Using unencrypted cloud storage can lead to data exposure. If adversaries gain physical access to the storage medium, they are able to read the unencrypted information.
Ask Yourself Whether
- The service contains sensitive information that could cause harm when leaked.
- There are compliance requirements for the service to store data encrypted.
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
It is recommended to encrypt cloud storage that contains sensitive information.
Sensitive Code Example
For Microsoft.AzureArcData/sqlServerInstances/databases:
Disabled encryption on a SQL Server instance database:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "databases/example",
"type": "Microsoft.AzureArcData/sqlServerInstances/databases",
"apiVersion": "2023-03-15-preview",
"properties": {
"databaseOptions": {
"isEncrypted": false
}
}
}
]
}
// Sensitive: isEncrypted is false, so the SQL Server instance database is declared unencrypted.
// Only the encryption-relevant properties are shown; name and other required properties are omitted.
resource symbolicname 'Microsoft.AzureArcData/sqlServerInstances/databases@2023-03-15-preview' = {
  properties: {
    databaseOptions: {
      isEncrypted: false // the compliant solution sets this to true
    }
  }
}
For Microsoft.Compute/disks, encryption is disabled by default, so a disk declared without any of the encryption settings shown in the compliant solution is sensitive.
For Microsoft.Compute/snapshots:
Disabled disk encryption with settings collection:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/snapshots",
"apiVersion": "2022-07-02",
"properties": {
"encryptionSettingsCollection": {
"enabled": false
}
}
}
]
}
// Sensitive: the snapshot's encryption settings collection is explicitly disabled.
// Only the encryption-relevant properties are shown; name and other required properties are omitted.
resource symbolicname 'Microsoft.Compute/snapshots@2022-07-02' = {
  properties: {
    encryptionSettingsCollection: {
      enabled: false // the compliant solution enables it and supplies encryptionSettings
    }
  }
}
For Microsoft.Compute/virtualMachines:
Disabled encryption at host level:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2022-11-01",
"properties": {
"securityProfile": {
"encryptionAtHost": false
}
}
}
]
}
// Sensitive: encryption at host is switched off for the virtual machine.
// Only the encryption-relevant properties are shown; name and other required properties are omitted.
resource myName 'Microsoft.Compute/virtualMachines@2022-11-01' = {
  properties: {
    securityProfile: {
      encryptionAtHost: false // the compliant solution sets this to true
    }
  }
}
Disabled encryption for managed disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2022-11-01",
"properties": {
"storageProfile": {
"dataDisks": [
{
"id": "myDiskId"
}
]
}
}
}
]
}
// Sensitive: the data disk is declared with a name only; no encryption settings
// (for example a managedDisk.diskEncryptionSet, as in the compliant solution) are given.
// Only the relevant properties are shown; name and other required properties are omitted.
resource myName 'Microsoft.Compute/virtualMachines@2022-11-01' = {
  properties: {
    storageProfile: {
      dataDisks: [
        {
          name: 'myDisk' // placeholder disk name; nothing here configures encryption
        }
      ]
    }
  }
}
Disabled encryption for OS disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2022-11-01",
"properties": {
"storageProfile": {
"osDisk": {
"encryptionSettings": {
"enabled": false
}
}
}
}
}
]
}
// Sensitive: the OS disk's encryptionSettings block is present but disabled.
// Only the relevant properties are shown; name and other required properties are omitted.
resource myName 'Microsoft.Compute/virtualMachines@2022-11-01' = {
  properties: {
    storageProfile: {
      osDisk: {
        name: 'myDisk' // placeholder disk name
        encryptionSettings: {
          enabled: false // the compliant solution enables it and supplies a diskEncryptionKey
        }
      }
    }
  }
}
Disabled encryption for OS managed disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2022-11-01",
"properties": {
"storageProfile": {
"osDisk": {
"managedDisk": {
"id": "myDiskId"
}
}
}
}
}
]
}
// Sensitive: the OS managed disk only references a disk ID; no diskEncryptionSet
// (see the compliant solution) is attached to it.
// Only the relevant properties are shown; name and other required properties are omitted.
resource myName 'Microsoft.Compute/virtualMachines@2022-11-01' = {
  properties: {
    storageProfile: {
      osDisk: {
        name: 'myDisk' // placeholder disk name
        managedDisk: {
          id: 'myDiskId' // placeholder managed disk resource ID
        }
      }
    }
  }
}
For Microsoft.Compute/virtualMachineScaleSets:
Disabled encryption at host level:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/virtualMachineScaleSets",
"apiVersion": "2022-11-01",
"properties": {
"virtualMachineProfile": {
"securityProfile": {
"encryptionAtHost": false
}
}
}
}
]
}
// Sensitive: encryption at host is switched off in the scale set's VM profile.
// Only the encryption-relevant properties are shown; name and other required properties are omitted.
resource symbolicname 'Microsoft.Compute/virtualMachineScaleSets@2022-11-01' = {
  properties: {
    virtualMachineProfile: {
      securityProfile: {
        encryptionAtHost: false // the compliant solution sets this to true
      }
    }
  }
}
Disabled encryption for data disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/virtualMachineScaleSets",
"apiVersion": "2022-11-01",
"properties": {
"virtualMachineProfile": {
"storageProfile": {
"dataDisks": [
{
"name": "myDataDisk"
}
]
}
}
}
}
]
}
// Sensitive: the scale set data disk carries a name only; no managedDisk.diskEncryptionSet
// (see the compliant solution) is configured for it.
// Only the relevant properties are shown; name and other required properties are omitted.
resource symbolicname 'Microsoft.Compute/virtualMachineScaleSets@2022-11-01' = {
  properties: {
    virtualMachineProfile: {
      storageProfile: {
        dataDisks: [
          {
            name: 'myDataDisk' // placeholder disk name; nothing here configures encryption
          }
        ]
      }
    }
  }
}
Disabled encryption for OS disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/virtualMachineScaleSets",
"apiVersion": "2022-11-01",
"properties": {
"virtualMachineProfile": {
"storageProfile": {
"osDisk": {
"name": "myOsDisk"
}
}
}
}
}
]
}
// Sensitive: the scale set OS disk carries a name only; no managedDisk.diskEncryptionSet
// (see the compliant solution) is configured for it.
// Only the relevant properties are shown; name and other required properties are omitted.
resource symbolicname 'Microsoft.Compute/virtualMachineScaleSets@2022-11-01' = {
  properties: {
    virtualMachineProfile: {
      storageProfile: {
        osDisk: {
          name: 'myOsDisk' // placeholder disk name; nothing here configures encryption
        }
      }
    }
  }
}
For Microsoft.ContainerService/managedClusters:
Disabled encryption at host, with no disk encryption set ID configured:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.ContainerService/managedClusters",
"apiVersion": "2023-03-02-preview",
"properties": {
"agentPoolProfiles": [
{
"enableEncryptionAtHost": false
}
]
}
}
]
}
// Sensitive: encryption at host is disabled for the agent pool and no diskEncryptionSetID
// (see the compliant solution) is set on the cluster.
// Only the encryption-relevant properties are shown; name and other required properties are omitted.
resource symbolicname 'Microsoft.ContainerService/managedClusters@2023-03-02-preview' = {
  properties: {
    agentPoolProfiles: [
      {
        enableEncryptionAtHost: false // the compliant solution sets this to true
      }
    ]
  }
}
For Microsoft.DataLakeStore/accounts:
Disabled encryption for Data Lake Store:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.DataLakeStore/accounts",
"apiVersion": "2016-11-01",
"properties": {
"encryptionState": "Disabled"
}
}
]
}
// Sensitive: encryption for the Data Lake Store account is explicitly disabled.
// Only the encryption-relevant properties are shown; name and other required properties are omitted.
resource symbolicname 'Microsoft.DataLakeStore/accounts@2016-11-01' = {
  properties: {
    encryptionState: 'Disabled' // the compliant solution uses 'Enabled'
  }
}
For Microsoft.DBforMySQL/servers:
Disabled infrastructure double encryption for MySQL server:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.DBforMySQL/servers",
"apiVersion": "2017-12-01",
"properties": {
"infrastructureEncryption": "Disabled"
}
}
]
}
// Sensitive: infrastructure (double) encryption is disabled for the MySQL server.
// Only the encryption-relevant properties are shown; name and other required properties are omitted.
resource symbolicname 'Microsoft.DBforMySQL/servers@2017-12-01' = {
  properties: {
    infrastructureEncryption: 'Disabled' // the compliant solution uses 'Enabled'
  }
}
For Microsoft.DBforPostgreSQL/servers:
Disabled infrastructure double encryption for PostgreSQL server:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.DBforPostgreSQL/servers",
"apiVersion": "2017-12-01",
"properties": {
"infrastructureEncryption": "Disabled"
}
}
]
}
// Sensitive: infrastructure (double) encryption is disabled for the PostgreSQL server.
// Only the encryption-relevant properties are shown; name and other required properties are omitted.
resource symbolicname 'Microsoft.DBforPostgreSQL/servers@2017-12-01' = {
  properties: {
    infrastructureEncryption: 'Disabled' // the compliant solution uses 'Enabled'
  }
}
For Microsoft.DocumentDB/cassandraClusters/dataCenters:
Disabled encryption for a Cassandra Cluster datacenter’s managed disk and backup:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "cassandraClusters/example",
"type": "Microsoft.DocumentDB/cassandraClusters/dataCenters",
"apiVersion": "2023-04-15",
"properties": {
"diskCapacity": 4
}
}
]
}
// Sensitive: the datacenter sets only diskCapacity; neither backupStorageCustomerKeyUri nor
// managedDiskCustomerKeyUri (see the compliant solution) is provided.
resource symbolicname 'Microsoft.DocumentDB/cassandraClusters/dataCenters@2023-04-15' = {
  name: 'string' // placeholder datacenter name
  parent: parent // placeholder reference to the parent cassandraClusters resource
  properties: {
    diskCapacity: 4
  }
}
For Microsoft.HDInsight/clusters:
Disabled encryption for data disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.HDInsight/clusters",
"apiVersion": "2021-06-01",
"properties": {
"computeProfile": {
"roles": [
{
"encryptDataDisks": false
}
]
}
}
}
]
}
// Sensitive: data disk encryption is switched off for the cluster role.
// Only the encryption-relevant properties are shown; name and other required properties are omitted.
resource symbolicname 'Microsoft.HDInsight/clusters@2021-06-01' = {
  properties: {
    computeProfile: {
      roles: [
        {
          encryptDataDisks: false // the compliant solution sets this to true
        }
      ]
    }
  }
}
Disabled encryption for data disk at application level:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "clusters/example",
"type": "Microsoft.HDInsight/clusters/applications",
"apiVersion": "2021-06-01",
"properties": {
"computeProfile": {
"roles": [
{
"encryptDataDisks": false
}
]
}
}
}
]
}
// Sensitive: data disk encryption is switched off for the application's cluster role.
// Only the encryption-relevant properties are shown; name and other required properties are omitted.
resource symbolicname 'Microsoft.HDInsight/clusters/applications@2021-06-01' = {
  properties: {
    computeProfile: {
      roles: [
        {
          encryptDataDisks: false // the compliant solution sets this to true
        }
      ]
    }
  }
}
Disabled encryption for resource disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.HDInsight/clusters",
"apiVersion": "2021-06-01",
"properties": {
"diskEncryptionProperties": {
"encryptionAtHost": false
}
}
}
]
}
// Sensitive: encryption at host is disabled in the cluster's disk encryption properties.
// Only the encryption-relevant properties are shown; name and other required properties are omitted.
resource symbolicname 'Microsoft.HDInsight/clusters@2021-06-01' = {
  properties: {
    diskEncryptionProperties: {
      encryptionAtHost: false // the compliant solution sets this to true
    }
  }
}
For Microsoft.Kusto/clusters:
Disabled encryption for disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Kusto/clusters",
"apiVersion": "2022-12-29",
"properties": {
"enableDiskEncryption": false
}
}
]
}
// Sensitive: disk encryption is switched off for the Kusto cluster.
// Only the encryption-relevant properties are shown; name and other required properties are omitted.
resource symbolicname 'Microsoft.Kusto/clusters@2022-12-29' = {
  properties: {
    enableDiskEncryption: false // the compliant solution sets this to true
  }
}
For Microsoft.RecoveryServices/vaults:
Disabled encryption for disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.RecoveryServices/vaults",
"apiVersion": "2023-01-01",
"properties": {
"encryption": {
"infrastructureEncryption": "Disabled"
}
}
}
]
}
// Sensitive: infrastructure encryption is disabled for the Recovery Services vault.
// Only the encryption-relevant properties are shown; name and other required properties are omitted.
resource symbolicname 'Microsoft.RecoveryServices/vaults@2023-01-01' = {
  properties: {
    encryption: {
      infrastructureEncryption: 'Disabled' // the compliant solution uses 'Enabled'
    }
  }
}
Disabled infrastructure encryption for backup:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "vaults/example",
"type": "Microsoft.RecoveryServices/vaults/backupEncryptionConfigs",
"apiVersion": "2023-01-01",
"properties": {
"infrastructureEncryptionState": "Disabled"
}
}
]
}
// Sensitive: infrastructure encryption is disabled in the vault's backup encryption config.
// Only the encryption-relevant properties are shown; name and other required properties are omitted.
resource symbolicname 'Microsoft.RecoveryServices/vaults/backupEncryptionConfigs@2023-01-01' = {
  properties: {
    encryptionAtRestType: '{CustomerManaged | MicrosoftManaged}' // placeholder: pick one of the listed values
    infrastructureEncryptionState: 'Disabled' // the compliant solution uses 'Enabled'
  }
}
For Microsoft.RedHatOpenShift/openShiftClusters:
Disabled disk encryption for master profile and worker profiles:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.RedHatOpenShift/openShiftClusters",
"apiVersion": "2022-09-04",
"properties": {
"masterProfile": {
"encryptionAtHost": "Disabled"
},
"workerProfiles": [
{
"encryptionAtHost": "Disabled"
}
]
}
}
]
}
// Sensitive: encryption at host is disabled for both the master profile and the worker profiles,
// and no diskEncryptionSetId (see the compliant solution) is provided.
// Only the encryption-relevant properties are shown; name and other required properties are omitted.
resource symbolicname 'Microsoft.RedHatOpenShift/openShiftClusters@2022-09-04' = {
  properties: {
    masterProfile: {
      encryptionAtHost: 'Disabled' // the compliant solution uses 'Enabled'
    }
    workerProfiles: [
      {
        encryptionAtHost: 'Disabled' // the compliant solution uses 'Enabled'
      }
    ]
  }
}
For Microsoft.SqlVirtualMachine/sqlVirtualMachines:
Disabled encryption for SQL Virtual Machine:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.SqlVirtualMachine/sqlVirtualMachines",
"apiVersion": "2022-08-01-preview",
"properties": {
"autoBackupSettings": {
"enableEncryption": false
}
}
}
]
}
// Sensitive: automatic backups of the SQL virtual machine are configured without encryption.
// Only the encryption-relevant properties are shown; name and other required properties are omitted.
resource symbolicname 'Microsoft.SqlVirtualMachine/sqlVirtualMachines@2022-08-01-preview' = {
  properties: {
    autoBackupSettings: {
      enableEncryption: false // the compliant solution sets this to true
    }
  }
}
For Microsoft.Storage/storageAccounts:
Disabled enforcement of infrastructure encryption (double encryption of data):
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2022-09-01",
"properties": {
"encryption": {
"requireInfrastructureEncryption": false
}
}
}
]
}
// Sensitive: the storage account does not require infrastructure (double) encryption.
// Only the encryption-relevant properties are shown; name and other required properties are omitted.
resource symbolicname 'Microsoft.Storage/storageAccounts@2022-09-01' = {
  properties: {
    encryption: {
      requireInfrastructureEncryption: false // the compliant solution sets this to true
    }
  }
}
For Microsoft.Storage/storageAccounts/encryptionScopes:
Disabled enforcement of infrastructure encryption (double encryption of data) at encryption scope level:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "storageAccounts/example",
"type": "Microsoft.Storage/storageAccounts/encryptionScopes",
"apiVersion": "2022-09-01",
"properties": {
"requireInfrastructureEncryption": false
}
}
]
}
// Sensitive: the encryption scope does not require infrastructure (double) encryption.
// Only the encryption-relevant properties are shown; name and other required properties are omitted.
resource symbolicname 'Microsoft.Storage/storageAccounts/encryptionScopes@2022-09-01' = {
  properties: {
    requireInfrastructureEncryption: false // the compliant solution sets this to true
  }
}
Compliant Solution
For Microsoft.AzureArcData/sqlServerInstances/databases:
Enabled encryption on a SQL Server instance database:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "databases/example",
"type": "Microsoft.AzureArcData/sqlServerInstances/databases",
"apiVersion": "2023-03-15-preview",
"properties": {
"databaseOptions": {
"isEncrypted": true
}
}
}
]
}
// Compliant: isEncrypted is true for the SQL Server instance database.
// Only the encryption-relevant properties are shown; name and other required properties are omitted.
resource symbolicname 'Microsoft.AzureArcData/sqlServerInstances/databases@2023-03-15-preview' = {
  properties: {
    databaseOptions: {
      isEncrypted: true
    }
  }
}
For Microsoft.Compute/disks:
Enabled encryption for managed disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/disks",
"apiVersion": "2022-07-02",
"properties": {
"encryption": {
"diskEncryptionSetId": "string",
"type": "string"
}
}
}
]
}
// Compliant: the managed disk declares an encryption block referencing a disk encryption set.
// 'string' values are placeholders for the disk encryption set resource ID and the encryption type.
// Only the encryption-relevant properties are shown; name and other required properties are omitted.
resource symbolicname 'Microsoft.Compute/disks@2022-07-02' = {
  properties: {
    encryption: {
      diskEncryptionSetId: 'string'
      type: 'string'
    }
  }
}
Enabled encryption through setting encryptionSettingsCollection:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Compute/disks",
"apiVersion": "2022-07-02",
"properties": {
"encryptionSettingsCollection": {
"enabled": true,
"encryptionSettings": [
{
"diskEncryptionKey": {
"secretUrl": "string",
"sourceVault": {
"id": "string"
}
}
}
]
}
}
}
]
}
// Compliant: the disk's encryption settings collection is enabled and supplies a disk encryption key
// (secret URL plus source vault). 'string' values are placeholders.
// Only the encryption-relevant properties are shown; name and other required properties are omitted.
resource symbolicname 'Microsoft.Compute/disks@2022-07-02' = {
  properties: {
    encryptionSettingsCollection: {
      enabled: true
      encryptionSettings: [
        {
          diskEncryptionKey: {
            secretUrl: 'string' // placeholder for the secret URL of the key
            sourceVault: {
              id: 'string' // placeholder for the vault resource ID
            }
          }
        }
      ]
    }
  }
}
Enabled encryption through a security profile for an OS disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Compute/disks",
"apiVersion": "2022-07-02",
"properties": {
"securityProfile": {
"secureVMDiskEncryptionSetId": "string",
"securityType": "{'ConfidentialVM_DiskEncryptedWithCustomerKey' | 'ConfidentialVM_DiskEncryptedWithPlatformKey' | 'ConfidentialVM_VMGuestStateOnlyEncryptedWithPlatformKey' | 'TrustedLaunch'}"
}
}
}
]
}
// Compliant: the disk is encrypted through its security profile.
// The braces in securityType list the accepted values; use exactly one of them.
// Only the encryption-relevant properties are shown; name and other required properties are omitted.
resource symbolicname 'Microsoft.Compute/disks@2022-07-02' = {
  properties: {
    securityProfile: {
      secureVMDiskEncryptionSetId: 'string' // placeholder for the disk encryption set resource ID
      securityType: '{ConfidentialVM_DiskEncryptedWithCustomerKey | ConfidentialVM_DiskEncryptedWithPlatformKey | ConfidentialVM_VMGuestStateOnlyEncryptedWithPlatformKey | TrustedLaunch}'
    }
  }
}
For Microsoft.Compute/snapshots:
Enabled disk encryption for snapshot:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/snapshots",
"apiVersion": "2022-07-02",
"properties": {
"encryption": {
"diskEncryptionSetId": "string",
"type": "{'EncryptionAtRestWithCustomerKey' | 'EncryptionAtRestWithPlatformAndCustomerKeys' | 'EncryptionAtRestWithPlatformKey'}"
}
}
}
]
}
// Compliant: the snapshot declares an encryption block referencing a disk encryption set.
// The braces in type list the accepted values; use exactly one of them.
// Only the encryption-relevant properties are shown; name and other required properties are omitted.
resource symbolicname 'Microsoft.Compute/snapshots@2022-07-02' = {
  properties: {
    encryption: {
      diskEncryptionSetId: 'string' // placeholder for the disk encryption set resource ID
      type: '{EncryptionAtRestWithCustomerKey | EncryptionAtRestWithPlatformAndCustomerKeys | EncryptionAtRestWithPlatformKey}'
    }
  }
}
Enabled disk encryption with settings collection:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/snapshots",
"apiVersion": "2022-07-02",
"properties": {
"encryptionSettingsCollection": {
"enabled": true,
"encryptionSettings": [
{
"diskEncryptionKey": {
"secretUrl": "",
"sourceVault": {
"id": "string"
}
}
}
],
"encryptionSettingsVersion": "{'1.0' | '1.1'}"
}
}
}
]
}
// Compliant: the snapshot's encryption settings collection is enabled and supplies a disk encryption key.
// The braces in encryptionSettingsVersion list the accepted values; use exactly one of them.
// Only the encryption-relevant properties are shown; name and other required properties are omitted.
resource symbolicname 'Microsoft.Compute/snapshots@2022-07-02' = {
  properties: {
    encryptionSettingsCollection: {
      enabled: true
      encryptionSettings: [
        {
          diskEncryptionKey: {
            secretUrl: '' // placeholder (left empty in this example): the secret URL of the key
            sourceVault: {
              id: 'string' // placeholder for the vault resource ID
            }
          }
        }
      ]
      encryptionSettingsVersion: '{1.0 | 1.1}'
    }
  }
}
Enabled disk encryption through security profile:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/snapshots",
"apiVersion": "2022-07-02",
"properties": {
"securityProfile": {
"secureVMDiskEncryptionSetId": "string",
"securityType": "{'ConfidentialVM_DiskEncryptedWithCustomerKey' | 'ConfidentialVM_DiskEncryptedWithPlatformKey' | 'ConfidentialVM_VMGuestStateOnlyEncryptedWithPlatformKey' |'TrustedLaunch'}"
}
}
}
]
}
// Compliant: the snapshot is encrypted through its security profile.
// The braces in securityType list the accepted values; use exactly one of them.
// Only the encryption-relevant properties are shown; name and other required properties are omitted.
resource symbolicname 'Microsoft.Compute/snapshots@2022-07-02' = {
  properties: {
    securityProfile: {
      secureVMDiskEncryptionSetId: 'string' // placeholder for the disk encryption set resource ID
      securityType: '{ConfidentialVM_DiskEncryptedWithCustomerKey | ConfidentialVM_DiskEncryptedWithPlatformKey | ConfidentialVM_VMGuestStateOnlyEncryptedWithPlatformKey | TrustedLaunch}'
    }
  }
}
For Microsoft.Compute/virtualMachines:
Enabled encryption at host level:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2022-11-01",
"properties": {
"securityProfile": {
"encryptionAtHost": true
}
}
}
]
}
// Compliant: encryption at host is enabled for the virtual machine.
// Only the encryption-relevant properties are shown; name and other required properties are omitted.
resource myName 'Microsoft.Compute/virtualMachines@2022-11-01' = {
  properties: {
    securityProfile: {
      encryptionAtHost: true
    }
  }
}
Enabled encryption for managed disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2022-11-01",
"properties": {
"storageProfile": {
"dataDisks": [
{
"id": "myDiskId",
"managedDisk": {
"diskEncryptionSet": {
"id": "string"
}
}
}
]
}
}
}
]
}
// Compliant: the data disk's managed disk references a disk encryption set.
// Only the encryption-relevant properties are shown; name and other required properties are omitted.
resource myName 'Microsoft.Compute/virtualMachines@2022-11-01' = {
  properties: {
    storageProfile: {
      dataDisks: [
        {
          name: 'myDisk' // placeholder disk name
          managedDisk: {
            diskEncryptionSet: {
              id: 'string' // placeholder for the disk encryption set resource ID
            }
          }
        }
      ]
    }
  }
}
Enabled encryption for managed disk through security profile:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2022-11-01",
"properties": {
"storageProfile": {
"dataDisks": [
{
"id": "myDiskId",
"managedDisk": {
"securityProfile": {
"diskEncryptionSet": {
"id": "string"
}
}
}
}
]
}
}
}
]
}
// Compliant: the data disk's managed disk references a disk encryption set through its security profile.
// Only the encryption-relevant properties are shown; name and other required properties are omitted.
resource myName 'Microsoft.Compute/virtualMachines@2022-11-01' = {
  properties: {
    storageProfile: {
      dataDisks: [
        {
          name: 'myDisk' // placeholder disk name
          managedDisk: {
            securityProfile: {
              diskEncryptionSet: {
                id: 'string' // placeholder for the disk encryption set resource ID
              }
            }
          }
        }
      ]
    }
  }
}
Enabled encryption for OS disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2022-11-01",
"properties": {
"storageProfile": {
"osDisk": {
"encryptionSettings": {
"enabled": true,
"diskEncryptionKey": {
"secretUrl": "string",
"sourceVault": {
"id": "string"
}
}
}
}
}
}
}
]
}
// Compliant: the OS disk's encryptionSettings block is enabled and supplies a disk encryption key.
// Only the encryption-relevant properties are shown; name and other required properties are omitted.
resource myName 'Microsoft.Compute/virtualMachines@2022-11-01' = {
  properties: {
    storageProfile: {
      osDisk: {
        name: 'myDisk' // placeholder disk name
        encryptionSettings: {
          enabled: true
          diskEncryptionKey: {
            secretUrl: 'string' // placeholder for the secret URL of the key
            sourceVault: {
              id: 'string' // placeholder for the vault resource ID
            }
          }
        }
      }
    }
  }
}
Enabled encryption for OS managed disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2022-11-01",
"properties": {
"storageProfile": {
"osDisk": {
"managedDisk": {
"id": "myDiskId",
"diskEncryptionSet": {
"id": "string"
}
}
}
}
}
}
]
}
// Compliant: the OS managed disk references a disk encryption set in addition to its disk ID.
// Only the encryption-relevant properties are shown; name and other required properties are omitted.
resource myName 'Microsoft.Compute/virtualMachines@2022-11-01' = {
  properties: {
    storageProfile: {
      osDisk: {
        name: 'myDisk' // placeholder disk name
        managedDisk: {
          id: 'myDiskId' // placeholder managed disk resource ID
          diskEncryptionSet: {
            id: 'string' // placeholder for the disk encryption set resource ID
          }
        }
      }
    }
  }
}
Enabled encryption for OS managed disk through security profile:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2022-11-01",
"properties": {
"storageProfile": {
"osDisk": {
"managedDisk": {
"securityProfile": {
"diskEncryptionSet": {
"id": "string"
}
}
}
}
}
}
}
]
}
// Compliant: the OS managed disk references a disk encryption set through its security profile.
// Only the encryption-relevant properties are shown; name and other required properties are omitted.
resource myName 'Microsoft.Compute/virtualMachines@2022-11-01' = {
  properties: {
    storageProfile: {
      osDisk: {
        name: 'myDisk' // placeholder disk name
        managedDisk: {
          id: 'myDiskId' // placeholder managed disk resource ID
          securityProfile: {
            diskEncryptionSet: {
              id: 'string' // placeholder for the disk encryption set resource ID
            }
          }
        }
      }
    }
  }
}
For Microsoft.Compute/virtualMachineScaleSets:
Enabled encryption at host level:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/virtualMachineScaleSets",
"apiVersion": "2022-11-01",
"properties": {
"virtualMachineProfile": {
"securityProfile": {
"encryptionAtHost": true
}
}
}
}
]
}
// Compliant: encryption at host is enabled in the scale set's VM profile.
// Only the encryption-relevant properties are shown; name and other required properties are omitted.
resource symbolicname 'Microsoft.Compute/virtualMachineScaleSets@2022-11-01' = {
  properties: {
    virtualMachineProfile: {
      securityProfile: {
        encryptionAtHost: true
      }
    }
  }
}
Enabled encryption for data disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/virtualMachineScaleSets",
"apiVersion": "2022-11-01",
"properties": {
"virtualMachineProfile": {
"storageProfile": {
"dataDisks": [
{
"name": "myDataDisk",
"managedDisk": {
"diskEncryptionSet": {
"id": "string"
}
}
}
]
}
}
}
}
]
}
// Compliant: the scale set data disk's managed disk references a disk encryption set.
// Only the encryption-relevant properties are shown; name and other required properties are omitted.
resource symbolicname 'Microsoft.Compute/virtualMachineScaleSets@2022-11-01' = {
  properties: {
    virtualMachineProfile: {
      storageProfile: {
        dataDisks: [
          {
            name: 'myDataDisk' // placeholder disk name
            managedDisk: {
              diskEncryptionSet: {
                id: 'string' // placeholder for the disk encryption set resource ID
              }
            }
          }
        ]
      }
    }
  }
}
Enabled encryption for data disk through security profile:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/virtualMachineScaleSets",
"apiVersion": "2022-11-01",
"properties": {
"virtualMachineProfile": {
"storageProfile": {
"dataDisks": [
{
"name": "myDataDisk",
"managedDisk": {
"securityProfile": {
"diskEncryptionSet": {
"id": "string"
}
}
}
}
]
}
}
}
}
]
}
// Compliant: the scale set data disk references a disk encryption set through the managed disk's security profile.
// Only the encryption-relevant properties are shown; name and other required properties are omitted.
resource symbolicname 'Microsoft.Compute/virtualMachineScaleSets@2022-11-01' = {
  properties: {
    virtualMachineProfile: {
      storageProfile: {
        dataDisks: [
          {
            name: 'myDataDisk' // placeholder disk name
            managedDisk: {
              securityProfile: {
                diskEncryptionSet: {
                  id: 'string' // placeholder for the disk encryption set resource ID
                }
              }
            }
          }
        ]
      }
    }
  }
}
Enabled encryption for OS disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/virtualMachineScaleSets",
"apiVersion": "2022-11-01",
"properties": {
"virtualMachineProfile": {
"storageProfile": {
"osDisk": {
"name": "myOsDisk",
"managedDisk": {
"diskEncryptionSet": {
"id": "string"
}
}
}
}
}
}
}
]
}
// Compliant: the scale set OS disk's managed disk references a disk encryption set.
// Only the encryption-relevant properties are shown; name and other required properties are omitted.
resource symbolicname 'Microsoft.Compute/virtualMachineScaleSets@2022-11-01' = {
  properties: {
    virtualMachineProfile: {
      storageProfile: {
        osDisk: {
          name: 'myOsDisk' // placeholder disk name
          managedDisk: {
            diskEncryptionSet: {
              id: 'string' // placeholder for the disk encryption set resource ID
            }
          }
        }
      }
    }
  }
}
Enabled encryption for OS disk through security profile:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Compute/virtualMachineScaleSets",
"apiVersion": "2022-11-01",
"properties": {
"virtualMachineProfile": {
"storageProfile": {
"osDisk": {
"name": "myOsDisk",
"managedDisk": {
"securityProfile": {
"diskEncryptionSet": {
"id": "string"
}
}
}
}
}
}
}
}
]
}
// Compliant: the scale set OS disk references a disk encryption set through the managed disk's security profile.
// Only the encryption-relevant properties are shown; name and other required properties are omitted.
resource symbolicname 'Microsoft.Compute/virtualMachineScaleSets@2022-11-01' = {
  properties: {
    virtualMachineProfile: {
      storageProfile: {
        osDisk: {
          name: 'myOsDisk' // placeholder disk name
          managedDisk: {
            securityProfile: {
              diskEncryptionSet: {
                id: 'string' // placeholder for the disk encryption set resource ID
              }
            }
          }
        }
      }
    }
  }
}
For Microsoft.ContainerService/managedClusters:
Enabled encryption at host and set the disk encryption set ID:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.ContainerService/managedClusters",
"apiVersion": "2023-03-02-preview",
"properties": {
"agentPoolProfiles": [
{
"enableEncryptionAtHost": true
}
],
"diskEncryptionSetID": "string"
}
}
]
}
// Compliant: encryption at host is enabled for the agent pool and a disk encryption set ID is set on the cluster.
// Only the encryption-relevant properties are shown; name and other required properties are omitted.
resource symbolicname 'Microsoft.ContainerService/managedClusters@2023-03-02-preview' = {
  properties: {
    agentPoolProfiles: [
      {
        enableEncryptionAtHost: true
      }
    ]
    diskEncryptionSetID: 'string' // placeholder for the disk encryption set resource ID
  }
}
For Microsoft.DataLakeStore/accounts:
Enabled encryption for Data Lake Store:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.DataLakeStore/accounts",
"apiVersion": "2016-11-01",
"properties": {
"encryptionState": "Enabled"
}
}
]
}
// Compliant: encryption for the Data Lake Store account is enabled.
// Only the encryption-relevant properties are shown; name and other required properties are omitted.
resource symbolicname 'Microsoft.DataLakeStore/accounts@2016-11-01' = {
  properties: {
    encryptionState: 'Enabled'
  }
}
For Microsoft.DBforMySQL/servers:
Enabled infrastructure double encryption for MySQL server:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.DBforMySQL/servers",
"apiVersion": "2017-12-01",
"properties": {
"infrastructureEncryption": "Enabled"
}
}
]
}
// Compliant: infrastructure (double) encryption is enabled for the MySQL server.
// Only the encryption-relevant properties are shown; name and other required properties are omitted.
resource symbolicname 'Microsoft.DBforMySQL/servers@2017-12-01' = {
  properties: {
    infrastructureEncryption: 'Enabled'
  }
}
For Microsoft.DBforPostgreSQL/servers:
Enabled infrastructure double encryption for PostgreSQL server:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.DBforPostgreSQL/servers",
"apiVersion": "2017-12-01",
"properties": {
"infrastructureEncryption": "Enabled"
}
}
]
}
// Compliant: infrastructure (double) encryption is enabled for the PostgreSQL server.
// Only the encryption-relevant properties are shown; name and other required properties are omitted.
resource symbolicname 'Microsoft.DBforPostgreSQL/servers@2017-12-01' = {
  properties: {
    infrastructureEncryption: 'Enabled'
  }
}
For Microsoft.DocumentDB/cassandraClusters/dataCenters:
Enabled encryption for a Cassandra Cluster datacenter’s managed disk and backup:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "cassandraClusters/example",
"type": "Microsoft.DocumentDB/cassandraClusters/dataCenters",
"apiVersion": "2023-04-15",
"properties": {
"diskCapacity": 4,
"backupStorageCustomerKeyUri": "string",
"managedDiskCustomerKeyUri": "string"
}
}
]
}
// Compliant: customer key URIs are supplied for both the backup storage and the managed disk.
// 'string' values are placeholders for the key URIs.
resource symbolicname 'Microsoft.DocumentDB/cassandraClusters/dataCenters@2023-04-15' = {
  name: 'string' // placeholder datacenter name
  parent: parent // placeholder reference to the parent cassandraClusters resource
  properties: {
    diskCapacity: 4
    backupStorageCustomerKeyUri: 'string'
    managedDiskCustomerKeyUri: 'string'
  }
}
For Microsoft.HDInsight/clusters:
Enabled encryption for data disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.HDInsight/clusters",
"apiVersion": "2021-06-01",
"properties": {
"computeProfile": {
"roles": [
{
"encryptDataDisks": true
}
]
}
}
}
]
}
// Compliant: data disk encryption is enabled for the cluster role.
// Only the encryption-relevant properties are shown; name and other required properties are omitted.
resource symbolicname 'Microsoft.HDInsight/clusters@2021-06-01' = {
  properties: {
    computeProfile: {
      roles: [
        {
          encryptDataDisks: true
        }
      ]
    }
  }
}
Enabled encryption for data disk at application level:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "clusters/example",
"type": "Microsoft.HDInsight/clusters/applications",
"apiVersion": "2021-06-01",
"properties": {
"computeProfile": {
"roles": [
{
"encryptDataDisks": true
}
]
}
}
}
]
}
// Compliant: data disk encryption is enabled for the application's cluster role.
// Only the encryption-relevant properties are shown; name and other required properties are omitted.
resource symbolicname 'Microsoft.HDInsight/clusters/applications@2021-06-01' = {
  properties: {
    computeProfile: {
      roles: [
        {
          encryptDataDisks: true
        }
      ]
    }
  }
}
Enabled encryption for resource disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.HDInsight/clusters",
"apiVersion": "2021-06-01",
"properties": {
"diskEncryptionProperties": {
"encryptionAtHost": true
}
}
}
]
}
// Compliant: encryption at host is enabled in the cluster's disk encryption properties.
// Only the encryption-relevant properties are shown; name and other required properties are omitted.
resource symbolicname 'Microsoft.HDInsight/clusters@2021-06-01' = {
  properties: {
    diskEncryptionProperties: {
      encryptionAtHost: true
    }
  }
}
For Microsoft.Kusto/clusters:
Enabled encryption for disk:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Kusto/clusters",
"apiVersion": "2022-12-29",
"properties": {
"enableDiskEncryption": true
}
}
]
}
// Compliant: disk encryption is enabled for the Kusto cluster.
// Only the encryption-relevant properties are shown; name and other required properties are omitted.
resource symbolicname 'Microsoft.Kusto/clusters@2022-12-29' = {
  properties: {
    enableDiskEncryption: true
  }
}
For Microsoft.RecoveryServices/vaults:
Enabled encryption on infrastructure:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.RecoveryServices/vaults",
"apiVersion": "2023-01-01",
"properties": {
"encryption": {
"infrastructureEncryption": "Enabled"
}
}
}
]
}
// Compliant: infrastructure encryption is enabled for the Recovery Services vault.
// Only the encryption-relevant properties are shown; name and other required properties are omitted.
resource symbolicname 'Microsoft.RecoveryServices/vaults@2023-01-01' = {
  properties: {
    encryption: {
      infrastructureEncryption: 'Enabled'
    }
  }
}
Enabled infrastructure encryption for backup:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "vaults/example",
"type": "Microsoft.RecoveryServices/vaults/backupEncryptionConfigs",
"apiVersion": "2023-01-01",
"properties": {
"encryptionAtRestType": "{'CustomerManaged' | 'MicrosoftManaged'}",
"infrastructureEncryptionState": "Enabled"
}
}
]
}
// Compliant: infrastructure encryption is enabled in the vault's backup encryption config.
// Only the encryption-relevant properties are shown; name and other required properties are omitted.
resource symbolicname 'Microsoft.RecoveryServices/vaults/backupEncryptionConfigs@2023-01-01' = {
  properties: {
    encryptionAtRestType: '{CustomerManaged | MicrosoftManaged}' // placeholder: pick one of the listed values
    infrastructureEncryptionState: 'Enabled'
  }
}
For Microsoft.RedHatOpenShift/openShiftClusters:
Enabled disk encryption for master profile and worker profiles:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.RedHatOpenShift/openShiftClusters",
"apiVersion": "2022-09-04",
"properties": {
"masterProfile": {
"diskEncryptionSetId": "string",
"encryptionAtHost": "Enabled"
},
"workerProfiles": [
{
"diskEncryptionSetId": "string",
"encryptionAtHost": "Enabled"
}
]
}
}
]
}
// Compliant: encryption at host is enabled and a disk encryption set ID is supplied for both
// the master profile and the worker profiles. 'string' values are placeholders.
// Only the encryption-relevant properties are shown; name and other required properties are omitted.
resource symbolicname 'Microsoft.RedHatOpenShift/openShiftClusters@2022-09-04' = {
  properties: {
    masterProfile: {
      diskEncryptionSetId: 'string'
      encryptionAtHost: 'Enabled'
    }
    workerProfiles: [
      {
        diskEncryptionSetId: 'string'
        encryptionAtHost: 'Enabled'
      }
    ]
  }
}
For Microsoft.SqlVirtualMachine/sqlVirtualMachines:
Enabled encryption for SQL Virtual Machine (the `password` value is a placeholder; supply it through a secure parameter rather than as a literal in the template):
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.SqlVirtualMachine/sqlVirtualMachines",
"apiVersion": "2022-08-01-preview",
"properties": {
"autoBackupSettings": {
"enableEncryption": true,
"password": "string"
}
}
}
]
}
// Compliant: automatic backups of the SQL virtual machine are encrypted.
// Only the encryption-relevant properties are shown; name and other required properties are omitted.
resource symbolicname 'Microsoft.SqlVirtualMachine/sqlVirtualMachines@2022-08-01-preview' = {
  properties: {
    autoBackupSettings: {
      enableEncryption: true
      // Placeholder only: pass the real backup password in via a @secure() parameter,
      // never as a literal committed with the template.
      password: 'string'
    }
  }
}
For Microsoft.Storage/storageAccounts:
Enabled enforcement of infrastructure encryption (double encryption of data):
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "example",
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2022-09-01",
"properties": {
"encryption": {
"requireInfrastructureEncryption": true
}
}
}
]
}
// Compliant: the storage account requires infrastructure (double) encryption.
// Only the encryption-relevant properties are shown; name and other required properties are omitted.
resource symbolicname 'Microsoft.Storage/storageAccounts@2022-09-01' = {
  properties: {
    encryption: {
      requireInfrastructureEncryption: true
    }
  }
}
For Microsoft.Storage/storageAccounts/encryptionScopes:
Enabled enforcement of infrastructure encryption (double encryption of data) at encryption scope level:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "storageAccounts/example",
"type": "Microsoft.Storage/storageAccounts/encryptionScopes",
"apiVersion": "2022-09-01",
"properties": {
"requireInfrastructureEncryption": true
}
}
]
}
// Compliant: the encryption scope requires infrastructure (double) encryption.
// Only the encryption-relevant properties are shown; name and other required properties are omitted.
resource symbolicname 'Microsoft.Storage/storageAccounts/encryptionScopes@2022-09-01' = {
  properties: {
    requireInfrastructureEncryption: true
  }
}
See