last sync: 2025-Jul-10 17:22:57 UTC

[Deprecated]: SQL servers should use customer-managed keys to encrypt data at rest

Azure BuiltIn Policy definition

Source: Azure Portal
Display name: [Deprecated]: SQL servers should use customer-managed keys to encrypt data at rest
Id: 0d134df8-db83-46fb-ad72-fe0c9428c8dd
Version: 2.0.1-deprecated
Versioning: versions supported for Versioning: 1 (2.0.1, shown as 2.0.1-deprecated)
Category: SQL
Description: This policy is deprecated. Please use /providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8 instead.
Cloud environments: AzureCloud = true; AzureUSGovernment = unknown; AzureChinaCloud = unknown
Available in AzUSGov: Unknown (there is no evidence whether this Policy definition is, or is not, available in AzureUSGovernment)
Assessment(s): Assessments count: 1
  Assessment Id: 1a93e945-3675-aef6-075d-c661498e1046
  DisplayName: [Enable if required] SQL servers should use customer-managed keys to encrypt data at rest
  Description: Using customer-managed keys for encrypting data at rest provides increased transparency, control, and security.
  This is not assessed by default and should only be applied when required by compliance or restrictive policy requirements.
  If not enabled, the data will be encrypted using platform-managed keys.
  This is particularly relevant for organizations with related compliance requirements.
  To implement this, update the 'Effect' parameter in the Security Policy for the applicable scope.

  Remediation description: To configure your own encryption key for SQL Server Transparent Data Encryption:
    1. Select the SQL server.
    2. On the Transparent data encryption page, select Customer-managed key.
    3. For Key selection method, choose Select a key or Enter a key identifier if you have one.
    4. If you chose Select a key, configure the desired Key vault and Key.
  For more information, see this article: https://docs.microsoft.com/azure/sql-database/transparent-data-encryption-byok-azure-sql
  Categories: Data
  Severity: Low
  preview: True
Mode: Indexed
Type: BuiltIn
Preview: False
Deprecated: True
Reference: reference to 1 related Policy definition (taken from the description):
  SQL servers should use customer-managed keys to encrypt data at rest (0a370ff3-6cab-4e85-8995-295fd854c5b8)
Effect: Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled
RBAC role(s): none
Rule aliases: THEN-ExistenceCondition (2)
  Alias: Microsoft.Sql/servers/encryptionProtector/serverKeyType
    Namespace: Microsoft.Sql; ResourceType: servers/encryptionProtector; Path: properties.serverKeyType; PathIsDefault: True; DefaultPath: (empty); Modifiable: False
  Alias: Microsoft.Sql/servers/encryptionProtector/uri
    Namespace: Microsoft.Sql; ResourceType: servers/encryptionProtector; Path: properties.uri; PathIsDefault: True; DefaultPath: (empty); Modifiable: False
Rule resource types: IF (1)
Compliance
The following 8 compliance controls are associated with this Policy definition '[Deprecated]: SQL servers should use customer-managed keys to encrypt data at rest' (0d134df8-db83-46fb-ad72-fe0c9428c8dd). Each control is listed as Control Domain / Control Name, followed by its MetadataId, Category, Owner, Requirements, Policy# (number of policies mapped to the control), Title and Description.

Control DORA_2022_2554 / 9.3b (MetadataId: DORA_2022_2554_9.3b; Category: 9; Owner: Shared; Requirements: n/a; Policy#: 35)
  Title: Minimize Risks of Data Corruption and Loss in ICT Processes
  Description: Implement information and communication technology (ICT) processes that minimize the risk of data corruption or loss, unauthorized access, and technical flaws that may disrupt business activities.

Control DORA_2022_2554 / 9.3c (MetadataId: DORA_2022_2554_9.3c; Category: 9; Owner: Shared; Requirements: n/a; Policy#: 58)
  Title: Prevent Data Availability and Integrity Issues in ICT Systems
  Description: Implement measures in information and communication technology (ICT) to prevent issues related to data availability, authenticity, integrity, confidentiality breaches, and data loss.

Control K_ISMS_P_2018 / 2.10.1 (MetadataId: K_ISMS_P_2018_2.10.1; Category: 2.10; Owner: Shared; Requirements: n/a; Policy#: 408)
  Title: Establish Procedures for Managing the Security of System Operations
  Description: Establish and implement operating procedures for managing the security of system operations such as designating system administrators, updating policies, changing rulesets, monitoring events, managing policy implementations or exceptions.

Control K_ISMS_P_2018 / 2.10.2 (MetadataId: K_ISMS_P_2018_2.10.2; Category: 2.10; Owner: Shared; Requirements: n/a; Policy#: 385)
  Title: Establish Protective Measures for Administrator Privileges and Security Configurations
  Description: Establish and implement protective measures with regard to administrator privileges and security configurations to ensure that important information and personal information are not exposed as a result of unauthorized access by service type or misconfigurations.

Control K_ISMS_P_2018 / 2.10.4 (MetadataId: K_ISMS_P_2018_2.10.4; Category: 2.10; Owner: Shared; Requirements: n/a; Policy#: 43)
  Title: Establish Protective Measures when Working with Electronic Transactions or Fintech Services
  Description: Establish and implement protective measures such as authentication and encryption to prevent information leakage, data alteration, or fraud when working with electronic transactions and Fintech services. In the event connections to external systems are required, safety must be checked.

Control K_ISMS_P_2018 / 2.7.1b (MetadataId: K_ISMS_P_2018_2.7.1b; Category: 2.7; Owner: Shared; Requirements: n/a; Policy#: 68)
  Title: Ensure Data is Encrypted at Rest and In-Transit
  Description: Ensure data is encrypted when storing and transmitting personal and important information.

Control K_ISMS_P_2018 / 2.7.2 (MetadataId: K_ISMS_P_2018_2.7.2; Category: 2.7; Owner: Shared; Requirements: n/a; Policy#: 48)
  Title: Establish Encryption Key Management Procedures
  Description: Establish and implement procedures for securely creating, using, storing, distributing, and destroying encryption keys. Additionally, establish and implement procedures for recovering encryption keys, if necessary.

Control K_ISMS_P_2018 / 3.4.3 (MetadataId: K_ISMS_P_2018_3.4.3; Category: 3.4; Owner: Shared; Requirements: n/a; Policy#: 31)
  Title: Implement Measures to Protect the Personal Information of Dormant Users
  Description: Implement measures to protect the personal information of dormant users including notification of relevant matters, or disposal of storage of personal information.
Initiatives usage
Initiative DisplayName | Initiative Id | Initiative Category | State | Type | polSet in AzUSGov
DORA 2022 2554 | f9c0485f-da8e-43b5-961e-58ebd54b907c | Regulatory Compliance | GA | BuiltIn | unknown
K ISMS P 2018 | e0782c37-30da-4a78-9f92-50bfe7aa2553 | Regulatory Compliance | GA | BuiltIn | unknown
History
Date/Time (UTC ymd) | Change type | Change detail
2021-12-06 22:17:57 | change | Version remains equal, new suffix: deprecated (2.0.1 > 2.0.1-deprecated)
2020-12-11 15:42:52 | change | Major (1.0.0 > 2.0.1)