Control: 5.1.5 Ensure that 'Data encryption' is set to 'On' on a SQL Database
Description
Enable Transparent Data Encryption on every SQL server.
Azure SQL Database transparent data encryption helps protect against the threat of malicious activity by performing real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.
Remediation
From Azure Portal
- Go to SQL databases.
- For each DB instance, under Security, click Data Encryption.
- Under Transparent data encryption, set Data encryption to On.
- Click Save.
From Azure CLI
Use the command below to enable Transparent data encryption for a SQL DB instance.
az sql db tde set --resource-group <resourceGroup> --server <dbServerName> --database <dbName> --status Enabled
From PowerShell
Use the command below to enable Transparent data encryption for a SQL DB instance.
Set-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName <Resource Group Name> -ServerName <SQL Server Name> -DatabaseName <Database Name> -State 'Enabled'
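The CLI and PowerShell commands above remediate one database at a time. The script below is an added example, not part of the CIS benchmark or the azure_compliance mod: it walks every SQL server visible to the current az login, skips the master database (which cannot be TDE-encrypted), reports each database's TDE state, and either prints or runs the az remediation command. It assumes the Azure CLI is installed and logged in, and that az sql db tde show reports the state in a field named state (newer API versions) or status (older ones); any value other than the exact string Enabled is treated as non-compliant so a failed lookup never passes silently.

```shell
#!/usr/bin/env bash
# Added example: audit and remediate TDE across all SQL databases in the
# current subscription. Not the benchmark's or the mod's own code.
# Assumes: 'az' is installed and logged in; 'az sql db tde show' exposes
# the TDE state as 'state' (newer API) or 'status' (older API).
set -euo pipefail

# True (exit 0) when the reported TDE state requires remediation.
# Empty, "Disabled" or anything unexpected all count as non-compliant.
needs_tde() {
  local state="${1:-}"
  [ "$state" != "Enabled" ]
}

# Print the remediation command for one database, so it can be reviewed
# before being run (dry-run mode) or pasted into a change ticket.
tde_enable_cmd() {
  local rg="$1" server="$2" db="$3"
  printf 'az sql db tde set --resource-group %q --server %q --database %q --status Enabled\n' \
    "$rg" "$server" "$db"
}

# Walk servers -> databases, skipping 'master': it holds the objects TDE
# itself depends on and cannot be encrypted, but the CLI does list it.
audit_tde() {
  local apply="${1:-no}" rg server db state
  az sql server list --query '[].[resourceGroup,name]' -o tsv |
  while IFS=$'\t' read -r rg server; do
    az sql db list --resource-group "$rg" --server "$server" \
      --query "[?name!='master'].name" -o tsv |
    while read -r db; do
      # JMESPath '||' returns the first non-null field, covering both schemas.
      state=$(az sql db tde show --resource-group "$rg" --server "$server" \
        --database "$db" --query 'state || status' -o tsv 2>/dev/null || true)
      if needs_tde "$state"; then
        echo "ALARM  $server/$db  TDE state: ${state:-unknown}"
        if [ "$apply" = "yes" ]; then
          az sql db tde set --resource-group "$rg" --server "$server" \
            --database "$db" --status Enabled >/dev/null
          echo "FIXED  $server/$db"
        else
          tde_enable_cmd "$rg" "$server" "$db"
        fi
      else
        echo "OK     $server/$db"
      fi
    done
  done
}

# Only run the walk when the Azure CLI is present; pass --apply to
# remediate instead of printing the commands.
if command -v az >/dev/null 2>&1; then
  if [ "${1:-}" = "--apply" ]; then audit_tde yes; else audit_tde no; fi
fi
```

Run it once without arguments to get a dry-run report and the exact commands that would be executed, review the ALARM lines, then re-run with --apply. Enabling TDE on a large database kicks off a background encryption scan, so schedule the apply run accordingly.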
Note:
TDE cannot be used to encrypt the logical master database in SQL Database. The master database contains objects that are needed to perform the TDE operations on the user databases.
Azure Portal does not show the master database for a SQL server, but CLI/API responses do, so scripted checks should exclude it.
Default Value
By default, Data encryption is set to On.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v300_5_1_5
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.cis_v300_5_1_5 --share
SQL
This control uses a named query:
sql_database_transparent_data_encryption_enabled