Azure: Cloud Custodian Policies for Azure SQL Database and SQL Server
Covering various scenarios using the open-source Cloud Custodian tool
Azure SQL Database is a fully managed relational database service (PaaS) that removes most of the work of provisioning and operating the database engine. Under the shared-responsibility model, however, the security configuration of each logical server and database (encryption, network exposure, auditing, administrators) remains the customer's job, so it is important to verify that adequate controls are actually in place rather than assume the platform applies them. In this article we use the open-source tool Cloud Custodian to write YAML policies that detect misconfigurations and other security findings across Azure SQL servers and databases.
Example #1: Find all SQL databases where Transparent Data Encryption (TDE, Azure SQL's encryption at rest) is not enabled.
policies:
  - name: sqldatabase-encryption-at-rest-not-enabled
    resource: azure.sql-database
    comment: |
      Find all SQL Databases where Transparent Data Encryption (also
      known as encryption at rest) is not enabled. Transparent data
      encryption (TDE) helps protect Azure SQL databases against the
      threat of malicious activity by encrypting data at rest. It
      performs real-time encryption and decryption of the database,
      its associated backups and transaction log files stored at rest,
      without requiring changes to your database application. The
      feature encrypts the storage of an entire SQL database by using
      a symmetric key named the database encryption key. This database
      encryption key is…
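The policy text above is cut off inside its comment block, and the comment alone selects nothing: in Cloud Custodian the actual check is done by the policy's filters list. The following is a complete, runnable version written here as an added example (it is not the article's own code). It uses Cloud Custodian's transparent-data-encryption filter for the azure.sql-database resource, and adds a value filter that excludes the built-in master database, which cannot have TDE configured and would otherwise appear as a false positive; that exclusion, and the policy name, are my additions.

```yaml
# Added example, not from the original article: the TDE detection policy
# completed with the filters that select non-compliant databases.
policies:
  - name: sqldatabase-encryption-at-rest-not-enabled
    resource: azure.sql-database
    comment: |
      Report every Azure SQL database whose Transparent Data Encryption
      (TDE) status is not Enabled. TDE encrypts the database files,
      backups and transaction logs at rest with a database encryption
      key, transparently to the application. Detection only: no actions
      are defined, so running this policy changes nothing.
    filters:
      # Assumption: skip the logical server's built-in master database.
      # TDE cannot be configured on master, so it is not a finding.
      - type: value
        key: name
        op: ne
        value: master
      # Cloud Custodian's TDE filter for azure.sql-database. With
      # enabled: false it keeps only databases whose TDE state is not
      # Enabled, i.e. the misconfigured ones we want to report.
      - type: transparent-data-encryption
        enabled: false
```

Save it as tde.yml, check the schema with `custodian validate tde.yml`, then run it against the subscription your Azure credentials point at with `custodian run -s out tde.yml`. Matching databases are written to out/sqldatabase-encryption-at-rest-not-enabled/resources.json. Because TDE is enabled by default on databases created since 2017, any hit here usually means someone explicitly switched it off or the database was restored or migrated from an older configuration, and is worth investigating rather than silently re-enabling.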