Skip to main content

πŸ›‘οΈ Azure SQL Server Transparent Data Encryption Protector is not encrypted with Customer-managed key🟒

  • Contextual name: πŸ›‘οΈ Server Transparent Data Encryption Protector is not encrypted with Customer-managed key🟒
  • ID: /ce/ca/azure/sql-database/server-transparent-data-encryption-protector-with-cmk
  • Tags:
  • Policy Type: BEST_PRACTICE
  • Policy Categories: SECURITY

Logic​

Similar Policies​

Similar Internal Rules​

RulePoliciesFlags
βœ‰οΈ dec-x-230b5e351

Description​

Open File

Description​

Transparent Data Encryption (TDE) with Customer-managed key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties.

With TDE, data is encrypted at rest with a symmetric key (called the database encryption key) stored in the database or data warehouse distribution. To protect this data encryption key (DEK) in the past, only a certificate that the Azure SQL Service managed could be used. Now, with Customer-managed key support for TDE, the DEK can be protected with an asymmetric key that is stored in the Azure Key Vault. The Azure Key Vault is a highly available and scalable cloud-based key store which offers central key management, leverages FIPS 140-2 Level 2 validated hardware security modules (HSMs), and allows separation of management of keys and data for additional security.

Based on business needs or criticality of data/databases hosted on a SQL server, it is recommended that the TDE protector is encrypted by a key that is managed by the data owner (Customer-managed key).

... see more

Remediation​

Open File

Remediation​

From Azure Console​

  1. Go to SQL servers.
  2. For each SQL server, under Security, click Transparent data encryption.
  3. Set Transparent data encryption to Customer-managed key.
  4. Select a key or enter a key identifier.
  5. Check Make this key the default TDE protector.
  6. Click Save.

From Azure CLI​

Use the below command to encrypt SQL server's TDE protector with a Customer-managed key:

az sql server tde-key set --resource-group <resourceName> --server <dbServerName> --server-key-type {AzureKeyVault} --kid <keyIdentifier>

From PowerShell​

Use the below command to encrypt SQL server's TDE protector with a Customer-managed Key Vault key:

Set-AzSqlServerTransparentDataEncryptionProtector -Type AzureKeyVault -KeyId <KeyIdentifier> -ServerName <ServerName> -ResourceGroupName <ResourceGroupName>

Select Y when prompted.

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
πŸ’Ό CIS Azure v1.1.0 β†’ πŸ’Ό 4.10 Ensure SQL server's TDE protector is encrypted with BYOK (Use your own key)11no data
πŸ’Ό CIS Azure v1.3.0 β†’ πŸ’Ό 4.5 Ensure SQL server's TDE protector is encrypted with Customer-managed key - Level 2 (Automated)11no data
πŸ’Ό CIS Azure v1.4.0 β†’ πŸ’Ό 4.6 Ensure SQL server's TDE protector is encrypted with Customer-managed key - Level 2 (Automated)11no data
πŸ’Ό CIS Azure v1.5.0 β†’ πŸ’Ό 4.1.3 Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key - Level 2 (Automated)11no data
πŸ’Ό CIS Azure v2.0.0 β†’ πŸ’Ό 4.1.3 Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key - Level 2 (Automated)11no data
πŸ’Ό CIS Azure v2.1.0 β†’ πŸ’Ό 4.1.3 Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key - Level 2 (Automated)11no data
πŸ’Ό CIS Azure v3.0.0 β†’ πŸ’Ό 5.1.3 Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key (Automated)1no data
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Data Encryption44no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-4(4) Flow Control of Encrypted Information (H)2526no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-12 Cryptographic Key Establishment and Management (L)(M)(H)1911no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-28 Protection of Information at Rest (L)(M)(H)1724no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-28(1) Cryptographic Protection (L)(M)(H)514no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-12 Cryptographic Key Establishment and Management (L)(M)(H)11no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-28 Protection of Information at Rest (L)(M)(H)124no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-28(1) Cryptographic Protection (L)(M)(H)14no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-12 Cryptographic Key Establishment and Management (L)(M)(H)11no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-28 Protection of Information at Rest (L)(M)(H)124no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-28(1) Cryptographic Protection (L)(M)(H)14no data
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.10.1.2 Key management912no data
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 5.33 Protection of records1015no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-1: Data-at-rest is protected1530no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-2: Data-in-transit is protected1653no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected148no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected125no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-4(2) Information Flow Enforcement _ Processing Domains3032no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-4(14) Information Flow Enforcement _ Security or Privacy Policy Filter Constraints22no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-28 Protection of Information at Rest31625no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-28(1) Protection of Information at Rest _ Cryptographic Protection1014no data
πŸ’Ό SOC 2 β†’ πŸ’Ό CC6.1-9 Manages Credentials for Infrastructure and Software34no data