Enable encryption at host for virtual machine scale sets and virtual machines #505
Conversation
…et and virtual machine.
| 3. Take a backup of these non-compliant resource types. | ||
| 4. Register 'Microsoft.Security' provider and enable Azure Defender plan for all non-compliant resource types for subscription. |
There was a problem hiding this comment.
already this line removed
| # Command to execute: | ||
| Examples: | ||
| 1. Run below command to configure Azure Defender for subscription |
| } | ||
|
|
||
| Write-Host $([Constants]::SingleDashLine) | ||
| $VirtualMachines = Get-AzVM -ResourceGroupName $ResourceGroupName |
There was a problem hiding this comment.
In the control logic, we are not considering all VM's, only VMSS and underlying VMs when the orchestration mode is flexible. BRS should be aligned with the control logic
| <########################################## | ||
| # Overview: | ||
| This script is used to Enable Encryption at Host for Virtual machine scale sets and Virtual machines. |
There was a problem hiding this comment.
make the comment more illustrated like - and underlying Virtual Machines in flexible mode
There was a problem hiding this comment.
updated comment
| # Safe Check: Current user needs to be either Contributor or Owner for the subscription | ||
| $currentLoginRoleAssignments = Get-AzRoleAssignment -SignInName $currentSub.Account.Id -Scope "/subscriptions/$($SubscriptionId)"; | ||
|
|
||
| if (($currentLoginRoleAssignments | Where { $_.RoleDefinitionName -eq "Owner" -or $_.RoleDefinitionName -eq 'Contributor' -or $_.RoleDefinitionName -eq "Security Admin" } | Measure-Object).Count -le 0) { |
There was a problem hiding this comment.
did you check for security admin role ? as this is role is not mentioned in the comments
Scripts/RemediationScripts/Remediate-EnableEncrytionAtHostForVMSS.ps1
Outdated
Show resolved
Hide resolved
Scripts/RemediationScripts/Remediate-EnableEncrytionAtHostForVMSS.ps1
Outdated
Show resolved
Hide resolved
| "InitCommand": "Enable-EncrytionAtHost", | ||
| "RollbackMetadata": { | ||
| "RollbackCommand": "Disable-EncrytionAtHost", | ||
| "Arguments": ["SubscriptionId", "Path"] |
There was a problem hiding this comment.
why Path is needed here?
There was a problem hiding this comment.
It's file path, where we backup the remediated resources list in .json file.
SO, when user want to rollback the operations, user need to give file Path as argument.
…mkar/remediation-enable-encryption-vm
This remediation script helps to enable encryption at host property for virtual machine scale sets and virtual machines on subscription. In case, after executing script, if you want to rollback the changes, you can rollback the earlier changes.