Encryption of Azure VM disks is a vast and important topic, especially if you are a bank, because then your information security team is going to chase it. I have been working with a few leading banks in India, and encryption of Azure VM disks is one of the longest-discussed topics I have experienced in recent times.
While you encrypt the disk of an Azure VM using either “Storage [Server] Side Encryption” or “Azure Disk Encryption”, security teams are always worried about one question:
“What if someone downloads my VHD from the Azure portal? How do I protect my data?”
Well, this blog is an answer to the above question. Let us start with some background on encryption and understand why customers or security teams may ask to block VHD download.
Why does the security team need to block VHD download?
Azure VM disks can be encrypted in two ways:
- Server Side Encryption
- Azure Disk Encryption
Server Side Encryption [a.k.a. Storage Side Encryption, hereafter referred to as SSE] should satisfy the organization's security needs in most cases.
The most common question I have seen is below:
Question: If my Azure VM is encrypted using SSE and I download the VHD, then create a VM from this VHD, will it be encrypted and will the data on it be unreadable?
Answer: No. As soon as the data leaves the boundary of the underlying storage, it is decrypted. Hence if you provision a VM from the downloaded OS VHD or data disk VHD, the data will be readable.
A reference blog post explaining this is here: https://www.sanganakauthority.com/2020/01/azure-vm-disk-encryption-storage-side.html.
This triggers the requirement: “why do we want to restrict Azure VM VHD download?”
With download blocked, the customer organization can avoid Azure Disk Encryption using BitLocker or dm-crypt [hereafter referred to as ADE], and especially the complexities involved in its implementation and management. I am not saying ADE is bad; it is still the best way to encrypt. However, if the customer is interested in avoiding the operational overheads of ADE, then SSE is really handy.
If SSE is used, then after download of the Azure VM VHD, data theft cannot be prevented. Therefore, for VHDs holding extra sensitive data, it becomes necessary to block download from the Azure portal completely.
How do I block Azure VM VHD download?
It would have been really easy if we could put up an “Azure Policy” at the subscription level to block VHD download. Unfortunately there is no such built-in policy. We can build a custom policy, and I have already tried it.
The important aspect of such a policy is having an “Action” in the policy. However, “Actions” in Azure Policy is a legacy syntax, and as of today it supports only the “write” action.
For VHD download we would have to use an “Action” equal to “Microsoft.Compute/disks/beginGetAccess/action”, which is not a write action, and hence we can't achieve this using Azure Policy. I think “Actions” fit better in the RBAC section, as they reflect the permissions users have to execute certain operations. Hence we will need to implement “block VHD download” using RBAC.
Implementing RBAC for restricting Azure VHD download
The download permission on an Azure VM disk is granted through the RBAC operation “Microsoft.Compute/disks/beginGetAccess/action”. So if we exclude this operation in an Azure custom role, we should be able to achieve the “restrict Azure VM disk download” requirement.
To define an Azure custom role it is always a good start to use an existing Azure built-in role. For our requirement the “Contributor” role seems to be the best fit. I found the Contributor role as shown below in the Azure portal. To create a custom role with the “VHD download deny” permission, clone this role as shown below:
On the Basics tab of the Clone window, enter information as shown below. The “Custom role name” can be of your choice. Then click Next.
You will see the Permissions tab with the first permission set to “*”. This means the Contributor role has access to almost all operations in the Azure portal, except that a Contributor can't assign a role to any other user.
On the Permissions tab itself we need the “deny VHD download” option. Therefore, on the Permissions tab, click “Exclude Permissions” as shown below:
Then search for “disk” and select the Compute resource provider as shown below:
Under the Microsoft.Compute permissions screen, search for the option “Other : Get Disk SAS URI” under Microsoft.Compute/disks as shown below. Select the checkbox against it and click Add.
After this you will see the action “Microsoft.Compute/disks/beginGetAccess/action” added under NotActions as shown below:
Then click “Review + Create” and then “Create” to have this role created in your subscription. You can find the role as shown below to check that it was added successfully.
Then click “Add” to assign this custom role to a user of your choice.
Verifying that Azure VM VHD download is denied
After successful role assignment, log in to the Azure portal as the user to whom the custom role is assigned. Open any virtual machine from the portal, go to Disks and click the OS disk name. Then click the “Disk Export” option and click the “Generate URL” button. This button generates the SAS URL that can be used to download the Azure VM disk from the Azure portal.
When you click the “Generate URL” button, you will find that VHD download is no longer allowed, as shown below:
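The same role, built for the Azure CLI instead of the portal, as an added example that is not part of the original post: it writes the role definition JSON, checks an operation against the role's Actions/NotActions the way Azure RBAC evaluates a single role definition, and wraps the create, assign and verify commands. The subscription id, the role name and the deploy function are assumptions; the three Microsoft.Authorization exclusions are the ones the built-in Contributor role carries.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the custom role definition
# for `az role definition create` and evaluates an operation against it the way Azure
# RBAC evaluates one role: Actions grant, NotActions subtract (they are not denies).
set -f   # no pathname expansion: "*" below is an RBAC wildcard, not a file glob
SUBSCRIPTION_ID="00000000-0000-0000-0000-000000000000"   # placeholder, use your own
ROLE_NAME="Contributor - No VHD Download"                 # role name is an assumption
# Contributor keeps "*" and excludes role management; we add the disk export SAS action.
ROLE_ACTIONS="*"
ROLE_NOT_ACTIONS="Microsoft.Authorization/*/Delete
Microsoft.Authorization/*/Write
Microsoft.Authorization/elevateAccess/Action
Microsoft.Compute/disks/beginGetAccess/action"

# Write the JSON accepted by `az role definition create --role-definition @file`.
write_role_definition() {
  {
    printf '{\n  "Name": "%s",\n  "Actions": [ "%s" ],\n  "NotActions": [\n' "$ROLE_NAME" "$ROLE_ACTIONS"
    first=1
    for p in $ROLE_NOT_ACTIONS; do
      [ "$first" -eq 1 ] || printf ',\n'
      printf '    "%s"' "$p"; first=0
    done
    printf '\n  ],\n  "AssignableScopes": [ "/subscriptions/%s" ]\n}\n' "$SUBSCRIPTION_ID"
  } > "$1"
}

# Exit 0 when the operation is permitted by this role alone: it must match an Actions
# pattern and no NotActions pattern. Matching is case-insensitive, as in Azure RBAC.
role_permits() {
  op=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); granted=1
  for pat in $(printf '%s' "$ROLE_ACTIONS" | tr 'A-Z' 'a-z'); do
    case "$op" in $pat) granted=0 ;; esac
  done
  [ "$granted" -eq 0 ] || return 1
  for pat in $(printf '%s' "$ROLE_NOT_ACTIONS" | tr 'A-Z' 'a-z'); do
    case "$op" in $pat) return 1 ;; esac
  done
  return 0
}

# Real deployment (needs `az login`). The portal's "Generate URL" button issues the same
# beginGetAccess call as `az disk grant-access`, so run that as the assigned user to verify.
deploy_role() {   # $1 = user principal name or object id, $2 = JSON output path
  write_role_definition "$2"
  az role definition create --role-definition "@$2"
  az role assignment create --assignee "$1" --role "$ROLE_NAME" \
    --scope "/subscriptions/$SUBSCRIPTION_ID"
}
```

NotActions only narrow this one role and are not a deny: a user's effective permissions are the union of all their role assignments, so someone who also holds Contributor or Owner over the disk can still export it. Run the grant-access verification as the assigned user, not as the administrator who created the role.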
This is how you can restrict Azure VM disk download from the Azure portal using custom RBAC.
I hope this post helps you satisfy your security requirement and settle on SSE disk encryption.
If you are interested in frequently asked real-world questions about Azure Disk Encryption, then visit here.