Rule ID
SV-276238r1150056_rule
Version
V1R1
CCIs
Azure SQL Managed Instance handling data requiring data-at-rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information.
Review the system documentation to determine whether the organization has defined the information at rest that is to be protected from modification, which must include, at a minimum, PII and classified information. If no information is identified as requiring such protection, this is not a finding. Review the configuration of the Azure SQL Managed Instance to ensure data-at-rest protections are implemented. If any of the information defined as requiring cryptographic protection from modification is not encrypted in a manner that provides the required level of protection, this is a finding. Use the query below to check the encryption status for each database. If any databases have an is_encrypted status of "0", this is a finding. SELECT [name] AS DatabaseName,is_encrypted FROM master.sys.databases WHERE database_id > 4;
For any database with an is_encrypted status of "0", use the query below to enable transparent data encryption: ALTER DATABASE [Database Name Here] SET ENCRYPTION ON;