last sync: 2025-Apr-29 17:16:02 UTC

[Deprecated]: SQL managed instances should use customer-managed keys to encrypt data at rest

Azure BuiltIn Policy definition

Source Azure Portal
Display name [Deprecated]: SQL managed instances should use customer-managed keys to encrypt data at rest
Id 048248b0-55cd-46da-b1ff-39efd52db260
Version 1.0.2-deprecated
Versioning Versions supported for Versioning: 1
1.0.2 (1.0.2-deprecated)
Category SQL
Description This policy is deprecated. Please use /providers/Microsoft.Authorization/policyDefinitions/ac01ad65-10e5-46df-bdd9-6b0cad13e1d2 instead.
Cloud environments AzureCloud = true
AzureUSGovernment = unknown
AzureChinaCloud = unknown
Available in AzUSGov Unknown: no evidence either way whether this Policy definition is available in AzureUSGovernment
Assessment(s) Assessments count: 1
Assessment Id: 06ac6ef4-1e66-1334-5418-6e79ab444ce0
DisplayName: [Enable if required] SQL managed instances should use customer-managed keys to encrypt data at rest
Description: Using customer-managed keys for encrypting data at rest provides increased transparency, control over the TDE Protector, enhanced security with an HSM-backed external service, and promotes separation of duties.
This is not assessed by default and should only be applied when required by compliance or restrictive policy requirements.
If not enabled, the data will be encrypted using platform-managed keys.
This is particularly relevant for organizations with related compliance requirements.

Remediation description: To configure your own encryption key for SQL Server Transparent Data Encryption:
1. Select the SQL server.
2. On the Transparent data encryption page, select Customer-managed key.
3. For Key selection method, choose Select a key, or Enter a key identifier if you have one.
4. If you chose Select a key, configure the desired Key vault and Key.
For more information, see this article: https://docs.microsoft.com/azure/sql-database/transparent-data-encryption-byok-azure-sql
Categories: Data
Severity: Low
preview: True
Mode Indexed
Type BuiltIn
Preview False
Deprecated True
Reference Reference to 1 related Policy definition (taken from description)
SQL managed instances should use customer-managed keys to encrypt data at rest (ac01ad65-10e5-46df-bdd9-6b0cad13e1d2)
Effect Default: AuditIfNotExists
Allowed: AuditIfNotExists, Disabled
RBAC role(s) none
Rule aliases THEN-ExistenceCondition (2)
Alias: Microsoft.Sql/managedInstances/encryptionProtector/serverKeyType
Namespace: Microsoft.Sql
ResourceType: managedInstances/encryptionProtector
Path: properties.serverKeyType
PathIsDefault: True
DefaultPath: (empty)
Modifiable: False

Alias: Microsoft.Sql/managedInstances/encryptionProtector/uri
Namespace: Microsoft.Sql
ResourceType: managedInstances/encryptionProtector
Path: properties.uri
PathIsDefault: True
DefaultPath: (empty)
Modifiable: False
Rule resource types IF (1)
Compliance Not a Compliance control
Initiatives usage none
History
Date/Time (UTC ymd) Change type Change detail
2021-12-06 22:17:57 change Version remains equal, new suffix: deprecated (1.0.2 > 1.0.2-deprecated)
2020-12-11 15:42:52 change Patch (1.0.1 > 1.0.2)