Azure Database for PostgreSQL and MySQL single servers (Microsoft.DBforPostgreSQL/servers and Microsoft.DBforMySQL/servers) deployed without infrastructure encryption protect data at rest with a single encryption layer only, so a weakness in that layer at the infrastructure level exposes the data. This gap maps to CWE-311: Missing Encryption of Sensitive Data.
Infrastructure encryption (Azure calls it infrastructure double encryption) adds a second, independent encryption layer at the storage infrastructure level, using a separate service-managed key, on top of the service-level encryption that is always on. When infrastructureEncryption is omitted (the service default is Disabled) or explicitly set to Disabled:
- Data-at-rest exposure: data on the underlying storage is protected by only one encryption layer and one key
- Compliance gaps: several regulatory frameworks expect layered encryption controls for sensitive data
- Defense in depth: with one layer removed, a single key compromise or implementation flaw is enough to recover plaintext
- Infrastructure exposure: a security issue at the Azure infrastructure or storage layer is not mitigated by service-level encryption alone
This additional encryption layer is particularly important for:
- Healthcare data (HIPAA compliance)
- Financial data (PCI DSS compliance)
- Government and regulated industry data
- Any sensitive personal information
Enable infrastructure encryption by setting infrastructureEncryption to 'Enabled' in the server's properties. On single server this setting can only be chosen when the server is created; it cannot be turned on for an existing server, so remediating a deployed server means creating a new server with the setting enabled and migrating the data. The result is double encryption:
- Service-level encryption: Azure's standard encryption at rest for the database service
- Infrastructure-level encryption: a second layer, with a separate service-managed key, at the storage infrastructure layer
Infrastructure encryption adds CPU and I/O overhead and can increase latency, so measure the impact in a non-production environment before enabling it for production workloads.
```bicep
// Vulnerable examples: infrastructureEncryption omitted or explicitly disabled
@secure()
param password string

resource insecurePostgreSQLServer 'Microsoft.DBforPostgreSQL/servers@2017-12-01' = {
  name: 'insecure-postgresql'
  location: 'eastus'
  properties: {
    createMode: 'Default'
    // infrastructureEncryption is missing: the service default is 'Disabled'
    sslEnforcement: 'Enabled'
    minimalTlsVersion: 'TLS1_2'
    administratorLogin: 'pgadmin'
    administratorLoginPassword: password
  }
}

resource explicitlyDisabledServer 'Microsoft.DBforMySQL/servers@2017-12-01' = {
  name: 'explicitly-disabled-mysql'
  location: 'eastus'
  properties: {
    createMode: 'Default'
    infrastructureEncryption: 'Disabled' // Vulnerable: explicitly disabled
    sslEnforcement: 'Enabled'
    minimalTlsVersion: 'TLS1_2'
    administratorLogin: 'mysqladmin'
    administratorLoginPassword: password
  }
}
```

```bicep
// Secure examples: infrastructureEncryption set to 'Enabled' at creation time
@secure()
param password string

resource securePostgreSQLServer 'Microsoft.DBforPostgreSQL/servers@2017-12-01' = {
  name: 'secure-postgresql'
  location: 'eastus'
  properties: {
    createMode: 'Default'
    infrastructureEncryption: 'Enabled' // Secure: double encryption enabled
    sslEnforcement: 'Enabled'
    minimalTlsVersion: 'TLS1_2'
    administratorLogin: 'pgadmin'
    administratorLoginPassword: password
  }
}

resource secureMySQLServer 'Microsoft.DBforMySQL/servers@2017-12-01' = {
  name: 'secure-mysql'
  location: 'eastus'
  properties: {
    createMode: 'Default'
    infrastructureEncryption: 'Enabled' // Secure: double encryption enabled
    sslEnforcement: 'Enabled'
    minimalTlsVersion: 'TLS1_2'
    administratorLogin: 'mysqladmin'
    administratorLoginPassword: password
  }
}
```
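To catch this misconfiguration before deployment, the check below (an added example, not part of the original page or of any Azure tooling) walks the ARM JSON that `bicep build` emits and flags every PostgreSQL or MySQL single server whose properties omit infrastructureEncryption or set it to anything other than 'Enabled'. The embedded template is constructed to mirror the four servers above plus an unrelated storage account that must not be flagged; it is not output captured from Azure.

```python
"""Flag Azure Database for PostgreSQL/MySQL single servers whose ARM template
omits or disables infrastructureEncryption.

Usage: python check_infra_encryption.py main.json
(`bicep build main.bicep` writes main.json next to the source). With no
argument the constructed SAMPLE_TEMPLATE below is checked instead."""
import json
import sys

# Resource types that carry the infrastructureEncryption property (2017-12-01 API).
DB_SERVER_TYPES = {
    "microsoft.dbforpostgresql/servers",
    "microsoft.dbformysql/servers",
}


def _iter_resources(template):
    """Yield every resource object in an ARM template, including nested children.

    `bicep build` emits `resources` as a list; with symbolic names enabled it
    emits an object keyed by symbolic name, so both shapes are accepted."""
    resources = template.get("resources", [])
    if isinstance(resources, dict):
        resources = resources.values()
    for res in resources:
        yield res
        yield from _iter_resources(res)


def find_unencrypted_servers(template):
    """Return a list of (resource name, reason) findings.

    A server is flagged when infrastructureEncryption is absent (the service
    default is Disabled) or has any value other than 'Enabled'."""
    findings = []
    for res in _iter_resources(template):
        if str(res.get("type", "")).lower() not in DB_SERVER_TYPES:
            continue
        props = res.get("properties") or {}
        value = props.get("infrastructureEncryption")
        name = res.get("name", "<unnamed>")
        if value is None:
            findings.append((name, "infrastructureEncryption not set (defaults to Disabled)"))
        elif str(value).lower() != "enabled":
            findings.append((name, f"infrastructureEncryption is {value!r}"))
    return findings


# Constructed sample: the shape `bicep build` produces for the page's four
# servers, trimmed to the fields the check reads, plus one unrelated resource.
SAMPLE_TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {"type": "Microsoft.DBforPostgreSQL/servers", "apiVersion": "2017-12-01",
         "name": "insecure-postgresql",
         "properties": {"sslEnforcement": "Enabled", "minimalTlsVersion": "TLS1_2"}},
        {"type": "Microsoft.DBforMySQL/servers", "apiVersion": "2017-12-01",
         "name": "explicitly-disabled-mysql",
         "properties": {"infrastructureEncryption": "Disabled", "sslEnforcement": "Enabled"}},
        {"type": "Microsoft.DBforPostgreSQL/servers", "apiVersion": "2017-12-01",
         "name": "secure-postgresql",
         "properties": {"infrastructureEncryption": "Enabled", "sslEnforcement": "Enabled"}},
        {"type": "Microsoft.DBforMySQL/servers", "apiVersion": "2017-12-01",
         "name": "secure-mysql",
         "properties": {"infrastructureEncryption": "Enabled", "sslEnforcement": "Enabled"}},
        # Different resource type: ignored even though it lacks the property.
        {"type": "Microsoft.Storage/storageAccounts", "apiVersion": "2023-01-01",
         "name": "unrelatedstorage", "properties": {}},
    ],
}


def main(argv):
    """Print one FAIL line per finding; exit status 1 if anything was flagged."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            template = json.load(fh)
    else:
        template = SAMPLE_TEMPLATE
    findings = find_unencrypted_servers(template)
    for name, reason in findings:
        print(f"FAIL {name}: {reason}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The non-zero exit status lets the script gate a CI pipeline step. Because the check treats an absent property as a failure, it also catches templates that rely on the service default rather than setting the value explicitly. For servers that are already deployed, the same property is reported by `az postgres server show` and `az mysql server show`, so the same comparison can be run against live resources.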