
"apiVersion": "2022-12-29",
"properties": {
"enableDiskEncryption": true
}
}
]
}
For Microsoft.RecoveryServices/vaults:
Enabled encryption on infrastructure:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.RecoveryServices/vaults",
"apiVersion": "2023-01-01",
"properties": {
"encryption": {
"infrastructureEncryption": "Enabled"
}
}
}
]
}
Enabled encryption on infrastructure for backup:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.RecoveryServices/vaults/backupEncryptionConfigs",
"apiVersion": "2023-01-01",
"properties": {
"encryptionAtRestType": "{'CustomerManaged' | 'MicrosoftManaged'}",
"infrastructureEncryptionState": "Enabled"
}
}
]
}
For Microsoft.RedHatOpenShift/openShiftClusters:
Enabled disk encryption for master profile and worker profiles:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.RedHatOpenShift/openShiftClusters",
"apiVersion": "2022-09-04",
"properties": {
"masterProfile": {
"diskEncryptionSetId": "string",
"encryptionAtHost": "Enabled"
},
"workerProfiles": [
{
"diskEncryptionSetId": "string",
"encryptionAtHost": "Enabled"
}
]
}
}
]
}
For Microsoft.SqlVirtualMachine/sqlVirtualMachines:
Enabled encryption for SQL Virtual Machine:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.SqlVirtualMachine/sqlVirtualMachines",
"apiVersion": "2022-08-01-preview",
"properties": {
"autoBackupSettings": {
"enableEncryption": true,
"password": "string"
}
}
}
]
}
For Microsoft.Storage/storageAccounts:
Enabled enforcing of infrastructure encryption for double encryption of data:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2022-09-01",
"properties": {
"encryption": {
"requireInfrastructureEncryption": true
}
}
}
]
}
For Microsoft.Storage/storageAccounts/encryptionScopes:
Enabled enforcing of infrastructure encryption for double encryption of data at encryption scope level:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Storage/storageAccounts/encryptionScopes",
"apiVersion": "2022-09-01",
"properties": {
"requireInfrastructureEncryption": true
}
}
]
}
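The sensitive and compliant templates above differ in two ways: an encryption flag that is explicitly switched off, or a disk entry with no encryption reference at all. The following check is an added example, not part of the original rule or of any analyzer's code; it covers a subset of the resource types listed on this page, and the names EXPLICIT_RULES, DISK_RULES and scan are hypothetical.

```python
import json

# Insecure explicit settings from the page's sensitive examples:
# (resource type, path below "properties", insecure value); "*" = each list item.
EXPLICIT_RULES = [
    ("Microsoft.Compute/virtualMachines", "securityProfile.encryptionAtHost", False),
    ("Microsoft.ContainerService/managedClusters", "agentPoolProfiles.*.enableEncryptionAtHost", False),
    ("Microsoft.DataLakeStore/accounts", "encryptionState", "Disabled"),
    ("Microsoft.Kusto/clusters", "enableDiskEncryption", False),
    ("Microsoft.Storage/storageAccounts", "encryption.requireInfrastructureEncryption", False),
]
# Disk objects the page treats as unencrypted when they carry no encryption reference.
DISK_RULES = [
    ("Microsoft.Compute/virtualMachines", "storageProfile.dataDisks.*"),
    ("Microsoft.Compute/virtualMachines", "storageProfile.osDisk"),
    ("Microsoft.Compute/virtualMachineScaleSets", "virtualMachineProfile.storageProfile.dataDisks.*"),
    ("Microsoft.Compute/virtualMachineScaleSets", "virtualMachineProfile.storageProfile.osDisk"),
]

def walk(node, parts):
    """Yield every value reached by following the path parts from node."""
    if not parts:
        yield node
    elif parts[0] == "*":
        for item in node if isinstance(node, list) else []:
            yield from walk(item, parts[1:])
    elif isinstance(node, dict) and parts[0] in node:
        yield from walk(node[parts[0]], parts[1:])

def same(value, bad):
    """Type-strict match so 0 is not mistaken for false; strings ignore case."""
    if isinstance(bad, str):
        return isinstance(value, str) and value.lower() == bad.lower()
    return value is bad

def disk_is_encrypted(disk):
    managed = disk.get("managedDisk", {})
    sets = (managed.get("diskEncryptionSet", {}),
            managed.get("securityProfile", {}).get("diskEncryptionSet", {}))
    return any(s.get("id") for s in sets) or disk.get("encryptionSettings", {}).get("enabled") is True

def scan(template):
    """Return (resource type, property path, reason) for each top-level finding."""
    findings = []
    for res in template.get("resources", []):
        rtype, props = res.get("type", ""), res.get("properties", {})
        for rule_type, path, bad in EXPLICIT_RULES:
            if rtype.lower() == rule_type.lower():
                hits = [v for v in walk(props, path.split(".")) if same(v, bad)]
                findings += [(rtype, path, "encryption disabled")] * len(hits)
        for rule_type, path in DISK_RULES:
            if rtype.lower() == rule_type.lower():
                disks = [d for d in walk(props, path.split(".")) if isinstance(d, dict)]
                findings += [(rtype, path, "no disk encryption set")
                             for d in disks if not disk_is_encrypted(d)]
    return findings

# Constructed sample template (not from the page).
SAMPLE = json.loads("""
{"resources": [
  {"type": "Microsoft.Compute/virtualMachines", "properties": {
     "securityProfile": {"encryptionAtHost": false},
     "storageProfile": {
       "osDisk": {"managedDisk": {"diskEncryptionSet": {"id": "string"}}},
       "dataDisks": [{"managedDisk": {"id": "myDiskId"}}]}}},
  {"type": "Microsoft.Storage/storageAccounts", "properties": {
     "encryption": {"requireInfrastructureEncryption": true}}},
  {"type": "microsoft.kusto/clusters", "properties": {"enableDiskEncryption": false}}
]}
""")
```

Calling scan(SAMPLE) reports the virtual machine twice (host encryption disabled, data disk without a disk encryption set) and the Kusto cluster once. Values written as template expressions such as parameters are not resolved and are therefore not flagged.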
See