🔵 CIS Azure 4.2 · Rule: AZ-SQL-002 · Severity: high

Ensure Azure SQL Transparent Data Encryption is enabled

Description

Transparent Data Encryption (TDE) must be enabled for all Azure SQL databases.

⚠️ Risk Impact

Without TDE, the database's data files, log files and native backups are stored unencrypted at rest. Anyone who obtains a copy of those files (a leaked backup, an exposed storage container, a misplaced export) can read the data without ever authenticating to the database.

🔍 How EchelonGraph Detects This

AZ-SQL-002 · Automated scanner rule

EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected Azure accounts. Violations are flagged as high-severity findings with remediation guidance.

🔧 Remediation

Enable TDE (the resource group is a required argument): az sql db tde set --database DB --server SERVER --resource-group RG --status Enabled

Then confirm with az sql db tde show (same --database, --server and --resource-group arguments) that the reported state is Enabled; the set command returns before the encryption scan has finished.

💀 Real-World Attack Scenario

A backup of an Azure SQL database without TDE was stored in a Blob container. When the container's SAS token was accidentally shared publicly, the backup file was downloaded and the database was restored on a local SQL Server — giving full access to all data without any authentication.

💰 Cost of Non-Compliance

An unencrypted backup exposes its entire contents to whoever obtains the file. PCI DSS Req 3.4 (Req 3.5.1 in PCI DSS v4.0) requires stored cardholder data to be rendered unreadable, with strong encryption at rest as one of the accepted methods. Non-compliance: $5K-$100K/month.

📋 Audit Questions

  1. Are all Azure SQL databases using TDE?
  2. Is TDE using service-managed or customer-managed keys?
  3. Are database backups also encrypted?

🎯 MITRE ATT&CK Mapping

T1530 — Data from Cloud Storage
T1005 — Data from Local System

⚡ Common Pitfalls

  • TDE is enabled by default on newly created databases, but a database created before that default, or one migrated, copied or restored from a source with TDE off, inherits the source's state and can be unencrypted
  • Using service-managed keys when compliance requires customer-managed keys (TDE protector in Azure Key Vault)
  • Not re-verifying TDE after a restore, copy or migration instead of assuming the new database matches the original
  • Treating a BACPAC export as a protected backup: TDE covers native backups, but a BACPAC is a logical export and is written in plaintext regardless of the database's TDE state, so the storage account that holds it needs its own access controls
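The remediation above checks one database at a time; the pitfalls are about the ones nobody remembers to check (migrated, restored, system databases, key type). The script below is an added example, not EchelonGraph's scanner or Microsoft's code: it wraps the Azure CLI (az sql db list, az sql db tde show, az sql db tde set, az sql server tde-key show) to audit every user database on a logical server, skips master (TDE cannot be toggled there), optionally enables TDE where it is off, and optionally flags a service-managed protector when customer-managed keys are required. The sample data at the bottom is constructed, not captured from a tenant; the assumption that the TDE object may report its value under either "status" (older CLI/API versions) or "state" (newer ones) is labelled in the code.

```python
"""Audit (and optionally enable) TDE on every user database of an Azure SQL
logical server via the Azure CLI. Added example; not code from the page's vendor."""
import json
import subprocess
import sys
from typing import Optional

# master cannot have TDE toggled, so it is always excluded from findings.
SYSTEM_DATABASES = {"master"}


def az(*args: str) -> object:
    """Run an az CLI command and parse its JSON output (live call; not used by tests)."""
    proc = subprocess.run(["az", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def tde_state(tde_json: dict) -> str:
    """Normalise the object returned by `az sql db tde show`.
    Assumption: older API versions expose "status", newer ones "state";
    both are accepted so the check survives a CLI upgrade."""
    return str(tde_json.get("state") or tde_json.get("status") or "")


def is_tde_enabled(tde_json: dict) -> bool:
    # An empty/missing object is treated as NOT enabled (fail closed).
    return tde_state(tde_json).lower() == "enabled"


def key_type(server_key_json: dict) -> str:
    """serverKeyType from `az sql server tde-key show`: ServiceManaged or AzureKeyVault."""
    return str(server_key_json.get("serverKeyType", "Unknown"))


def find_violations(databases: list, tde_by_db: dict, require_cmk: bool = False,
                    server_key: Optional[dict] = None) -> list:
    """One finding per non-compliant user database, plus one server-level finding
    when customer-managed keys are required but the protector is service-managed."""
    findings = []
    for db in databases:
        name = db["name"]
        if name in SYSTEM_DATABASES:
            continue
        if not is_tde_enabled(tde_by_db.get(name, {})):
            findings.append({"database": name, "issue": "TDE disabled"})
    if require_cmk and server_key is not None and key_type(server_key) != "AzureKeyVault":
        findings.append({"database": "*",
                         "issue": f"TDE protector is {key_type(server_key)}, not customer-managed"})
    return findings


def audit_server(resource_group: str, server: str,
                 fix: bool = False, require_cmk: bool = False) -> list:
    """Live audit of one logical server; fix=True enables TDE wherever it is off."""
    dbs = az("sql", "db", "list", "--resource-group", resource_group, "--server", server)
    tde = {db["name"]: az("sql", "db", "tde", "show", "--resource-group", resource_group,
                          "--server", server, "--database", db["name"])
           for db in dbs if db["name"] not in SYSTEM_DATABASES}
    server_key = (az("sql", "server", "tde-key", "show", "--resource-group", resource_group,
                     "--server", server) if require_cmk else None)
    findings = find_violations(dbs, tde, require_cmk, server_key)
    if fix:
        for f in findings:
            if f["issue"] == "TDE disabled":
                az("sql", "db", "tde", "set", "--resource-group", resource_group,
                   "--server", server, "--database", f["database"], "--status", "Enabled")
    return findings


# Constructed sample data mirroring the shape of the az output (not from a real tenant).
SAMPLE_DATABASES = [{"name": "master"}, {"name": "orders"},
                    {"name": "legacy-migrated"}, {"name": "restored-copy"}]
SAMPLE_TDE = {
    "orders": {"name": "current", "state": "Enabled"},
    "legacy-migrated": {"name": "current", "status": "Disabled"},  # old-style field, migrated DB
    "restored-copy": {},                                            # restore returned no TDE object
}
SAMPLE_SERVER_KEY = {"serverKeyName": "ServiceManaged", "serverKeyType": "ServiceManaged"}


def sample_findings(require_cmk: bool = False) -> list:
    """Run the evaluation logic over the constructed sample; used for offline checks."""
    return find_violations(SAMPLE_DATABASES, SAMPLE_TDE, require_cmk, SAMPLE_SERVER_KEY)


if __name__ == "__main__":
    if len(sys.argv) < 3:
        print(json.dumps(sample_findings(require_cmk=True), indent=2))
    else:
        rg, srv = sys.argv[1], sys.argv[2]
        print(json.dumps(audit_server(rg, srv, fix="--fix" in sys.argv,
                                      require_cmk="--cmk" in sys.argv), indent=2))
```

Run it with a resource group and server name to audit live (add --fix to remediate, --cmk to also require an Azure Key Vault protector); with no arguments it evaluates the constructed sample, where the migrated and restored databases are flagged and master is ignored. The evaluation is kept separate from the CLI calls so it can be unit-tested offline and dropped into a CI job that runs after every restore or migration.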

📈 Business Value

TDE encrypts data files, log files and native backups transparently, with no application changes and no downtime. It is on by default for new databases, but the state must still be verified, especially on databases that were migrated, copied or restored.

⏱️ Effort Estimate

Manual

15 minutes per database to verify and enable

With EchelonGraph

EchelonGraph monitors TDE status across all Azure SQL databases

🔗 Cross-Framework References

SOC2-CC6.1 · ISO27001-A.10.1.1 · PCI-3.4

Automate CIS Azure 4.2 compliance

EchelonGraph continuously monitors this control across all your cloud accounts.

Start Free →