lacework-global-540
4.1.5 Ensure that 'Data encryption' is set to 'On' on a SQL Database (Automated)
Profile Applicability
• Level 1
Description
Enable Transparent Data Encryption on every SQL server.
Rationale
Azure SQL Database transparent data encryption helps protect against the threat of malicious activity by performing real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.
Audit
From Azure Portal
- Go to SQL databases
- For each DB instance
- Click on Transparent data encryption
- Ensure that Data encryption is set to On
From Azure CLI
Ensure the output of the below command is Enabled
az sql db tde show --resource-group <resourceGroup> --server <dbServerName> --database <dbName> --query status
From Azure PowerShell
Get a list of SQL Servers.
Get-AzSqlServer
For each server, list the databases.
Get-AzSqlDatabase -ServerName <SQL Server Name> -ResourceGroupName <Resource Group Name>
For each database not listed as a Master database, check for Transparent Data Encryption.
Get-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName <Resource Group Name> -ServerName <SQL Server Name> -DatabaseName <Database Name>
Make sure DataEncryption is Enabled for each database except the Master database.
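The CLI and PowerShell audits above check one database at a time. As an added example that is not part of the benchmark text, the POSIX shell script below walks every SQL server and database visible to the logged-in Azure CLI, skips the logical master database (which TDE cannot encrypt) and prints each remaining database whose TDE status is not Enabled. It assumes the Azure CLI is installed and authenticated; the function names are my own.

```shell
#!/bin/sh
# Added example: audit TDE on every Azure SQL database visible to the logged-in
# Azure CLI. Assumes `az` is installed and authenticated; the function names
# are assumptions of this example, not part of the benchmark.

# Print the TDE status ("Enabled" or "Disabled") of one database.
# Arguments: resource group, server name, database name.
tde_status() {
  az sql db tde show --resource-group "$1" --server "$2" --database "$3" \
      --query status --output tsv </dev/null
}

# Succeed when the database is compliant: TDE is Enabled, or the database is
# the logical master database, which cannot be encrypted with TDE.
# Arguments: resource group, server name, database name.
db_is_compliant() {
  [ "$3" = "master" ] && return 0
  status=$(tde_status "$1" "$2" "$3") || return 1
  [ "$status" = "Enabled" ]
}

# Walk every server and database; print non-compliant ones as rg/server/db.
list_noncompliant() {
  tab=$(printf '\t')
  az sql server list --query "[].[resourceGroup,name]" --output tsv </dev/null |
  while IFS="$tab" read -r rg server; do
    az sql db list --resource-group "$rg" --server "$server" \
        --query "[].name" --output tsv </dev/null |
    while read -r db; do
      db_is_compliant "$rg" "$server" "$db" || printf '%s/%s/%s\n' "$rg" "$server" "$db"
    done
  done
}

# Exit status 0 when every user database has TDE enabled, 1 otherwise
# (the non-compliant databases are printed, one per line).
audit_tde() {
  findings=$(list_noncompliant)
  [ -n "$findings" ] || return 0
  printf '%s\n' "$findings"
  return 1
}
```

Source the file and call audit_tde; a non-zero exit status with one or more printed rg/server/db lines is a finding against this control.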
Remediation
From Azure Portal
- Go to SQL databases
- For each DB instance
- Click on Transparent data encryption
- Set Data encryption to On
From Azure CLI
Use the command below to enable Transparent data encryption for a SQL DB instance.
az sql db tde set --resource-group <resourceGroup> --server <dbServerName> --database <dbName> --status Enabled
Note
- TDE cannot be used to encrypt the logical master database in SQL Database. The master database contains objects that are needed to perform the TDE operations on the user databases.
- Azure Portal does not show master databases per SQL server. However, CLI/API responses will show master databases.
References
https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption-with-azure-sql-database
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-4-enable-data-at-rest-encryption-by-default
Additional Information
- Transparent Data Encryption (TDE) can be enabled or disabled at the individual SQL Database level, not at the SQL Server level.
- TDE cannot be used to encrypt the logical master database in SQL Database. The master database contains objects that are needed to perform the TDE operations on the user databases.