Azure SQL Managed Instance must implement cryptographic mechanisms preventing the unauthorized disclosure of organization-defined information at rest on organization-defined information system components.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-276238 | MSQL-00-003400 | SV-276238r1150056_rule | CCI-002476 | medium |
| Description | ||||
| Azure SQL Managed Instance handling data requiring data-at-rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. | ||||
| STIG | Date | |||
| Microsoft Azure SQL Managed Instance Security Technical Implementation Guide | 2025-10-07 | |||
Details
Check Text (C-276238r1150056_chk)
Review the system documentation to determine whether the organization has defined the information at rest that is to be protected from modification, which must include, at a minimum, PII and classified information.
If no information is identified as requiring such protection, this is not a finding.
Review the configuration of the Azure SQL Managed Instance to ensure data-at-rest protections are implemented.
If any of the information defined as requiring cryptographic protection from modification is not encrypted in a manner that provides the required level of protection, this is a finding.
Use the query below to check the encryption status for each database. If any databases have an is_encrypted status of "0", this is a finding.
SELECT [name] AS DatabaseName,is_encrypted FROM master.sys.databases WHERE database_id > 4;
Fix Text (F-80298r1149622_fix)
For any database with an is_encrypted status of "0", use the query below to enable transparent data encryption:
ALTER DATABASE [Database Name Here] SET ENCRYPTION ON;