Azure Synapse Analytics SQL Pool Transparent Data Encryption Not Enabled
ID: azure-synapse-sqlpool-tde-disabled
Severity: high
Author: princechaddha
Tags: cloud,devops,azure,microsoft,synapse,azure-cloud-config
Description
Section titled “Description”Ensure that Transparent Data Encryption (TDE) is enabled for all dedicated SQL pools within Microsoft Azure Synapse Analytics workspaces in order to protect your data at rest and help meet compliance requirements.
YAML Source
Section titled “YAML Source”id: azure-synapse-sqlpool-tde-disabledinfo: name: Azure Synapse Analytics SQL Pool Transparent Data Encryption Not Enabled author: princechaddha severity: high description: | Ensure that Transparent Data Encryption (TDE) is enabled for all dedicated SQL pools within Microsoft Azure Synapse Analytics workspaces in order to protect your data at rest and help meet compliance requirements. impact: | Failing to enable Transparent Data Encryption (TDE) can result in non-compliance with regulatory requirements and increased risk of unauthorized access to sensitive data at rest. remediation: | Enable Transparent Data Encryption (TDE) for all Azure Synapse Analytics dedicated SQL pools to ensure your data at rest is encrypted and secure. reference: - https://docs.microsoft.com/en-us/azure/synapse-analytics/sql-data-warehouse/sql-data-warehouse-overview-what-is tags: cloud,devops,azure,microsoft,synapse,azure-cloud-config
flow: | code(1); for (let workspaceId of iterate(template.workspaceIds)) { set("workspaceId", workspaceId); code(2); for (let sqlPoolId of iterate(template.sqlPoolIds)) { set("sqlPoolId", sqlPoolId); code(3); } }
self-contained: truecode: - engine: - sh - bash source: | az synapse workspace list --query '[*].id'
extractors: - type: json name: workspaceIds internal: true json: - '.[]'
- engine: - sh - bash source: | az synapse sql pool list --workspace-name "$workspaceId" --resource-group "$resourceGroup" --query '[*].id'
extractors: - type: json name: sqlPoolIds internal: true json: - '.[]'
- engine: - sh - bash source: | az synapse sql pool tde show --ids "$sqlPoolId" --transparent-data-encryption-name current --query 'status'
matchers: - type: word words: - '"Disabled"'
extractors: - type: dsl dsl: - 'workspaceId + " " + sqlPoolId + " does not have TDE enabled"'# digest: 4b0a00483046022100d1bf8c0b94ccc83007bdf0bc346ec0c2b78e34e7ab1246ee4a1b3545faba924d022100a86dc75b0764b050974230a9391e772463a3c0ae6767d3a6e45f6bb66ae90b3b:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "cloud/azure/synapse/azure-synapse-sqlpool-tde-disabled.yaml"