Get Azure VM and VM Scale Set recommendations based on workload, performance, and budget needs.
workflows/vm-creator/references/depth-probe/security-deep.md
1# Security-deep branch23| Topic | Question | Default |4|---|---|---|5| Managed identity | "System-assigned managed identity?" | `true` (off by default in raw `az vm create`, but we recommend on) |6| Encryption at host | "Encryption at host?" | `true` (requires subscription opt-in — flag if not enabled) |7| Disk encryption set | "Customer-managed key (CMK) on OS disk?" | Skip unless compliance mentioned |8| Confidential VM | "Confidential compute (AMD SEV-SNP)?" | Only if user mentioned `confidential` / `attestation` |9| JIT access | "Enable Just-In-Time RDP/SSH (Defender for Cloud)?" | Offer if subscription has Defender plan |10| Boot diagnostics | "Managed boot diagnostics?" | `true` (Azure-managed storage) |11| Vulnerability scanning | "Enable Defender for Servers Plan 2?" | Mention; do not auto-enable (incurs cost) |1213## Notes1415- Encryption-at-host needs the subscription feature flag `EncryptionAtHost` registered — check via `az feature show` and surface a remediation step if not.16- CMK setup is multi-resource (Key Vault + Disk Encryption Set + RBAC); for first-time users, suggest scaffolding via the `azure-prepare` skill instead.17- JIT access is per-VM and per-port; default to 3-hour windows on 22/3389, not the wider "all common ports" preset.18