Select, configure, and scale Azure compute resources—VMs, App Service, AKS, and Container Apps
workflows/vm-creator/references/depth-probe/security-deep.md
# Security-deep branch

| Topic | Question | Default |
|---|---|---|
| Managed identity | "System-assigned managed identity?" | `true` (off by default in raw `az vm create`, but we recommend on) |
| Encryption at host | "Encryption at host?" | `true` (requires subscription opt-in — flag if not enabled) |
| Disk encryption set | "Customer-managed key (CMK) on OS disk?" | Skip unless compliance mentioned |
| Confidential VM | "Confidential compute (AMD SEV-SNP)?" | Only if user mentioned `confidential` / `attestation` |
| JIT access | "Enable Just-In-Time RDP/SSH (Defender for Cloud)?" | Offer if subscription has Defender plan |
| Boot diagnostics | "Managed boot diagnostics?" | `true` (Azure-managed storage) |
| Vulnerability scanning | "Enable Defender for Servers Plan 2?" | Mention; do not auto-enable (incurs cost) |

## Notes

- Encryption-at-host needs the subscription feature flag `EncryptionAtHost` registered — check via `az feature show` and surface a remediation step if not.
- CMK setup is multi-resource (Key Vault + Disk Encryption Set + RBAC); for first-time users, suggest scaffolding via the `azure-prepare` skill instead.
- JIT access is per-VM and per-port; default to 3-hour windows on 22/3389, not the wider "all common ports" preset.
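As an added example (not part of the skill package), a POSIX shell preflight for the encryption-at-host note above: it maps the `EncryptionAtHost` registration state reported by `az feature show` to a remediation message, and only emits `--encryption-at-host true` for `az vm create` when the feature is actually registered. The function names, the `EAH_LIVE` switch and the mapping of the table's defaults to `az vm create` flags are assumptions.

```shell
#!/usr/bin/env sh
# Encryption-at-host preflight (added example; helper names are assumed).
# State values are the ones `az feature show` reports in properties.state.

# Map the EncryptionAtHost registration state to "<verdict>: <advice>".
# Pure function: takes the state string, prints the message, never calls az.
eah_remediation() {
  case "$1" in
    Registered)
      echo "ok: EncryptionAtHost is registered; pass --encryption-at-host true to az vm create" ;;
    Registering|Pending)
      echo "wait: registration in progress; re-run the az feature show check until it reports Registered" ;;
    NotRegistered|Unregistered|Unregistering|"")
      echo "remediate: az feature register --namespace Microsoft.Compute --name EncryptionAtHost && az provider register --namespace Microsoft.Compute" ;;
    *)
      echo "unknown: unexpected feature state '$1'; check manually" ;;
  esac
}

# Build the security flags for `az vm create` from the table defaults:
# system-assigned identity is always on; encryption at host is added only
# when the subscription feature is registered, since the create call would
# otherwise be rejected.
vm_security_flags() {
  flags="--assign-identity [system]"
  if [ "$1" = "Registered" ]; then
    flags="$flags --encryption-at-host true"
  fi
  echo "$flags"
}

# Live check against the current subscription (needs `az login`). Skipped by
# default so the script runs offline; enable with EAH_LIVE=1.
eah_check() {
  state=$(az feature show --namespace Microsoft.Compute --name EncryptionAtHost \
            --query properties.state -o tsv 2>/dev/null)
  eah_remediation "$state"
  echo "flags: $(vm_security_flags "$state")"
}

if [ "${EAH_LIVE:-0}" = "1" ]; then
  eah_check
fi
```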