Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key

Customer-managed key support for Transparent Data Encryption (TDE) gives the user control of the TDE encryption keys and restricts who can access them and when. Azure Key Vault, Azure's cloud-based external key management system, is the first key management service for which TDE has integrated support for Customer-managed keys. With Customer-managed key support, the database encryption key is protected by an asymmetric key stored in the Key Vault. The asymmetric key is set at the server level and inherited by all databases under that server.

Risk Level: Low
Cloud Entity: SQL Server on Virtual Machines
CloudGuard Rule ID: D9.AZU.CRY.14
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

SQLServer should have encryptionProtectors contain [ serverKey.serverKeyType='AzureKeyVault' ]

REMEDIATION

From Portal

  1. Sign on to Azure portal and navigate to 'SQL servers'.
  2. For each server instance, go to 'Transparent data encryption'.
  3. Set 'Transparent data encryption' to 'Customer-managed key'.
  4. Browse through your key vaults to select an existing key, or create a new key in the Azure Key Vault.
  5. Check 'Make selected key the default TDE protector'.
  6. Click Save.

From TF
Set the 'key_vault_key_id' argument of the 'azurerm_mssql_server_transparent_data_encryption' resource to the ID of the Key Vault key, as below (both values are resource references, not quoted strings):

resource "azurerm_mssql_server_transparent_data_encryption" "example" {
	..
	server_id        = azurerm_mssql_server.example.id
	key_vault_key_id = azurerm_key_vault_key.example.id
	..
}

From Command Line
Run the command below to set the SQL server's TDE protector to a Customer-managed key held in Azure Key Vault (KEYIDENTIFIER is the full Key Vault key URI):

az sql server tde-key set --resource-group RESOURCEGROUP --server SERVERNAME --server-key-type AzureKeyVault --kid KEYIDENTIFIER
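To verify the GSL logic above outside the CloudGuard console, the following added script (not CloudGuard or Azure code) evaluates, per server, the JSON that 'az sql server tde-key show --resource-group RG --server NAME -o json' prints and reports servers whose protector is not an Azure Key Vault key. The field names 'serverKeyType', 'serverKeyName' and 'uri' are those of the CLI output; the sample records are constructed.

```python
"""Apply CloudGuard rule D9.AZU.CRY.14 to the per-server JSON printed by
`az sql server tde-key show --resource-group RG --server NAME -o json`.
Added audit example; not CloudGuard's or Azure's own code."""
import json
from urllib.parse import urlparse

REQUIRED_KEY_TYPE = "AzureKeyVault"   # serverKeyType the GSL logic requires


def evaluate_tde_protector(server_name, protector):
    """Return (compliant, detail) for one server's TDE protector record.

    `protector` is the dict the CLI prints; None or {} is treated as
    non-compliant because there is no evidence of a customer-managed key."""
    if not protector:
        return False, f"{server_name}: no encryption protector returned"
    key_type = protector.get("serverKeyType")
    if key_type != REQUIRED_KEY_TYPE:
        return False, (f"{server_name}: TDE protector is {key_type!r}, "
                       f"expected {REQUIRED_KEY_TYPE!r}")
    # Key Vault key URIs look like https://<vault>.vault.azure.net/keys/<name>/<version>
    parsed = urlparse(protector.get("uri") or "")
    parts = [p for p in parsed.path.split("/") if p]
    if parsed.scheme != "https" or len(parts) < 2 or parts[0] != "keys":
        return False, f"{server_name}: protector URI is not a Key Vault key URI"
    key_name = parts[1]
    key_version = parts[2] if len(parts) > 2 else "<unversioned>"
    return True, f"{server_name}: CMK {key_name} ({key_version}) in {parsed.hostname}"


def audit(records):
    """records: {server_name: protector_dict_or_None}. Prints one line per
    server and returns the sorted list of non-compliant server names."""
    failing = []
    for name, protector in sorted(records.items()):
        ok, detail = evaluate_tde_protector(name, protector)
        print(("PASS " if ok else "FAIL ") + detail)
        if not ok:
            failing.append(name)
    return failing


# Constructed sample records (not captured from a real subscription).
SAMPLE = {
    "sql-prod-01": {"serverKeyType": "AzureKeyVault",
                    "serverKeyName": "kv-example_tde-key_0123abcd",
                    "uri": "https://kv-example.vault.azure.net/keys/tde-key/0123abcd"},
    "sql-dev-02": {"serverKeyType": "ServiceManaged", "serverKeyName": "ServiceManaged", "uri": None},
    "sql-legacy-03": None,
}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE)))
```

Feed it the 'az' output for every server in scope; any name it returns is a server the portal, Terraform or CLI remediation above still has to be applied to.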

References

  1. https://learn.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-byok-overview?view=azuresql&viewFallbackFrom=sql-server-ver16
  2. https://azure.microsoft.com/en-in/blog/preview-sql-transparent-data-encryption-tde-with-bring-your-own-key-support/
  3. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_server_transparent_data_encryption#example-usage-with-customer-managed-key
  4. https://learn.microsoft.com/en-us/cli/azure/sql/server/tde-key?view=azure-cli-latest#az-sql-server-tde-key-set

SQL Server on Virtual Machines

SQL Server on Azure virtual machines enables you to use full versions of SQL Server in the Cloud without having to manage any on-premises hardware. SQL Server VMs also simplify licensing costs when you pay as you go.

Azure virtual machines run in many different geographic regions around the world. They also offer a variety of machine sizes. The virtual machine image gallery allows you to create a SQL Server VM with the right version, edition, and operating system. This makes virtual machines a good option for many different SQL Server workloads.

Compliance Frameworks

  • Azure CIS Foundations v. 1.1.0
  • Azure CIS Foundations v. 1.2.0
  • Azure CIS Foundations v. 1.3.0
  • Azure CIS Foundations v. 1.3.1
  • Azure CIS Foundations v. 1.4.0
  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v.2.0
  • Azure CSA CCM v.4.0.1
  • Azure CloudGuard Best Practices
  • Azure HITRUST v9.5.0
  • Azure ITSG-33
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset