Skip to content

Governance Policies Azure Compute Disk Encryption Set

Jump to bottom
Joshua Davis edited this page Apr 5, 2026 · 2 revisions

Disk Encryption Set

Governance policies for Disk Encryption Set

Domain: azure-compute

Patterns

Name Description
Disk Encryption Set with CMK and auto-rotation Customer-managed key encryption with automatic key rotation

Anti-Patterns

Description Instead
Do not rely solely on platform-managed encryption when compliance requires CMK Deploy a Disk Encryption Set with customer-managed keys from Key Vault
Do not store encryption keys in the same Key Vault as application secrets Use a dedicated Key Vault for disk encryption keys with restricted access

References

Checks (4)

Check Severity Description
AZ-DES-001 Required Create Disk Encryption Set with customer-managed key from Key Vault
AZ-DES-002 Required Grant the Disk Encryption Set identity access to the Key Vault
AZ-DES-003 Required Enable automatic key rotation to latest key version
AZ-DES-004 Recommended Use EncryptionAtRestWithPlatformAndCustomerKeys for double encryption

AZ-DES-001

Create Disk Encryption Set with customer-managed key from Key Vault

Severity: Required
Rationale: Customer-managed keys (CMK) provide control over encryption keys and meet compliance requirements
Agents: terraform-agent, bicep-agent, cloud-architect

Targets

  • Microsoft.Compute/diskEncryptionSets

Companion Resources

Resource Name Purpose
Microsoft.KeyVault/vaults kv-cmk Key Vault with purge protection enabled for storing CMK encryption keys
Microsoft.KeyVault/vaults/keys des-cmk-key RSA 2048-bit or higher encryption key for Disk Encryption Set
Microsoft.Authorization/roleAssignments Key Vault Crypto Service Encryption User Grants DES identity permission to use Key Vault encryption keys

AZ-DES-002

Grant the Disk Encryption Set identity access to the Key Vault

Severity: Required
Rationale: Without Key Vault access, the DES cannot retrieve the encryption key and disk operations will fail
Agents: terraform-agent, bicep-agent, cloud-architect

Targets

  • Microsoft.Compute/diskEncryptionSets

Companion Resources

Resource Name Purpose
Microsoft.Compute/diskEncryptionSets des-cmk Disk Encryption Set with system-assigned identity for Key Vault access
Microsoft.KeyVault/vaults kv-cmk Key Vault with RBAC authorization for DES key access

AZ-DES-003

Enable automatic key rotation to latest key version

Severity: Required
Rationale: Manual key rotation risks service disruption if keys expire; automatic rotation ensures continuity
Agents: terraform-agent, bicep-agent, cloud-architect

Targets

  • Microsoft.Compute/diskEncryptionSets

AZ-DES-004

Use EncryptionAtRestWithPlatformAndCustomerKeys for double encryption

Severity: Recommended
Rationale: Double encryption uses both platform-managed and customer-managed keys for defense in depth
Agents: terraform-agent, bicep-agent, cloud-architect, security-reviewer

Targets

  • Microsoft.Compute/diskEncryptionSets

Companion Resources

Resource Name Purpose
Microsoft.KeyVault/vaults kv-cmk Key Vault with purge protection for double-encryption keys
Microsoft.KeyVault/vaults/keys des-double-enc-key RSA encryption key for platform-and-customer double encryption

Home

Getting Started

Stages

Interfaces

Configuration

Agent System

Features

Quality

Help

Governance

Policies — Azure

AI Services

Compute

Data Services

Identity

Management

Messaging

Monitoring

Networking

Security

Storage

Web & App

Policies — Well-Architected

Reliability

Security

Cost Optimization

Operational Excellence

Performance Efficiency

Integration

Anti-Patterns
Standards

Application

IaC

Principles

Transforms

Clone this wiki locally