Azure SQL Managed Instance must implement cryptographic mechanisms preventing the unauthorized disclosure of organization-defined information at rest on organization-defined information system components.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-276238 | SRG-APP-000429-DB-000387 | MSQL-00-003400 | SV-276238r1150056_rule | 2025-10-07 | 1 |
| Description |
|---|
| Azure SQL Managed Instance handling data requiring data-at-rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. |
| ℹ️ Check |
|---|
| Review the system documentation to determine whether the organization has defined the information at rest that is to be protected from modification, which must include, at a minimum, PII and classified information. If no information is identified as requiring such protection, this is not a finding. Review the configuration of the Azure SQL Managed Instance to ensure data-at-rest protections are implemented. If any of the information defined as requiring cryptographic protection from modification is not encrypted in a manner that provides the required level of protection, this is a finding. Use the query below to check the encryption status for each database. If any databases have an is_encrypted status of "0", this is a finding. SELECT [name] AS DatabaseName,is_encrypted FROM master.sys.databases WHERE database_id > 4; |
| ✔️ Fix |
|---|
| For any database with an is_encrypted status of "0", use the query below to enable transparent data encryption: ALTER DATABASE [Database Name Here] SET ENCRYPTION ON; |