Abstract
Encryption of Azure VM disk is a vast topic and an important one. Especially if you are a bank then your info security team is going to ensure that this recommendation is enforced without any exceptions. I have been working with a few leading banks in India and encryption of Azure VM disk is one of the longest discussed topic, that I have experienced in recent times.
While you encrypt the disk of Azure VM using either “Storage [Server] side encryption” or “Azure Disk Encryption”; security teams are always paranoid about the following point –
“What if someone downloads my VHD from Azure portal? How do I protect my data?”
Well this blog is an answer to above question! So Let us start with some background on encryption and understand why customers or security teams may ask to block the VHD download.
Why security team need to block VHD Download?
Encryption of Azure VM disk is possible in two ways –
- Server Side Encryption
- Azure Disk Encryption
Server side encryption [a.k.a. Storage Side Encryption – hereafter referred as SSE] should suffice the organization security needs in most of the cases.
The most common question I have seen is below –
Question: If my Azure VM is encrypted using SSE and if I download the VHD and map this VHD to a VM as OS or data disk, will the disk be encrypted and data on it non readable?
Answer: No. As soon as the data leaves the boundary of underlying storage, it is decrypted. Hence if you provision VM vhd or data disk vhd after download, the data will be readable.
Reference blog post mentioning this is here - https://www.sanganakauthority.com/2020/01/azure-vm-disk-encryption-storage-side.html.
This triggers the requirement of “Why do we want to restrict Azure VM VHD download?”.
This way customer organization can avoid Azure Disk Encryption using Bitlocker or DMCrypt [hereafter referred as ADE] and especially avoid complexities involved in the implementation and management. Here I am not saying ADE is bad. It is still best way to encrypt. However if customer is interested in avoiding operational overheads in ADE, then SSE is really handy.
If SSE is used then data theft is still possible if the downloaded VHD gets into the wrong hands. Therefore it becomes necessary necessary to completely block the download option from the Azure portal for extra sensitive data VHD’s.
How do I block Azure VM VHD download?
It would have been really easy if we can put up an “Azure Policy” at the subscription level to block the VHD download. Unfortunately there is no such in-built policy. We can go down the path of building a custom policy but I have already tried it, without success.
Important aspect for policy is about having an “Action” in policy. However “Actions” in Azure policy is a legacy syntax and as of today it supports only “write” action.
For VHD download we will have to use “Action” equals to “Microsoft.Compute/disks/beginGetAccess/action” which is not a write action and hence we can’t achieve this using Azure policy. I think “Actions” suits better in RBAC section as they reflect permissions for users to execute certain action. Hence we will need to implement “block VHD download” using RBAC.
Implementing RBAC for restricting Azure VHD download
The download permissions on the Azure VM disk is assigned through RBAC setting “Microsoft.Compute/disks/beginGetAccess/action”. So if we restrict this access in an Azure custom role we should be able to achieve “restrict Azure VM disk download” option .
To define an Azure custom role it is always a good start to use any existing Azure built in role. For our requirement “Contributor” roles seems to be best fit. I found out contributor role as shown below from Azure portal. To create custom role with “VHD download deny” permission; clone this role as shown below -
On the basic information of Clone windows, enter information as shown below. “Custom role name” can be of your choice. Then click on Next.
You will see Permissions tab with first permission with “*” which means that the Contributor role has access to almost all operations on Azure portal, except that the Contributor can’t assign a role to any other user.
On the permissions tab itself we will need to “deny VHD download” option. Therefore on Permissions tab click on “Exclude Permissions” as shown below –
Then search for “disk” and select Compute resource provider as shown below –
Under Microsoft.Compute permissions screen search for option “Other : Get Disk SAS URI” under Microsoft.Compute/disks as shown below. Select the checkbox against it and click on Add.
After this you will see an action “Microsoft.Compute/disks/beginGetAccess/action” is added in NotAction as shown below –
Then click on “Review + Create” option and then click on “Create” to have this role created under your subscription. You can find this role as below to check if role addition is successful.
Then click on “add” to assign this custom role to a user of your choice.
Verifying of denying Azure VM VHD download
After successful role assignment, login to Azure portal with the credentials of the user who has been assigned the custom role. Open any Virtual Machine from the portal and go to Disks -> Click on OS disk Name. the click on “Disk Export” option and click on Generate URL button. This button actually generates the SAS URL which can be used to download Azure VM disk from Azure portal.
But now when you click on “Generate URL” button, you will see an error message preventing you from generating SAS URL to download the vhd –
This is how you can restrict Azure VM disk download from the Azure portal using custom RBAC.
Conclusion
Hope this post helps you in improving the security posture by adding an extra layer of security over SSE disk encryption.
If you are more interested to know about Azure Disk encryption frequently asked real world questions then visit here.