Virtual machines should utilize managed disks
Warning: This rule will be deprecated 18 December 2023 as part of the update to Azure CIS version 2.0.0
Description
Migrate blob-based VHDs to managed disks on virtual machines to take advantage of the default features of this configuration. The features include:
- Default disk encryption
- Resilience, as Microsoft manages the disk storage and moves it if underlying hardware is faulty
- Reduction of costs over storage accounts
Rationale
Managed disks are encrypted by default on the underlying hardware, so no additional encryption is required for basic protection. Additional encryption is available if required. Managed disks are more resilient than storage accounts. For ARM-deployed virtual machines, Azure Advisor recommends moving VHDs to managed disks from both a security and a cost management perspective.
References
- https://docs.microsoft.com/en-us/azure/virtual-machines/windows/convert-unmanaged-to-managed-disks
- https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-1-define-asset-management-and-data-protection-strategy
From the console
- Using the search feature, go to Virtual Machines
- Select the virtual machine you would like to convert
- Select Disks in the menu for the VM
- Select Migrate to managed disks
- Follow the prompts to convert the disk and finish by selecting Migrate to start the process
NOTE: VMs are stopped and restarted after migration is complete.
Using PowerShell
Stop-AzVM -ResourceGroupName $rgName -Name $vmName -Force
ConvertTo-AzVMManagedDisk -ResourceGroupName $rgName -VMName $vmName
Start-AzVM -ResourceGroupName $rgName -Name $vmName
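The following audit script is an added example, not part of the CIS page: it lists VMs whose OS or data disks are still blob-based VHDs and wraps the Stop/Convert/Start sequence above in a function that supports -WhatIf. It assumes the Az module is installed and the session is already authenticated (Connect-AzAccount); the function names are my own.

```powershell
# Added example: find VMs that still use unmanaged (blob-based) VHDs.
# In the Az storage profile, a managed disk exposes ManagedDisk.Id, while a
# blob-based VHD exposes Vhd.Uri instead; that difference is the audit check.
function Get-UnmanagedDiskVM {
    [CmdletBinding()]
    param([string]$ResourceGroupName)

    $vms = if ($ResourceGroupName) { Get-AzVM -ResourceGroupName $ResourceGroupName } else { Get-AzVM }
    foreach ($vm in $vms) {
        $sp = $vm.StorageProfile
        $unmanaged = @()
        if ($null -ne $sp.OsDisk.Vhd) { $unmanaged += "OS: $($sp.OsDisk.Vhd.Uri)" }
        foreach ($d in $sp.DataDisks) {
            if ($null -ne $d.Vhd) { $unmanaged += "Data[LUN $($d.Lun)]: $($d.Vhd.Uri)" }
        }
        if ($unmanaged.Count -gt 0) {
            [pscustomobject]@{
                ResourceGroupName = $vm.ResourceGroupName
                Name              = $vm.Name
                UnmanagedDisks    = $unmanaged -join '; '
            }
        }
    }
}

# Wraps the page's Stop / ConvertTo-AzVMManagedDisk / Start sequence so it can be
# dry-run with -WhatIf. The VM is powered off and back on, as the page notes.
function Invoke-ManagedDiskMigration {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$Name
    )
    $action = 'Migrate to managed disks (VM will be stopped and restarted)'
    if ($PSCmdlet.ShouldProcess("$ResourceGroupName/$Name", $action)) {
        Stop-AzVM -ResourceGroupName $ResourceGroupName -Name $Name -Force
        ConvertTo-AzVMManagedDisk -ResourceGroupName $ResourceGroupName -VMName $Name
        Start-AzVM -ResourceGroupName $ResourceGroupName -Name $Name
    }
}

# Audit only: report every VM in the current subscription with unmanaged disks.
Get-UnmanagedDiskVM | Format-Table -AutoSize

# Dry run of the migration for every finding; remove -WhatIf to perform it.
Get-UnmanagedDiskVM | ForEach-Object {
    Invoke-ManagedDiskMigration -ResourceGroupName $_.ResourceGroupName -Name $_.Name -WhatIf
}
```

Run the audit first and schedule the migration in a maintenance window, since each converted VM is restarted.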
Impact
There is no operational impact of migrating to managed disks other than the benefits mentioned above.
NOTE: When converting to managed disks, VMs are powered off and back on.
CIS Controls
Version 7: 13 - Data Protection