Use disk encryption for Azure Data Explorer clusters

Security · Data Explorer · Rule · 2022_03 · Important

Use disk encryption for Azure Data Explorer (ADX) clusters.

Description

Azure storage is encrypted at rest, however computing resources can additionally use disk encryption. Disk encryption provides additional security for data at rest.

Recommendation

Consider enabling disk encryption on Azure Data Explorer clusters.

Examples

Configure with Azure template

To deploy clusters that pass this rule:

• Set properties.enableDiskEncryption to true.

For example:

Azure Template snippet

{
    "type": "Microsoft.Kusto/clusters",
    "apiVersion": "2021-08-27",
    "name": "[parameters('name')]",
    "location": "[parameters('location')]",
    "sku": {
        "name": "Standard_D11_v2",
        "tier": "Standard"
    },
    "identity": {
        "type": "SystemAssigned"
    },
    "properties": {
        "enableDiskEncryption": true
    }
}

Configure with Bicep

To deploy clusters that pass this rule:

• Set properties.enableDiskEncryption to true.

For example:

Azure Bicep snippet

resource adx 'Microsoft.Kusto/clusters@2021-08-27' = {
  name: name
  location: location
  sku: {
    name: 'Standard_D11_v2'
    tier: 'Standard'
  }
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    enableDiskEncryption: true
  }
}

Links

• Data encryption in Azure
• Secure your cluster using Disk Encryption in Azure Data Explorer
• Azure deployment reference

Comments