Use SQL database TDE

Security · SQL Database · Rule · 2020_06 · Critical

Use Transparent Data Encryption (TDE) with Azure SQL Database.

Description

TDE helps protect Azure SQL Databases against malicious offline access by encrypting data at rest. SQL Databases perform real-time encryption and decryption of the database, backups, and log files. Encryption is perform at rest without requiring changes to the application.

By default, TDE is enabled for all user-defined databases.

Recommendation

Consider enabling Transparent Data Encryption (TDE) for Azure SQL Databases to perform encryption at rest.

Examples

Configure with Azure template

To deploy databases that pass this rule:

• Configure a Microsoft.Sql/servers/databases/transparentDataEncryption sub-resource.
  • Set the properties.state to Enabled.

For example:

Azure Template snippet

{
  "type": "Microsoft.Sql/servers/databases/transparentDataEncryption",
  "apiVersion": "2023-08-01-preview",
  "name": "[format('{0}/{1}/{2}', parameters('name'), parameters('name'), 'current')]",
  "properties": {
    "state": "Enabled"
  },
  "dependsOn": [
    "[resourceId('Microsoft.Sql/servers/databases', parameters('name'), parameters('name'))]"
  ]
}

Configure with Bicep

To deploy databases that pass this rule:

• Configure a Microsoft.Sql/servers/databases/transparentDataEncryption sub-resource.
  • Set the properties.state to Enabled.

For example:

Azure Bicep snippet

resource tde 'Microsoft.Sql/servers/databases/transparentDataEncryption@2023-08-01-preview' = {
  parent: database
  name: 'current'
  properties: {
    state: 'Enabled'
  }
}

Configure with Azure CLI

Azure CLI snippet

az sql db tde set --status Enabled -s '<server_name>' -d '<database>' -g '<resource_group>'

Configure with Azure PowerShell

Azure PowerShell snippet

Set-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName '<resource_group>' -ServerName '<server_name>' -DatabaseName '<database>' -State Enabled

Configure with Azure Policy

To address this issue at runtime use the following policies:

• Transparent Data Encryption on SQL databases should be enabled /providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12
• Deploy SQL DB transparent data encryption /providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f

Links

• SE:07 Encryption
• Transparent data encryption for SQL Database
• Azure deployment reference

Comments