Automation Account Variable Encryption #1155
Hello, my team is working to apply NIST SP 800-53 R5 controls to our Azure environment. One of the controls requires all Automation account variables to be encrypted. The current deployment of the Optimization Engine only encrypts a few of the variables. Is there any way to encrypt the rest of them? Would we have to redeploy the entire tool? Also, I did not see any options in the deployment parameters to encrypt all of the variables.
Replies: 1 comment
@jemartinez-blm, AOE deployment does not offer a deployment option for encrypting all its variables; the only variables that are encrypted by default are the ones that contain sensitive information. For the other variables, as they are used to customize the behavior of AOE, you'd have to document the value of each of them prior to encryption, so that you're able to understand the impact of the current value in case you need to modify it later. After encryption, you'll have a lot of trouble knowing what the current value of each variable is, unless it was previously documented. Things such as the threshold for VM right-size CPU percentage or the currency code used to get retail prices would become hidden to you when checking how AOE is configured. These variables do not contain sensitive information and would become hardly usable by the end user if encrypted and not documented. For the reasons above, I do not recommend encrypting the vast majority of those variables. Nevertheless, if you cannot exempt AOE from NIST SP 800-53 R5 compliance, then you'd have to recreate all those variables, because Azure Automation does not support changing the encryption state of an existing variable. You must iterate over each variable, store its value in memory, and then recreate it with
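The recreate-as-encrypted procedure the reply describes, written out as an added PowerShell example. This is not AOE project code and not the maintainer's script: it uses the public Az.Automation cmdlets (Get-AzAutomationVariable, Remove-AzAutomationVariable, New-AzAutomationVariable), assumes an already authenticated Az session, and takes the resource group and Automation account names as parameters. It writes every unencrypted variable's name and value to a local JSON file before deleting anything, because once a variable is encrypted neither the portal nor Get-AzAutomationVariable will return its value again, which is exactly the documentation problem the reply warns about.

```powershell
# Added example (not AOE project code). Converts every unencrypted variable in an
# Automation account into an encrypted one by deleting and recreating it, after
# recording the current values locally. Requires Az.Accounts + Az.Automation and a
# prior Connect-AzAccount. Resource names are supplied by the caller.
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,
    [Parameter(Mandatory)] [string] $AutomationAccountName,
    # Local record of the plaintext values; protect or delete it once verified.
    [string] $BackupPath = ".\automation-variables-$(Get-Date -Format 'yyyyMMdd-HHmmss').json",
    # Dry run: list what would be converted without touching the account.
    [switch] $DryRun
)

$ErrorActionPreference = 'Stop'

$allVars = Get-AzAutomationVariable -ResourceGroupName $ResourceGroupName `
                                    -AutomationAccountName $AutomationAccountName

# Only unencrypted variables can be converted: the service never returns the value
# of an encrypted variable, so there is nothing to "store in memory" for those.
$toConvert = @($allVars | Where-Object { -not $_.Encrypted })
if ($toConvert.Count -eq 0) {
    Write-Host "All $($allVars.Count) variable(s) are already encrypted; nothing to do."
    return
}

# Document current values first. After encryption this file is the only place the
# configuration (thresholds, currency code, etc.) can still be read back.
$toConvert | Select-Object Name, Value, Description, Encrypted |
    ConvertTo-Json -Depth 10 | Set-Content -Path $BackupPath -Encoding utf8
Write-Host "Recorded $($toConvert.Count) unencrypted variable(s) to $BackupPath"

foreach ($v in $toConvert) {
    if ($null -eq $v.Value) {
        # A variable with no value cannot be meaningfully recreated; leave it alone.
        Write-Warning "Skipping '$($v.Name)': it has no value."
        continue
    }
    if ($DryRun) {
        Write-Host "Would recreate '$($v.Name)' as encrypted (current value: $($v.Value))"
        continue
    }

    # Azure Automation cannot toggle the Encrypted flag on an existing variable,
    # so the variable is removed and recreated under the same name.
    Remove-AzAutomationVariable -ResourceGroupName $ResourceGroupName `
                                -AutomationAccountName $AutomationAccountName `
                                -Name $v.Name -Confirm:$false

    $newVar = @{
        ResourceGroupName     = $ResourceGroupName
        AutomationAccountName = $AutomationAccountName
        Name                  = $v.Name
        Value                 = $v.Value      # original type (string, int, bool, object) is preserved
        Encrypted             = $true
    }
    if ($v.Description) { $newVar.Description = $v.Description }

    New-AzAutomationVariable @newVar | Out-Null
    Write-Host "Recreated '$($v.Name)' as encrypted"
}
```

Run it once with -DryRun to see which variables would change, then for real. Runbooks keep working because the internal Get-AutomationVariable cmdlet decrypts encrypted variables at run time; only the portal and the Az cmdlets stop showing values, so keep the backup file (it contains the plaintext configuration) in a controlled location and remove it when it is no longer needed.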