
πŸ“ Azure SQL Database Transparent Data Encryption is not enabled 🟒

  • Contextual name: 📁 Database Transparent Data Encryption is not enabled 🟢
  • ID: /ce/ca/azure/sql-database/database-transparent-data-encryption
  • Located in: 📁 Azure SQL Database

Flags

Our Metadata

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies

Similar Internal Rules

  • ✉️ dec-x-2fcb6d852

Logic

Description

Enable Transparent Data Encryption on every SQL server.

Rationale

Azure SQL Database transparent data encryption helps protect against the threat of malicious activity by performing real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.

Audit

From Azure Portal

  1. Go to SQL databases.
  2. For each DB instance, under Security, click Data Encryption.
  3. Under Transparent data encryption, ensure that Data encryption is set to On.

From Azure CLI

Ensure the output of the command below is Enabled:

az sql db tde show --resource-group <resourceGroup> --server <dbServerName> --database <dbName> --query status

From PowerShell

Get a list of SQL Servers:

Get-AzSqlServer

For each server, list the databases:

Get-AzSqlDatabase -ServerName <SQL Server Name> -ResourceGroupName <Resource Group Name>

For each database not listed as a Master database, check for Transparent Data Encryption:

... see more

Remediation

From Azure Portal

  1. Go to SQL databases.
  2. For each DB instance, under Security, click Data Encryption.
  3. Under Transparent data encryption, set Data encryption to On.
  4. Click Save.

From Azure CLI

Use the command below to enable Transparent data encryption for the SQL DB instance:

az sql db tde set --resource-group <resourceGroup> --server <dbServerName> --database <dbName> --status Enabled

From PowerShell

Use the command below to enable Transparent data encryption for the SQL DB instance:

Set-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName <Resource Group Name> -ServerName <SQL Server Name> -DatabaseName <Database Name> -State 'Enabled'

Note:

  • TDE cannot be used to encrypt the logical master database in SQL Database. The master database contains objects that are needed to perform the TDE operations on the user databases.
  • Azure Portal does not show master databases per SQL server. However, CLI/API responses will show master databases.
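The PowerShell audit and remediation steps above are shown one cmdlet at a time. The script below is an added example, not code from the Cloudaware policy page or from Microsoft's documentation; it strings those same Az.Sql cmdlets together to walk every SQL server in the current subscription, skip the logical master database (which, as the note says, cannot use TDE but is returned by CLI/API calls), and report every user database whose TDE state is not Enabled. The script file name Audit-SqlTde.ps1 and the -Remediate switch are assumptions of this example; it assumes the Az.Sql module is installed and Connect-AzAccount has already been run.

```powershell
# Audit-SqlTde.ps1 (hypothetical file name; added example, not the policy page's own code)
# Lists every user database on every Azure SQL server in the current subscription
# whose Transparent Data Encryption state is not Enabled, and optionally enables it.
# Assumes: Az.Sql is installed and Connect-AzAccount has already been run.
# -Remediate is this script's own switch (an assumption), not a cmdlet parameter.

[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remediate
)

$findings = @()

foreach ($server in Get-AzSqlServer) {
    $databases = Get-AzSqlDatabase `
        -ResourceGroupName $server.ResourceGroupName `
        -ServerName $server.ServerName

    foreach ($db in $databases) {
        # The logical master database cannot be encrypted with TDE; the API
        # returns it even though the portal hides it, so it is skipped here.
        if ($db.DatabaseName -eq 'master') { continue }

        $tde = Get-AzSqlDatabaseTransparentDataEncryption `
            -ResourceGroupName $db.ResourceGroupName `
            -ServerName $db.ServerName `
            -DatabaseName $db.DatabaseName

        if ($tde.State -ne 'Enabled') {
            $findings += [pscustomobject]@{
                ResourceGroup = $db.ResourceGroupName
                Server        = $db.ServerName
                Database      = $db.DatabaseName
                TdeState      = $tde.State
            }

            # Only change anything when -Remediate is given; -WhatIf still works
            # because the script declares SupportsShouldProcess.
            $target = "$($db.ServerName)/$($db.DatabaseName)"
            if ($Remediate -and $PSCmdlet.ShouldProcess($target, 'Enable Transparent Data Encryption')) {
                Set-AzSqlDatabaseTransparentDataEncryption `
                    -ResourceGroupName $db.ResourceGroupName `
                    -ServerName $db.ServerName `
                    -DatabaseName $db.DatabaseName `
                    -State 'Enabled' | Out-Null
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'All user databases have Transparent Data Encryption enabled.'
} else {
    $findings | Format-Table -AutoSize | Out-Host
    # Non-zero exit code so a compliance pipeline step fails on findings.
    exit 1
}
```

Run it as `.\Audit-SqlTde.ps1` to audit only, or `.\Audit-SqlTde.ps1 -Remediate -WhatIf` to see which databases would be changed before running it with `-Remediate` alone. The non-zero exit code on findings is what lets the audit sit in a scheduled job or CI step and fail when a newly created database was provisioned without TDE.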


Linked Framework Sections

  • 💼 CIS Azure v2.1.0 → 💼 4.1.5 Ensure that 'Data encryption' is set to 'On' on a SQL Database - Level 1 (Automated)
  • 💼 CIS Azure v3.0.0 → 💼 5.1.5 Ensure that 'Data encryption' is set to 'On' on a SQL Database (Automated)
  • 💼 Cloudaware Framework → 💼 Data Encryption
  • 💼 FedRAMP High Security Controls → 💼 AC-2(1) Automated System Account Management (M)(H)
  • 💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)
  • 💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)
  • 💼 FedRAMP Moderate Security Controls → 💼 AC-2(1) Automated System Account Management (M)(H)
  • 💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)
  • 💼 ISO/IEC 27001:2022 → 💼 5.15 Access control
  • 💼 NIST SP 800-53 Revision 5 → 💼 AC-2(1) Account Management _ Automated System Account Management
  • 💼 UK Cyber Essentials → 💼 1.2 Prevent access to the administrative interface from the internet
  • 💼 UK Cyber Essentials → 💼 2.1.2 Change any default or guessable account passwords
  • 💼 UK Cyber Essentials → 💼 4.2.2 Use technical controls to manage the quality of passwords.
  • 💼 UK Cyber Essentials → 💼 4.2.4 The password element of the multi-factor authentication