Ensure data encryption is enabled for Azure Synapse SQL Pool

MEDIUM

Description

Azure Synapse encrypts data at rest by default using Microsoft-managed keys; however, it is recommended that another layer of encryption is added. A customer-managed key can be used to encrypt content within SQL pools for additional protection. For more information on Azure Synapse encryption, see the Azure documentation.
References:
https://learn.microsoft.com/en-us/azure/synapse-analytics/security/workspaces-encryption

Remediation

In Azure Console -

  1. Open the Azure Portal and go to Dedicated SQL pools.
  2. Select the SQL pool you wish to edit.
  3. Under Settings, select Transparent data encryption.
  4. Set Data encryption to On.

In Terraform -

  1. In the azurerm_synapse_sql_pool resource, set data_encrypted to true.
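
A Terraform illustration of the remediation step above, added here and not taken from the policy page or the azurerm provider documentation. The resource names, the workspace reference and the SKU are assumed, as is azurerm provider 3.x, where storage_account_type is a required argument. The first resource omits data_encrypted and is the shape this rule flags; the second sets it to true as the remediation describes.

```hcl
# Added example (not from the policy page or the azurerm provider docs).
# Assumes azurerm provider 3.x (storage_account_type required) and an
# existing azurerm_synapse_workspace resource named "example".

# Non-compliant: data_encrypted is omitted, so transparent data encryption
# for the pool is not explicitly enabled and AC_AZURE_0379 flags the resource.
resource "azurerm_synapse_sql_pool" "unencrypted" {
  name                 = "sqlpoolweak"
  synapse_workspace_id = azurerm_synapse_workspace.example.id
  sku_name             = "DW100c"
  create_mode          = "Default"
  storage_account_type = "GRS"
}

# Compliant: data_encrypted = true enables transparent data encryption for
# the dedicated SQL pool, matching "Data encryption: On" in the portal.
resource "azurerm_synapse_sql_pool" "encrypted" {
  name                 = "sqlpoolsecure"
  synapse_workspace_id = azurerm_synapse_workspace.example.id
  sku_name             = "DW100c"
  create_mode          = "Default"
  storage_account_type = "GRS"
  data_encrypted       = true
}
```

Only one of the two resources is needed in practice; both are shown to contrast the weak and corrected configuration. Because leaving the attribute out falls back to the non-compliant state, treat data_encrypted = true as a mandatory line in any module or template that creates Synapse SQL pools.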

References:
https://learn.microsoft.com/en-us/azure/synapse-analytics/sql-data-warehouse/sql-data-warehouse-encryption-tde
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/synapse_sql_pool

Policy Details

Rule Reference ID: AC_AZURE_0379
CSP: Azure
Remediation Available: Yes
Resource Category: Analytics
Resource Type: Synapse

Frameworks