Use SQL database TDE#
Security · SQL Database · Rule · 2020_06 · Critical
Use Transparent Data Encryption (TDE) with Azure SQL Database.
Description#
TDE helps protect Azure SQL Databases against malicious offline access by encrypting data at rest. Azure SQL Database performs real-time encryption and decryption of the database, its backups, and its transaction log files. Encryption is performed at the storage layer without requiring changes to the application. Note what TDE does not cover: it does not protect data from any principal that can authenticate to the database and query it, and it does not encrypt data in transit.
TDE is enabled by default for newly created Azure SQL Databases, but it can be disabled and is not guaranteed for databases created before this became the default, so declare the setting explicitly rather than relying on the default.
Recommendation#
Consider enabling Transparent Data Encryption (TDE) for Azure SQL Databases to perform encryption at rest.
Examples#
Configure with Azure template#
To deploy databases that pass this rule:
- Configure a Microsoft.Sql/servers/databases/transparentDataEncryption sub-resource.
- Set the properties.state to Enabled.
For example:
Azure Template snippet
{
  "type": "Microsoft.Sql/servers/databases/transparentDataEncryption",
  "apiVersion": "2023-08-01-preview",
  "name": "[format('{0}/{1}/{2}', parameters('name'), parameters('name'), 'current')]",
  "properties": {
    "state": "Enabled"
  },
  "dependsOn": [
    "[resourceId('Microsoft.Sql/servers/databases', parameters('name'), parameters('name'))]"
  ]
}
Configure with Bicep#
To deploy databases that pass this rule:
- Configure a Microsoft.Sql/servers/databases/transparentDataEncryption sub-resource.
- Set the properties.state to Enabled.
For example:
Azure Bicep snippet
resource tde 'Microsoft.Sql/servers/databases/transparentDataEncryption@2023-08-01-preview' = {
  parent: database
  name: 'current'
  properties: {
    state: 'Enabled'
  }
}
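The template and Bicep examples above declare the sub-resource; the Python script below, added here and not part of PSRule for Azure or of this page's original content, is a simplified offline check that applies the documented pass condition to an ARM template (or to the JSON that bicep build emits from the Bicep form): every Microsoft.Sql/servers/databases resource must have a transparentDataEncryption sub-resource, nested or declared at the top level, whose properties.state is Enabled. The sample template embedded in it is constructed for the example. It operates on literal resource names, so templates that build names from expressions such as the format() call above need their parameters resolved first (PSRule expands the template before evaluating rules), and master is skipped because TDE cannot be configured on it.

```python
"""Offline check: report Azure SQL databases in an ARM template that would
fail the Azure.SQL.TDE pass condition (added example, not PSRule's own code).

Pass condition as documented on this page: each Microsoft.Sql/servers/databases
resource has a transparentDataEncryption sub-resource with properties.state set
to Enabled. The sub-resource may be nested inside the database resource or
declared at the top level with a 'server/database/current' name.
"""
import json
import sys

DB_TYPE = "microsoft.sql/servers/databases"
TDE_TYPE = "microsoft.sql/servers/databases/transparentdataencryption"


def _walk(resources, parent_type="", parent_name=""):
    """Yield (type, full name, resource) for every resource, recursing into
    nested 'resources' arrays and expanding short child types and names."""
    for res in resources:
        rtype = res.get("type", "")
        if parent_type and "/" not in rtype:
            rtype = f"{parent_type}/{rtype}"          # "databases" -> full type
        name = res.get("name", "")
        if parent_name and name.count("/") + 1 < rtype.count("/"):
            name = f"{parent_name}/{name}"           # "orders" -> "server/orders"
        yield rtype, name, res
        yield from _walk(res.get("resources", []), rtype, name)


def find_databases_without_tde(template):
    """Return {database name: reason} for every database that fails the check."""
    databases = {}   # lowercased full name -> declared name
    tde_state = {}   # lowercased database name -> declared TDE state
    for rtype, name, res in _walk(template.get("resources", [])):
        key = rtype.lower()
        if key == DB_TYPE:
            databases[name.lower()] = name
        elif key == TDE_TYPE:
            db = name.rsplit("/", 1)[0].lower()       # drop the trailing 'current'
            tde_state[db] = str(res.get("properties", {}).get("state", ""))

    findings = {}
    for key, name in databases.items():
        if key.endswith("/master"):                  # TDE cannot be configured on master
            continue
        if key not in tde_state:
            findings[name] = "no transparentDataEncryption sub-resource"
        elif tde_state[key].lower() != "enabled":
            findings[name] = f"transparentDataEncryption state is {tde_state[key]!r}"
    return findings


# Constructed sample template for this example: four databases on one server.
SAMPLE_TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": "Microsoft.Sql/servers",
            "apiVersion": "2023-08-01-preview",
            "name": "sql-prod-01",
            "resources": [
                {   # nested database with TDE enabled: passes
                    "type": "databases",
                    "apiVersion": "2023-08-01-preview",
                    "name": "orders",
                    "resources": [
                        {"type": "transparentDataEncryption", "apiVersion": "2023-08-01-preview",
                         "name": "current", "properties": {"state": "Enabled"}}
                    ],
                },
                {   # nested database with TDE explicitly disabled: fails
                    "type": "databases",
                    "apiVersion": "2023-08-01-preview",
                    "name": "reporting",
                    "resources": [
                        {"type": "transparentDataEncryption", "apiVersion": "2023-08-01-preview",
                         "name": "current", "properties": {"state": "Disabled"}}
                    ],
                },
            ],
        },
        # top-level database with no TDE sub-resource at all: fails
        {"type": "Microsoft.Sql/servers/databases", "apiVersion": "2023-08-01-preview",
         "name": "sql-prod-01/staging"},
        # top-level database plus a separately declared TDE sub-resource: passes
        {"type": "Microsoft.Sql/servers/databases", "apiVersion": "2023-08-01-preview",
         "name": "sql-prod-01/billing"},
        {"type": "Microsoft.Sql/servers/databases/transparentDataEncryption",
         "apiVersion": "2023-08-01-preview", "name": "sql-prod-01/billing/current",
         "properties": {"state": "Enabled"}},
    ],
}

if __name__ == "__main__":
    # Usage: python check_tde.py [template.json]; with no argument the sample is checked.
    template = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    findings = find_databases_without_tde(template)
    for db, reason in sorted(findings.items()):
        print(f"FAIL {db}: {reason}")
    sys.exit(1 if findings else 0)
```

Run against the embedded sample it reports reporting (state Disabled) and staging (no sub-resource) and exits non-zero, which makes it usable as a pre-deployment gate in a pipeline; orders and billing pass because their sub-resource, nested or top-level, carries state Enabled.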
Configure with Azure CLI#
Azure CLI snippet
az sql db tde set --status Enabled -s '<server_name>' -d '<database>' -g '<resource_group>'
Configure with Azure PowerShell#
Azure PowerShell snippet
Set-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName '<resource_group>' -ServerName '<server_name>' -DatabaseName '<database>' -State Enabled
Configure with Azure Policy#
To address this issue at runtime, use the following policies:
- Transparent Data Encryption on SQL databases should be enabled (audit policy that reports databases with TDE disabled)
/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12
- Deploy SQL DB transparent data encryption (deployIfNotExists policy that enables TDE on non-compliant databases)
/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f