rules/findings/azure/databases/azure_sql/azure-sql-lacks-data-encryption.json

{
    "args": [],
    "provider": "Azure",
    "serviceType": "SQL Database",
    "serviceName": "Databases",
    "displayName": "Ensure that 'Data encryption' is set to 'On' on a SQL Database",
    "description": "Enable Transparent Data Encryption on every SQL server.",
    "rationale": "Azure SQL Database transparent data encryption helps protect against the threat of malicious activity by performing real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.",
    "impact": "",
    "remediation": {
        "text": "
            ##### Remediate From Azure Portal
            1. Go to SQL databases
            2. For each DB instance
            3. Click on Transparent data encryption
            4. Set Data encryption to On

            ##### Remediate From Azure CLI
            Use the Azure CLI command `az sql db tde set --status Enabled` (with the resource group, server and database names) to enable Transparent data encryption for each SQL DB instance.
        ",
        "code": {
            "powerShell": null,
            "iac": null,
            "terraform": null,
            "other": null
        }
    },
    "recommendation": null,
    "references": [
        "https://learn.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-tde-overview?view=azuresql&tabs=azure-portal",
        "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-data-protection#dp-4-enable-data-at-rest-encryption-by-default",
        "https://learn.microsoft.com/en-us/powershell/module/az.sql/set-azsqldatabasetransparentdataencryption?view=azps-15.4.0&viewFallbackFrom=azps-9.2.0"
    ],
    "compliance": [
        {
            "name": "CIS Microsoft Azure Database Services",
            "version": "2.0.0",
            "reference": "9.6",
            "profile": [
                "Level 1"
            ]
        }
    ],
    "level": "medium",
    "tags": [],
    "rule": {
        "path": "az_sql_servers",
        "subPath": null,
        "selectCondition": {
             
        },
        "query": [
            {
                "filter": [
                    {
                        "conditions": [
                            [
                                "databases.name",
                                "ne",
                                "master"
                            ],
                            [
                                "databases.tdeSettings.status",
                                "ne",
                                "Enabled"
                            ]
                        ],
                        "operator": "and"
                    }
                ]
            }
        ],
        "shouldExist": null,
        "returnObject": null,
        "removeIfNotExists": null
    },
    "output": {
        "html": {
            "data": {
                "properties": {
                    "name": "Name",
                    "location": "Location",
                    "resourceGroupName": "Resource Group Name"
                },
                "expandObject": null
            },
            "table": "default",
            "decorate": [],
            "emphasis": [],
            "actions": {
                "objectData": {
                    "properties": [
                        "id",
                        "name",
                        "location",
                        "databases"
                    ],
                    "expandObject": null,
                    "limit": null
                },
                "showGoToButton": "True",
                "showModalButton": "True",
                "directLink": null
            }
        },
        "text": {
            "data": {
                "properties": {
                    "name": "Name",
                    "location": "Location",
                    "resourceGroupName": "Resource Group Name"
                },
                "expandObject": null
            },
            "status": {
                "keyName": ["name"],
                "message": "Ensure that 'Data encryption' is set to 'On' on a SQL Database for {name}",
                "defaultMessage": null
            },
            "properties": {
                "resourceName": "name",
                "resourceId": "id",
                "resourceType": "type"
            },
            "onlyStatus": false
        }
    },
    "idSuffix": "azure_sql_database_data_encryption_disabled",
    "notes": [],
    "categories": [],
    "immutable_properties": [
        "name",
        "id"
    ],
    "id": "azure_sql_006"
}