Azure / azure-policy

Repository for Azure Resource Policy built-in definitions and samples
MIT License

Policy : deny-sql-db-tde-disabled just not working for me #529

Closed clercmedia closed 4 years ago

clercmedia commented 4 years ago

Hello guys! I am trying to prevent anybody from turning off TDE on a production database. I have tried the policy deny-sql-db-tde-disabled:

```json
{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.SQL/servers/databases/transparentDataEncryption"
      },
      {
        "field": "Microsoft.Sql/transparentDataEncryption.status",
        "notEquals": "enabled"
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}
```

I have an integration test that creates a SQL Server and creates a DB. The test then turns off TDE on the database. It should fail because of the policy, but it is not failing. I tried a lot of things, changing the alias, and unfortunately I've had no luck.

```powershell
try {
    # Create the database (TDE is on by default), then wait briefly
    New-AzSqlDatabase -ServerName $sql_server_name -DatabaseName $db_name -ResourceGroupName $rg_name `
        -RequestedServiceObjectiveName "Basic" -ErrorAction Stop | Out-Null
    Start-Sleep -s 10

    # Attempt to disable TDE; the deny policy is expected to reject this request
    Set-AzSqlDatabaseTransparentDataEncryption -ServerName $sql_server_name -ResourceGroupName $rg_name `
        -DatabaseName $db_name -State "disabled" -ErrorAction Stop | Out-Null

    # Reached only if the request went through, i.e. the policy did not block it
    Create-Console-Test-Log "FAILED" "[Security] - Deny SQL DB with tde disabled should prevent the removal of the TDE on DB"
}
catch {
    # Any error from the Set- call is treated as the policy having blocked the change
    Create-Console-Test-Log "PASS" "[Security] - Deny SQL DB with tde disabled should prevent the removal of the TDE on DB"
}
```

The policy is created fine; however, it is not blocking anything :( ! Am I the only one with this behavior? Did I miss something? Cheers,
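An added example, not the issue author's code, of how I would run this check end to end in PowerShell (Az module). It deploys the same rule with an explicit policy mode, waits for the assignment to take effect, and then only counts a failure of the disable request as a pass when the error carries the policy-denial code RequestDisallowedByPolicy, so that a typo in a cmdlet cannot masquerade as a passing test. It assumes $rg_name, $sql_server_name and $db_name are set as in the post and that the resource group and server already exist; the definition and assignment names, the 60-second poll interval and the 30-minute ceiling are my choices, the last matching the documented propagation time for a new assignment. The mode is the first thing I would verify on the existing definition: in Indexed mode only resource types that support tags and location are evaluated, and the transparentDataEncryption child resource supports neither. Whether that is the cause in this thread is not established by the report.

```powershell
# Added example (not from the original issue). Assumes $rg_name, $sql_server_name
# and $db_name are set as in the post and that the server already exists.

$policyRule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Sql/servers/databases/transparentDataEncryption" },
      { "field": "Microsoft.Sql/transparentDataEncryption.status", "notEquals": "enabled" }
    ]
  },
  "then": { "effect": "deny" }
}
'@

# Mode All: the TDE child resource has no tags and no location, and Indexed
# mode only evaluates resource types that support both.
$definition = New-AzPolicyDefinition -Name 'deny-sql-db-tde-disabled' `
    -DisplayName 'Deny disabling TDE on SQL databases' `
    -Policy $policyRule -Mode All

$scope = (Get-AzResourceGroup -Name $rg_name).ResourceId
New-AzPolicyAssignment -Name 'deny-sql-db-tde-disabled' -Scope $scope `
    -PolicyDefinition $definition | Out-Null

function Test-TdeDisableDenied {
    param([string]$ResourceGroupName, [string]$ServerName, [string]$DatabaseName)
    try {
        Set-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName $ResourceGroupName `
            -ServerName $ServerName -DatabaseName $DatabaseName -State Disabled `
            -ErrorAction Stop | Out-Null
    }
    catch {
        # Only a policy denial counts; the error text carries the ARM error code.
        if ($_.Exception.Message -match 'RequestDisallowedByPolicy') { return $true }
        throw   # anything else (bad parameter, auth, throttling) is a test bug
    }
    # The request went through, so the policy did not fire. Restore TDE before
    # reporting so the database is never left unencrypted by the test itself.
    Set-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName $ResourceGroupName `
        -ServerName $ServerName -DatabaseName $DatabaseName -State Enabled `
        -ErrorAction Stop | Out-Null
    return $false
}

New-AzSqlDatabase -ResourceGroupName $rg_name -ServerName $sql_server_name `
    -DatabaseName $db_name -RequestedServiceObjectiveName 'Basic' -ErrorAction Stop | Out-Null

# A new assignment is not enforced immediately; poll until the disable attempt
# is refused instead of sleeping a fixed 10 seconds after creating the database.
$deadline = (Get-Date).AddMinutes(30)
do {
    $denied = Test-TdeDisableDenied -ResourceGroupName $rg_name `
        -ServerName $sql_server_name -DatabaseName $db_name
    if (-not $denied) { Start-Sleep -Seconds 60 }
} until ($denied -or (Get-Date) -gt $deadline)

if ($denied) {
    Write-Output 'PASS: disabling TDE was denied by policy'
} else {
    $state = (Get-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName $rg_name `
        -ServerName $sql_server_name -DatabaseName $db_name).State
    Write-Output "FAILED: disabling TDE was not denied within 30 minutes (current state: $state)"
}
```

If the loop still reports FAILED after the wait, inspect the definition that was actually deployed with Get-AzPolicyDefinition and confirm its Mode, and check the assignment scope covers the resource group the test database lands in.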

kenieva commented 4 years ago

Hi @clercmedia, are you still having this issue?

kenieva commented 4 years ago

We haven't gotten a response so I will close this issue. Please re-open issue when needed information is gathered.

aquibchiniwala commented 1 year ago

@clercmedia I am facing the same issue. Can you tell me whether it is resolved or not? If yes, please provide some resolution. Thank you.

clercmedia commented 1 year ago

Can't say, I am not on the project anymore. It wasn't fixed at the time, though!

Christian Leclerc, OSCP, CISSP, CCSP, CSSLP, CEH, OCMJEA @.*** Sphere 3 Solutions inc.
