πŸ›‘οΈ Azure SQL Database Transparent Data Encryption is not enabled🟒

  • Contextual name: 🛡️ Database Transparent Data Encryption is not enabled 🟢
  • ID: /ce/ca/azure/sql-database/database-transparent-data-encryption
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic

Similar Policies

Similar Internal Rules

Rule | Policies | Flags
✉️ dec-x-2fcb6d852 | |

Description

Enable Transparent Data Encryption on every SQL server.

Rationale

Azure SQL Database transparent data encryption helps protect against the threat of malicious activity by performing real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.

Audit

From Azure Portal

  1. Go to SQL databases.
  2. For each DB instance, under Security, click Data Encryption.
  3. Under Transparent data encryption, ensure that Data encryption is set to On.

From Azure CLI

Ensure the output of the below command is Enabled:

az sql db tde show --resource-group <resourceGroup> --server <dbServerName> --database <dbName> --query status

From PowerShell

Get a list of SQL Servers:

Get-AzSqlServer

For each server, list the databases:

Get-AzSqlDatabase -ServerName <SQL Server Name> -ResourceGroupName <Resource Group Name>

For each database not listed as a Master database, check for Transparent Data Encryption:

... see more
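The full audit loop over every server and user database, as an added example (this is not the policy page's or Cloudaware's own code). It uses the Az cmdlets named above plus Get-AzSqlDatabaseTransparentDataEncryption from the Az.Sql module, skips the logical master database that TDE cannot encrypt, and the -Remediate switch name is this example's own; it assumes Connect-AzAccount has already been run.

```powershell
# Added audit helper (not from the policy page or Cloudaware): walks every SQL
# server visible in the current Az context, skips the logical master database
# (TDE cannot encrypt it), and reports each user database whose TDE state is
# not Enabled. With -Remediate it also switches TDE on, as the remediation
# step does. Assumes Az.Sql is installed and Connect-AzAccount has been run.
function Get-SqlDatabaseTdeCompliance {
    [CmdletBinding()]
    param(
        [switch]$Remediate   # hypothetical switch name chosen for this example
    )

    foreach ($server in Get-AzSqlServer) {
        # CLI/API responses include master; the portal does not show it.
        $databases = Get-AzSqlDatabase -ResourceGroupName $server.ResourceGroupName `
                                       -ServerName $server.ServerName |
                     Where-Object { $_.DatabaseName -ne 'master' }

        foreach ($db in $databases) {
            $tde = Get-AzSqlDatabaseTransparentDataEncryption `
                       -ResourceGroupName $server.ResourceGroupName `
                       -ServerName $server.ServerName `
                       -DatabaseName $db.DatabaseName

            $compliant = ([string]$tde.State -eq 'Enabled')

            if (-not $compliant -and $Remediate) {
                # Same call the remediation section uses; the object emitted
                # below still records the state found before this change.
                Set-AzSqlDatabaseTransparentDataEncryption `
                    -ResourceGroupName $server.ResourceGroupName `
                    -ServerName $server.ServerName `
                    -DatabaseName $db.DatabaseName `
                    -State 'Enabled' | Out-Null
            }

            [pscustomobject]@{
                ResourceGroup = $server.ResourceGroupName
                Server        = $server.ServerName
                Database      = $db.DatabaseName
                TdeState      = [string]$tde.State
                Compliant     = $compliant
            }
        }
    }
}

# Report only the databases that violate the policy (no changes are made).
Get-SqlDatabaseTdeCompliance | Where-Object { -not $_.Compliant } | Format-Table
```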

Remediation

From Azure Portal

  1. Go to SQL databases.
  2. For each DB instance, under Security, click Data Encryption.
  3. Under Transparent data encryption, set Data encryption to On.
  4. Click Save.

From Azure CLI

Use the command below to enable Transparent Data Encryption for the SQL DB instance:

az sql db tde set --resource-group <resourceGroup> --server <dbServerName> --database <dbName> --status Enabled

From PowerShell

Use the command below to enable Transparent Data Encryption for the SQL DB instance:

Set-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName <Resource Group Name> -ServerName <SQL Server Name> -DatabaseName <Database Name> -State 'Enabled'

Note:

  • TDE cannot be used to encrypt the logical master database in SQL Database. The master database contains objects that are needed to perform the TDE operations on the user databases.
  • Azure Portal does not show master databases per SQL server. However, CLI/API responses will show master databases.

policy.yaml

Linked Framework Sections

Section | Sub Sections / Internal Rules / Policies / Flags | Compliance
💼 CIS Azure v2.1.0 → 💼 4.1.5 Ensure that 'Data encryption' is set to 'On' on a SQL Database - Level 1 (Automated) | 1 | no data
💼 CIS Azure v3.0.0 → 💼 5.1.5 Ensure that 'Data encryption' is set to 'On' on a SQL Database (Automated) | 1 | no data
💼 Cloudaware Framework → 💼 Data Encryption | 44 | no data
💼 FedRAMP High Security Controls → 💼 AC-2(1) Automated System Account Management (M)(H) | 18 | no data
💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H) | 3768 | no data
💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H) | 68 | no data
💼 FedRAMP Moderate Security Controls → 💼 AC-2(1) Automated System Account Management (M)(H) | 18 | no data
💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H) | 68 | no data
💼 ISO/IEC 27001:2022 → 💼 5.15 Access control | 1431 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-2(1) Account Management _ Automated System Account Management | 418 | no data
💼 SOC 2 → 💼 CC7.1-1 Uses Defined Configuration Standards | 45 | no data
💼 UK Cyber Essentials → 💼 1.2 Prevent access to the administrative interface from the internet | 3638 | no data
💼 UK Cyber Essentials → 💼 2.1.2 Change any default or guessable account passwords | 23 | no data
💼 UK Cyber Essentials → 💼 4.2.2 Use technical controls to manage the quality of passwords. | 23 | no data
💼 UK Cyber Essentials → 💼 4.2.4 The password element of the multi-factor authentication | 23 | no data