Data encryption on SQL Database Server should be enabled

azure.sql

Warning: This rule will be deprecated 18 December 2023 as part of the update to Azure CIS version 2.0.0

Description

Enable Transparent Data Encryption (TDE) on every database hosted on each SQL server. TDE is configured per database, not per server, so each database must be checked individually.

Rationale

Azure SQL Database transparent data encryption helps protect against the threat of malicious activity by performing real-time encryption and decryption of the database, its associated backups, and its transaction log files at rest, without requiring changes to the application. TDE is enabled by default on newly created Azure SQL databases, so this rule mainly catches older databases and databases where it was explicitly turned off.

Remediation

From the console

  1. Go to SQL databases
  2. For each DB instance
  3. Click on Transparent data encryption
  4. Set Data encryption to On

From the Azure Command Line Interface

Use the below command to enable Transparent data encryption for a SQL DB instance:

az sql db tde set --resource-group <resourceGroup> --server <dbServerName> --database <dbName> --status Enabled

Note: TDE cannot be used to encrypt the logical master database in SQL Database. The master database contains objects that are needed to perform the TDE operations on the user databases. Azure Portal does not show master databases per SQL server. However, CLI/API responses will show master databases.
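The following script is an added example and is not part of the original rule text or the benchmark. It audits every database on one SQL server using the Azure CLI, skips the logical master database (which the CLI lists but which cannot have TDE set, as the note above explains), and prints the `az sql db tde set` command for each database whose status is not Enabled. The resource group and server names (myResourceGroup, mySqlServer) and the sample status lines are placeholders constructed for an offline dry run; the `--live` mode requires a logged-in Azure CLI.

```shell
#!/usr/bin/env bash
# Added example (not part of the original rule): find databases on a SQL server
# with TDE off and print the remediation commands. Assumes the Azure CLI is
# installed and logged in for the --live path; names below are placeholders.
set -eu

TAB="$(printf '\t')"

# Select databases that need TDE enabled, from lines of "<dbName><TAB><status>"
# as produced by `az sql db tde show ... --query status -o tsv`.
# The logical master database is skipped: TDE cannot be set on it.
select_unencrypted_dbs() {
  while IFS="$TAB" read -r name status; do
    [ -z "$name" ] && continue
    [ "$name" = "master" ] && continue
    case "$status" in
      Enabled) ;;                    # already compliant
      *) printf '%s\n' "$name" ;;    # Disabled or unknown status: remediate
    esac
  done
}

# Emit the az command that turns TDE on for each database name read from stdin.
remediation_commands() {
  rg="$1"; server="$2"
  while read -r db; do
    printf 'az sql db tde set --resource-group %s --server %s --database %s --status Enabled\n' \
      "$rg" "$server" "$db"
  done
}

# Collect real status lines from Azure. Not exercised offline; needs `az login`.
# Note that `az sql db list` returns master as well, which is why it is filtered.
collect_tde_status() {
  rg="$1"; server="$2"
  az sql db list --resource-group "$rg" --server "$server" --query "[].name" -o tsv |
  while read -r db; do
    status=$(az sql db tde show --resource-group "$rg" --server "$server" \
               --database "$db" --query status -o tsv)
    printf '%s\t%s\n' "$db" "$status"
  done
}

# Constructed sample output (not from a real subscription) for the offline dry run.
SAMPLE_STATUS="$(printf 'master\tDisabled\nordersdb\tDisabled\ncustomersdb\tEnabled\nreports\tDisabled\n')"

if [ "${1:-}" = "--live" ]; then
  # usage: ./tde_audit.sh --live <resourceGroup> <dbServerName>
  collect_tde_status "$2" "$3" | select_unencrypted_dbs | remediation_commands "$2" "$3"
else
  printf '%s\n' "$SAMPLE_STATUS" | select_unencrypted_dbs | remediation_commands myResourceGroup mySqlServer
fi
```

The script only prints the commands rather than running them, so the output can be reviewed (and the master entry confirmed absent) before piping it to `sh` in a change window.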

References

  1. https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption-with-azure-sql-database
  2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-5-encrypt-sensitive-data-at-rest