Security Center default policy setting "Monitor SQL Encryption" is not enabled Affecting Security Center service in Azure
Severity Framework
Snyk CCSS
Rule category
Monitoring / Data
Is your enviroment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsFrameworks
CIS-Azure
CIS-Controls
CSA-CCM
GDPR
HIPAA
SOC-2
- Snyk ID SNYK-CC-00676
- credit Snyk Research Team
Description
When this setting is enabled, it recommends that encryption at rest be enabled for the Azure SQL Database, associated backups, and transaction log files. In the event of a data breach, it will not be readable.
How to fix?
Set policyDefinitionId to /providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12, and set enforcementMode to Default or remove the attribute.
Example Configuration
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2019-09-01",
"name": "endpoint_676_allowed",
"properties": {
"displayName": "Azure Web Application Firewall should be enabled for Azure Front Door entry-points",
"description": "Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules.",
"enforcementMode": "Default",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12"
}
}
]
}