Beta - SQL Database Without Data Encryption

  • Query id: 0745bb3f-60dc-43b6-90ae-67bb01fd1775
  • Query name: Beta - SQL Database Without Data Encryption
  • Platform: Terraform
  • Severity: High
  • Category: Encryption
  • CWE: 312
  • Risk score: 6.0
  • URL: Github

Description

All 'azurerm_mssql_database' resources should enable data encryption at rest through the 'transparent_data_encryption_enabled' field. The query flags resources that set this field to false; omitting the field is compliant because the provider defaults it to true.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "azurerm_mssql_database" "example" {
  name           = "example-db"
  server_id      = azurerm_mssql_server.example.id
  collation      = "SQL_Latin1_General_CP1_CI_AS"
  license_type   = "LicenseIncluded"
  max_size_gb    = 4
  read_scale     = true
  sku_name       = "S0"
  zone_redundant = true
  enclave_type   = "VBS"

  transparent_data_encryption_enabled = false
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "azurerm_mssql_database" "example" {
  name           = "example-db"
  server_id      = azurerm_mssql_server.example.id
  collation      = "SQL_Latin1_General_CP1_CI_AS"
  license_type   = "LicenseIncluded"
  max_size_gb    = 4
  read_scale     = true
  sku_name       = "S0"
  zone_redundant = true
  enclave_type   = "VBS"

  # missing "transparent_data_encryption_enabled" - defaults to true
}

resource "azurerm_mssql_database" "example2" {
  name           = "example-db"
  server_id      = azurerm_mssql_server.example.id
  collation      = "SQL_Latin1_General_CP1_CI_AS"
  license_type   = "LicenseIncluded"
  max_size_gb    = 4
  read_scale     = true
  sku_name       = "S0"
  zone_redundant = true
  enclave_type   = "VBS"

  transparent_data_encryption_enabled = true
}
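As an added example (not part of the KICS query or its test files), the following Python checker mirrors the rule described above over a constructed Terraform snippet: it reports 'azurerm_mssql_database' resources that explicitly set 'transparent_data_encryption_enabled = false' and treats an omitted field as compliant. The resource names and the minimal regex-based HCL parsing are assumptions for illustration only; they handle single-line attributes and no nested blocks, which is all the samples on this page use.

```python
import re

# Matches one top-level resource block: type, name and the body between the braces.
# Assumption: attributes are one per line and the closing brace sits in column 0.
RESOURCE_RE = re.compile(
    r'resource\s+"(?P<type>[^"]+)"\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)\n\}',
    re.DOTALL,
)
# Matches the TDE attribute on its own line; a commented-out line will not match.
TDE_RE = re.compile(
    r'^\s*transparent_data_encryption_enabled\s*=\s*"?(true|false)"?\s*$',
    re.MULTILINE,
)

# Constructed input: one non-compliant database, one relying on the default,
# one explicitly compliant, plus an unrelated resource that must be ignored.
SAMPLE_TF = '''
resource "azurerm_mssql_database" "insecure" {
  name      = "example-db"
  server_id = azurerm_mssql_server.example.id
  sku_name  = "S0"

  transparent_data_encryption_enabled = false
}

resource "azurerm_mssql_database" "default_tde" {
  name      = "example-db"
  server_id = azurerm_mssql_server.example.id
  sku_name  = "S0"
  # omitted: transparent_data_encryption_enabled defaults to true
}

resource "azurerm_mssql_database" "explicit_tde" {
  name      = "example-db"
  server_id = azurerm_mssql_server.example.id
  sku_name  = "S0"
  transparent_data_encryption_enabled = true
}

resource "azurerm_mssql_server" "example" {
  name = "example-server"
}
'''


def find_unencrypted_mssql_databases(hcl: str) -> list[str]:
    """Return addresses of azurerm_mssql_database resources that disable TDE."""
    findings = []
    for block in RESOURCE_RE.finditer(hcl):
        if block.group("type") != "azurerm_mssql_database":
            continue
        tde = TDE_RE.search(block.group("body"))
        # Only an explicit false is a finding; absence keeps the secure default.
        if tde is not None and tde.group(1) == "false":
            findings.append(f'{block.group("type")}.{block.group("name")}')
    return findings


if __name__ == "__main__":
    for address in find_unencrypted_mssql_databases(SAMPLE_TF):
        print(f"[High] data encryption at rest disabled: {address}")
```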