turbot/azure_cis

Pipeline: 5.1.5 Ensure that 'Data encryption' is set to 'On' on a SQL Database

Description

Enable Transparent Data Encryption on every SQL server.

Azure SQL Database transparent data encryption helps protect against the threat of malicious activity by performing real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.

Remediation

From Azure Portal

  1. Go to SQL databases.
  2. For each DB instance, under Security, click Data Encryption.
  3. Under Transparent data encryption, set Data encryption to On.
  4. Click Save.

From Azure CLI

Use the following command to enable Transparent Data Encryption on a SQL Database instance:

az sql db tde set --resource-group <resourceGroup> --server <dbServerName> --database <dbName> --status Enabled

From PowerShell

Use the following command to enable Transparent Data Encryption on a SQL Database instance:

Set-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName <Resource Group Name> -ServerName <SQL Server Name> -DatabaseName <Database Name> -State 'Enabled'

Note:

  • TDE cannot be used to encrypt the logical master database in SQL Database. The master database contains objects that are needed to perform the TDE operations on the user databases.

  • Azure Portal does not show master databases per SQL server. However, CLI/API responses will show master databases.
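The single-database commands above fix one instance at a time, and the note explains why the logical master database has to be left out. The following script is an added example, not part of the turbot/azure_cis mod or the CIS benchmark: it walks every SQL server in the current subscription, reports the TDE state of each user database, and only with the -Remediate switch enables TDE where it is off. It assumes the Az.Sql module and an authenticated session (Connect-AzAccount); the script and parameter names are this example's own.

```powershell
# Added example (not part of the turbot/azure_cis mod): audit every user database
# in the current subscription for Transparent Data Encryption and, when run with
# -Remediate, turn it on where it is disabled. Assumes Az.Sql is installed and
# Connect-AzAccount has already been run. Names here are the example's own.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Remediate   # without this switch the script is report-only
)

$findings = foreach ($server in Get-AzSqlServer) {
    $databases = Get-AzSqlDatabase -ResourceGroupName $server.ResourceGroupName `
                                   -ServerName $server.ServerName |
        # The logical master database cannot be TDE-encrypted, so it is not a finding.
        Where-Object { $_.DatabaseName -ne 'master' }

    foreach ($db in $databases) {
        $tde = Get-AzSqlDatabaseTransparentDataEncryption `
            -ResourceGroupName $server.ResourceGroupName `
            -ServerName $server.ServerName `
            -DatabaseName $db.DatabaseName

        $compliant = ($tde.State -eq 'Enabled')

        # Remediate only when asked to, and honour -WhatIf / -Confirm via ShouldProcess.
        if (-not $compliant -and $Remediate -and
            $PSCmdlet.ShouldProcess("$($server.ServerName)/$($db.DatabaseName)", 'Enable TDE')) {
            Set-AzSqlDatabaseTransparentDataEncryption `
                -ResourceGroupName $server.ResourceGroupName `
                -ServerName $server.ServerName `
                -DatabaseName $db.DatabaseName `
                -State 'Enabled' | Out-Null
            $compliant = $true
        }

        [pscustomobject]@{
            ResourceGroup = $server.ResourceGroupName
            Server        = $server.ServerName
            Database      = $db.DatabaseName
            TdeState      = $tde.State
            Compliant     = $compliant
        }
    }
}

$findings | Format-Table -AutoSize
$nonCompliant = @($findings | Where-Object { -not $_.Compliant }).Count
Write-Host "$(@($findings).Count) user database(s) checked, $nonCompliant still without TDE."
```

Save it as, for example, Audit-SqlTde.ps1 and run it without arguments for a report only; add -Remediate -WhatIf to see which databases would be changed before running -Remediate for real. The report-only default mirrors the pipeline's approvers parameter: the state change is the part that should go through a decision, the audit can run freely.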

Default Value

By default, Data encryption is set to On.

Run the pipeline

To run this pipeline from your terminal:

flowpipe pipeline run azure_cis.pipeline.cis_v300_5_1_5

Use this pipeline

To call this pipeline from your pipeline, use a step:

step "pipeline" "step_name" {
  pipeline = azure_cis.pipeline.cis_v300_5_1_5
}

Params

| Name               | Type                 | Required | Description                                                                                                   | Default                      |
|--------------------|----------------------|----------|---------------------------------------------------------------------------------------------------------------|------------------------------|
| database           | connection.steampipe | Yes      | Database connection string.                                                                                   | connection.steampipe.default |
| notifier           | notifier             | Yes      | The name of the notifier to use for sending notification messages.                                            | notifier.default             |
| notification_level | string               | Yes      | The verbosity level of notification messages to send. Valid options are 'verbose', 'info', 'error'.           | info                         |
| approvers          | list(notifier)       | Yes      | List of notifiers to be used for obtaining action/approval decisions.                                         | notifier.default             |

Outputs

This pipeline has no outputs.

Tags

folder = CIS v3.0.0/5 Database Services/5.1 Azure SQL Database