
I am trying to create a Deny policy to deny disk decryption (encrypted via Azure Disk Encryption), but the Deny isn't taking effect. I do see the disks not in compliance though.

Here's the policy below:

{
  "properties": {
    "displayName": "Prevent disk decryption on virtual machines",
    "policyType": "Custom",
    "mode": "All",
    "description": "VMs once encrypted, should not be allowed to be decrypted",
    "metadata": {
      "category": "Compute",
      "createdBy": "454393d8-e9f1-424d-8054-52d45c90cf6c",
      "createdOn": "2019-08-12T15:35:43.7697071Z",
      "updatedBy": "454393d8-e9f1-424d-8054-52d45c90cf6c",
      "updatedOn": "2019-08-12T18:41:36.6828893Z"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Deny",
          "Disabled",
          "Audit"
        ],
        "defaultValue": "Deny"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/disks"
              },
              {
                "field": "Microsoft.Compute/disks/encryptionSettingsCollection.enabled",
                "notequals": "true"
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/disks"
              },
              {
                "field": "Microsoft.Compute/disks/encryptionSettings.enabled",
                "notequals": "true"
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.encryptionSettings.enabled",
                "notequals": "true"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "ce6bfec6-c4db-46e0-a475-baf5b81063fc"
}

I see it as non-compliant, but the Deny doesn't take effect. I can still run "az vm encryption disable". Is Lock the way to go here? Any unexpected issues with using a lock on VM OS and data disks?

VMTX
  • Welcome to SO! Can you edit your question to explain what method you are using to apply the policy? – technogeek1995 Aug 12 '19 at 20:05
  • I applied the policy as an initiative to the subscription. Also, I would want to add that the deny policy works when creating a new VM, but not when decrypting an existing VM. – VMTX Aug 15 '19 at 19:39
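As an added example (not code from the question or the answer): a small Python evaluator for the `if` block of the policy above, run offline against constructed disk documents. It assumes a simplified alias model (an alias is the resource type followed by a dotted path under `properties`); the real service resolves aliases itself and evaluates Deny only on create/update requests sent to Resource Manager, which this toy does not model.

```python
# Constructed sample: the first disk clause of the question's policyRule.
POLICY_RULE = {"anyOf": [{"allOf": [
    {"field": "type", "equals": "Microsoft.Compute/disks"},
    {"field": "Microsoft.Compute/disks/encryptionSettingsCollection.enabled",
     "notequals": "true"},
]}]}


def resolve_alias(resource: dict, field: str):
    """Read a policy alias from a resource document.
    Assumption (simplification): an alias is '<resourceType>/<dotted path>' and
    the dotted path lives under 'properties'; an absent path yields None."""
    if field.lower() == "type":
        return resource.get("type")
    prefix = resource.get("type", "").lower() + "/"
    if not field.lower().startswith(prefix):
        return None  # alias belongs to another resource type
    node = resource.get("properties", {})
    for part in field[len(prefix):].split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def _norm(value):
    # Compare equals/notequals as case-insensitive strings, as the policy engine does.
    return None if value is None else str(value).lower()


def evaluate(condition: dict, resource: dict) -> bool:
    """Recursively evaluate an anyOf/allOf/field condition tree."""
    if "anyOf" in condition:
        return any(evaluate(c, resource) for c in condition["anyOf"])
    if "allOf" in condition:
        return all(evaluate(c, resource) for c in condition["allOf"])
    actual = _norm(resolve_alias(resource, condition["field"]))
    if "equals" in condition:
        return actual == _norm(condition["equals"])
    if "notequals" in condition:
        return actual != _norm(condition["notequals"])
    raise ValueError(f"unsupported condition: {condition}")


def rule_matches(resource: dict) -> bool:
    """True when the 'if' block matches, i.e. the effect would apply to this body.
    In this evaluator a disk with no encryptionSettingsCollection at all also
    matches, because a missing value is 'not equal' to "true"."""
    return evaluate(POLICY_RULE, resource)
```

The last point is worth checking against real compliance results: a disk that only uses platform-managed server-side encryption carries no ADE settings and would be flagged by this clause too.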

1 Answer

Have you tried including the Microsoft.Compute/disks/encryption.type or Microsoft.Compute/disks/encryption aliases? In my existing resources those are the only aliases that exist in relation to encryption.

Kemley