Missing Encryption at Rest for Azure Data Explorer Cluster
The Azure Data Explorer cluster is not configured to enforce disk encryption at rest. The azurerm_kusto_cluster resource in iac/main.tf does not set disk_encryption_enabled = true, which may leave data stored on the cluster’s disks insufficiently protected if the underlying storage is accessed outside normal application controls.
This can expose sensitive analytics, telemetry, logs, query data, or operational records to unauthorised disclosure in the event of infrastructure compromise, misconfigured access, insider misuse, or direct access to the backing storage layer. Encryption at rest should be explicitly enabled for services that store sensitive or business-critical data so that raw disk contents remain protected even if other access controls fail.
Remediation
Enable disk encryption for the Azure Data Explorer cluster by setting disk_encryption_enabled = true in the azurerm_kusto_cluster Terraform resource. Where appropriate, use well-managed encryption keys, follow Azure key management best practices, and ensure encryption settings are validated through infrastructure-as-code security tests before deployment.
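The remediation above asks for the setting to be validated by infrastructure-as-code security tests before deployment. The following Python script is an added example of such a pre-deployment check, not code from the original finding or from the affected project: it reads the JSON that `terraform show -json <planfile>` produces, walks the root module and all child modules, and reports every azurerm_kusto_cluster whose disk_encryption_enabled is not true. A missing attribute is reported as a failure, matching the finding's treatment of an unset attribute as unencrypted. The embedded sample plan, the cluster names (example-adx-*) and the module name (module.telemetry) are constructed placeholders; only the plan JSON layout (planned_values, root_module, resources, child_modules, values) is Terraform's own.

```python
"""Pre-deployment check: every azurerm_kusto_cluster in a Terraform plan
must set disk_encryption_enabled = true (CWE-311).

Input is the JSON written by `terraform show -json <planfile>`.
The SAMPLE_PLAN below is constructed for this example; its resource
and module names are placeholders, not the project's own.
"""
import json
import sys
from typing import Iterator

KUSTO_TYPE = "azurerm_kusto_cluster"

# Constructed sample plan: one root-module cluster that omits the attribute,
# one child-module cluster that sets it correctly, and one that sets it to false.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "planned_values": {
        "root_module": {
            "resources": [
                {
                    "address": "azurerm_kusto_cluster.analytics",
                    "mode": "managed",
                    "type": KUSTO_TYPE,
                    "name": "analytics",
                    # disk_encryption_enabled is not set at all here
                    "values": {"name": "example-adx-analytics", "location": "westeurope"},
                },
                {
                    "address": "azurerm_resource_group.rg",
                    "mode": "managed",
                    "type": "azurerm_resource_group",
                    "name": "rg",
                    "values": {"name": "example-rg", "location": "westeurope"},
                },
            ],
            "child_modules": [
                {
                    "address": "module.telemetry",
                    "resources": [
                        {
                            "address": "module.telemetry.azurerm_kusto_cluster.main",
                            "mode": "managed",
                            "type": KUSTO_TYPE,
                            "name": "main",
                            "values": {"name": "example-adx-telemetry",
                                       "disk_encryption_enabled": True},
                        },
                        {
                            "address": "module.telemetry.azurerm_kusto_cluster.legacy",
                            "mode": "managed",
                            "type": KUSTO_TYPE,
                            "name": "legacy",
                            "values": {"name": "example-adx-legacy",
                                       "disk_encryption_enabled": False},
                        },
                    ],
                }
            ],
        }
    },
}


def iter_resources(module: dict) -> Iterator[dict]:
    """Yield every planned resource in a module, descending into child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def find_unencrypted_kusto_clusters(plan: dict) -> list[str]:
    """Return the addresses of Kusto clusters whose disk_encryption_enabled is not true.

    An absent attribute is a failure, not a pass: the finding treats an unset
    disk_encryption_enabled as leaving the cluster's disks unencrypted.
    """
    root = plan.get("planned_values", {}).get("root_module", {})
    failing = []
    for res in iter_resources(root):
        if res.get("type") != KUSTO_TYPE:
            continue
        if res.get("values", {}).get("disk_encryption_enabled") is not True:
            failing.append(res["address"])
    return failing


def check_plan_json(plan_json: str) -> list[str]:
    """Parse `terraform show -json` output and run the check."""
    return find_unencrypted_kusto_clusters(json.loads(plan_json))


if __name__ == "__main__":
    # Usage: terraform plan -out tfplan && terraform show -json tfplan > plan.json
    #        python check_kusto_encryption.py plan.json
    # With no argument the constructed SAMPLE_PLAN is checked instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            findings = check_plan_json(fh.read())
    else:
        findings = find_unencrypted_kusto_clusters(SAMPLE_PLAN)
    for address in findings:
        print(f"FAIL {address}: disk_encryption_enabled must be true (CWE-311)")
    sys.exit(1 if findings else 0)
```

Wired into a CI job between `terraform plan` and `terraform apply`, a non-zero exit blocks the deployment until the attribute is set on every cluster. Checking the rendered plan rather than grepping .tf files means values supplied through variables, locals or modules are evaluated the way Terraform will actually apply them.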
Metadata
- Severity: high
- Slug: missing-encryption-at-rest-for-azure-data-explorer-cluster
Tags
- Azure
CWEs
- 311: Missing Encryption of Sensitive Data
OWASP
- A02:2021: Cryptographic Failures