turbot/azure_compliance

Control: 4.1.2 Ensure that 'Data encryption' is set to 'On' on a SQL Database

Description

It is recommended to enable Transparent Data Encryption on every SQL database. Azure SQL database transparent data encryption helps to protect against the threat of malicious activity by performing real-time encryption and decryption of the database, associated backups and transaction log files at rest without requiring changes to the application.

Transparent Data Encryption (TDE) is enabled or disabled at the level of the individual SQL Database, not at the SQL Server level. TDE cannot be used to encrypt the logical master database in SQL Database.

The default setting for Transparent Data Encryption is On.

Remediation

From Console

  1. Log in to the Azure console and navigate to SQL Databases.
  2. For each database, open the Security section in the left pane.
  3. Click Transparent data encryption.
  4. Set Transparent data encryption to On.
  5. Click Save.

From Command Line

az sql db tde set --resource-group <resourceGroup> --server <dbServerName> --database <dbName> --status Enabled

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v130_4_1_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v130_4_1_2 --share

SQL

This control uses a named query:

sql_database_transparent_data_encryption_enabled
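The query below is an added example of how such a check is written against Steampipe's Azure plugin tables; it is not the mod's own `sql_database_transparent_data_encryption_enabled` query. It assumes the `azure_sql_database` table exposes a `transparent_data_encryption` JSON column whose `status` key reads `Enabled` when TDE is on (the column and key names are assumptions), and it excludes the logical master database because, as the description notes, TDE cannot be applied to it.

```sql
-- Flag every user database whose Transparent Data Encryption is not enabled.
-- Output columns follow the resource / status / reason / dimensions shape
-- that Powerpipe controls expect.
select
  s.id as resource,
  case
    -- assumed JSON shape: {"status": "Enabled" | "Disabled", ...}
    when s.transparent_data_encryption ->> 'status' = 'Enabled' then 'ok'
    else 'alarm'
  end as status,
  case
    when s.transparent_data_encryption ->> 'status' = 'Enabled'
      then s.name || ' transparent data encryption is enabled.'
    else s.name || ' transparent data encryption is disabled.'
  end as reason,
  s.resource_group,
  sub.display_name as subscription
from
  azure_sql_database as s
  join azure_subscription as sub
    on sub.subscription_id = s.subscription_id
where
  -- TDE cannot encrypt the logical master database, so it is out of scope
  s.name <> 'master'
order by
  sub.display_name, s.resource_group, s.name;
```

Any row whose `status` is `alarm` corresponds to a database that the remediation steps above should be applied to; rerunning the query after `az sql db tde set ... --status Enabled` confirms the change took effect.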

Tags