AzPolicyAdvertizer

last sync: 2021-Jan-15 16:07:21 UTC

Azure Policy definition

SQL servers should use customer-managed keys to encrypt data at rest

Name SQL servers should use customer-managed keys to encrypt data at rest
Azure Portal
Id 0d134df8-db83-46fb-ad72-fe0c9428c8dd
Version 2.0.1
details on versioning
Category SQL
Microsoft docs
Description Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.
Mode Indexed
Type BuiltIn
Preview FALSE
Deprecated FALSE
Effect Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Used RBAC Role none
History
Date/Time (UTC ymd) (i) Change type Change detail
2020-12-11 15:42:52 change Major (1.0.0 > 2.0.1)
Used in Initiatives
Initiative DisplayName Initiative Id Initiative Category State
[Preview]: Azure Security Benchmark v1 42a694ed-f65e-42b2-aa9e-8052e9740a92 Regulatory Compliance Preview
[Preview]: Azure Security Benchmark v2 bb522ac1-bc39-4957-b194-429bcd3bcb0b Regulatory Compliance Preview
CIS Microsoft Azure Foundations Benchmark 1.1.0 1a5bb27d-173f-493e-9568-eb56638dde4d Regulatory Compliance GA
Enable Monitoring in Azure Security Center 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 Security Center GA
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA
JSON Changes

Json 
{
  "properties": {
    "displayName": "SQL servers should use customer-managed keys to encrypt data at rest",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.",
    "metadata": {
      "version": "2.0.1",
      "category": "SQL"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Sql/servers"
          },
          {
            "field": "kind",
            "notContains": "analytics"
          }
        ]
      },
      "then": {
      "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Sql/servers/encryptionProtector",
          "name": "current",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Sql/servers/encryptionProtector/serverKeyType",
                "equals": "AzureKeyVault"
              },
              {
                "field": "Microsoft.Sql/servers/encryptionProtector/uri",
                "notEquals": ""
              },
              {
                "field": "Microsoft.Sql/servers/encryptionProtector/uri",
                "exists": "true"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "0d134df8-db83-46fb-ad72-fe0c9428c8dd"
}