module/ConfigurationProvider/ControlConfigurations/Services/SQLManagedInstance.json

{
    "FeatureName": "SQLManagedInstance",
    "Reference": "",
    "IsMaintenanceMode": false,
    "Controls": [
        {
            "ControlID": "Azure_SQLManagedInstance_Audit_Enable_Vuln_Assessment",
            "Description": "Enable vulnerability assessment on SQL managed instances, with the 'email admins' notification option.",
            "Id": "SQLManagedInstance110",
            "ControlSeverity": "Medium",
            "Automated": "Yes",
            "MethodName": "CheckSqlMIVulnerabilityAssessmentSetting",
            "Rationale": "Known database vulnerabilities in a system can be easy targets for attackers. A vulnerability assessment solution can help to detect/warn about vulnerabilities in the system and facilitate addressing them in a timely manner.",
            "Recommendation": "First run command 'Enable-AzSqlInstanceAdvancedDataSecurity -ResourceGroupName '{ResourceGroupName}' -InstanceName '{InstanceName}''. Then run command 'Update-AzSqlInstanceVulnerabilityAssessmentSetting -ResourceGroupName '{ResourceGroupName}' -InstanceName '{InstanceName}' -StorageAccountName '{StorageAccountName}' -ScanResultsContainerName 'vulnerability-assessment' -RecurringScansInterval Weekly -EmailAdmins $true -NotificationEmail @('mail1@mail.com' , 'mail2@mail.com')'.",
            "Tags": [
                "SDL",
                "TCP",
                "Automated",
                "Audit",
                "Baseline",
                "Weekly"
            ],
            "Enabled": true,
            "ControlEvaluationDetails": {
                "RequiredProperties": [
                    "VulnerabilityAssessmentSetting"
                ]
            },
            "PolicyDefinitionGuid": "1b7aa243-30e4-4c9e-bca8-d0d3022b634a",
            "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a",
            "DisplayName": "Vulnerability assessment must be enabled on your SQL managed instances",
            "Category": "Vulnerability assessments must be enabled on all services",
            "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance",
            "CustomTags": []
        },
        {
            "ControlID": "Azure_SQLManagedInstance_SI_Remediate_Security_Vulnerabilities",
            "Description": "Vulnerabilities on your SQL databases should be remediated.",
            "Id": "SQLManagedInstance120",
            "ControlSeverity": "High",
            "Automated": "Yes",
            "MethodName": "",
            "DisplayName": "Vulnerabilities on your SQL databases should be remediated",
            "Category": "Vulnerabilities must be remediated",
            "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance",
            "AssessmentName": "fe02b3b7-a722-d4d6-6731-6493776203a6",
            "ControlScanSource": "MDC",
            "AssessmentProperties": {
                "AssessmentNames": [
                    "fe02b3b7-a722-d4d6-6731-6493776203a6"
                ],
                "ResourceDetails": {
                    "HasExtendedResourceId": true,
                    "ExtendedIdResourceTypes": [
                        "Microsoft.Sql/managedInstances/databases"
                    ],
                    "ExcludeExtendedIdPatterns": ".*/master$"
                }
            },
            "Rationale": "Known database vulnerabilities in a system can be easy targets for attackers. A vulnerability assessment solution can help to detect/warn about vulnerabilities in the system and facilitate addressing them in a timely manner.",
            "Recommendation": "Go to Security Center --> Data & storage --> SQL --> select the SQL managed instance --> select the recommendation in the recommendation list --> remediate the listed vulnerabilities",
            "Tags": [
                "SDL",
                "Automated",
                "Baseline",
                "Weekly"
            ],
            "Enabled": true,
            "CustomTags": []
        },
        {
            "ControlID": "Azure_SQLManagedInstance_DP_Use_Secure_TLS_Version",
            "Description": "Use approved version of TLS for Azure SQL Managed Instance",
            "Id": "SQLManagedInstance130",
            "ControlSeverity": "High",
            "Automated": "Yes",
            "MethodName": "CheckSqlMIMinTLSVersion",
            "DisplayName": "Use approved version of TLS for Azure SQL Managed Instance",
            "Category": "Encrypt data in transit",
            "ControlRequirements": "Data must be encrypted in transit and at rest",
            "Recommendation": "Configure the 'Minimal TLS Version' setting for Azure SQL Managed Instance. Refer: https://docs.microsoft.com/en-us/azure/azure-sql/managed-instance/minimal-tls-version-configure",
            "Tags": [
                "SDL",
                "TCP",
                "Automated",
                "DP",
                "Baseline",
                "Weekly"
            ],
            "Enabled": true,
            "Rationale": "TLS provides privacy and data integrity between client and server. Using an approved TLS version significantly reduces the risk from security design issues and security bugs that may be present in older versions.",
            "ControlSettings": {
                "MinReqTLSVersion": "1.2",
                "MinTLSVersionNotSet": "None"
            },
            "CustomTags": []
        }
    ]
}