last sync: 2021-May-14 16:08:20 UTC

Azure Policy definition

SQL managed instances should use customer-managed keys to encrypt data at rest

Name SQL managed instances should use customer-managed keys to encrypt data at rest
Azure Portal
Id 048248b0-55cd-46da-b1ff-39efd52db260
Version 1.0.2
details on versioning
Category SQL
Microsoft docs
Description Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.
Mode Indexed
Type BuiltIn
Preview FALSE
Deprecated FALSE
Effect Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Used RBAC Role none
History
Date/Time (UTC ymd) (i) Change type Change detail
2020-12-11 15:42:52 change Patch (1.0.1 > 1.0.2) *changes on text case sensitivity are not tracked
Used in Initiatives
Initiative DisplayName Initiative Id Initiative Category State
[Deprecated]: Azure Security Benchmark v1 42a694ed-f65e-42b2-aa9e-8052e9740a92 Regulatory Compliance Deprecated
[Deprecated]: Azure Security Benchmark v2 bb522ac1-bc39-4957-b194-429bcd3bcb0b Regulatory Compliance Deprecated
[Preview]: CIS Microsoft Azure Foundations Benchmark v1.3.0 612b5213-9160-4969-8578-1518bd2a000c Regulatory Compliance Preview
[Preview]: CMMC Level 3 b5629c75-5c77-4422-87b9-2509e680f8de Regulatory Compliance Preview
Azure Security Benchmark 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 Security Center GA
CIS Microsoft Azure Foundations Benchmark v1.1.0 1a5bb27d-173f-493e-9568-eb56638dde4d Regulatory Compliance GA
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA
JSON Changes

JSON
{
  "properties": {
    "displayName": "SQL managed instances should use customer-managed keys to encrypt data at rest",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.",
    "metadata": {
      "version": "1.0.2",
      "category": "SQL"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Sql/managedInstances"
      },
      "then": {
      "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Sql/managedInstances/encryptionProtector",
          "name": "current",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Sql/managedInstances/encryptionProtector/serverKeyType",
                "equals": "AzureKeyVault"
              },
              {
                "field": "Microsoft.Sql/managedInstances/encryptionProtector/uri",
                "notEquals": ""
              },
              {
                "field": "Microsoft.Sql/managedInstances/encryptionProtector/uri",
                "exists": "true"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/048248b0-55cd-46da-b1ff-39efd52db260",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "048248b0-55cd-46da-b1ff-39efd52db260"
}