module/ConfigurationProvider/ControlConfigurations/Services/DBForMySQLFlexibleServer.json
|
{
"FeatureName": "DBForMySqlFlexibleServer", "IsMaintenanceMode": false, "Controls": [ { "ControlID": "Azure_DBForMySQLFlexibleServer_DP_Enable_SSL", "Description": "SSL connection must be enabled for Azure Database for MySQL - Flexible Servers", "Id": "DBForMySqlFS100", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckMySQLFlexibleServerSecureTransport", "DisplayName": "SSL connection must be enabled for Azure Database for MySQL - Flexible Servers", "Rationale": "Enforcing secure transport between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application.", "Recommendation": "To configure secure transport for client communication, Go to Azure Portal --> Azure Database for MySQL flexible server --> Select server --> Settings --> Server parameters --> search 'require_secure_transport' --> set parameter 'require_secure_transport' as 'ON' --> Click 'Save', or Run Command : Update-AzMySqlFlexibleServerConfiguration -Name 'require_secure_transport' -ResourceGroupName <ResourceGroupName> -ServerName <ServerName> -Value 'ON' ", "Tags": [ "Baseline", "DP" ], "Category": "Encrypt data in transit", "ControlRequirements": "Data must be encrypted in transit and at rest", "ControlSettings": { "RequireSecureTransport": "ON" }, "ControlEvaluationDetails": { "RequiredProperties": [ "DBForMySqlFSRequireSecureTransport" ] }, "Enabled": true, "CustomTags": [ "SN:MySQLFLEXIBLESERVERS_SSL", "TBv8", "TenantBaseline", "Preview", "Daily", "MSD", "CAIPreview", "EDPreview", "SMTPreview" ] }, { "ControlID": "Azure_DBForMySQLFlexibleServer_DP_Use_Secure_TLS_Version", "Description": "Use approved version of TLS for Azure Database for MySQL - Flexible Servers", "Id": "DBForMySqlFS110", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckMySQLFlexibleServerTLSVersion", "DisplayName": "Use approved version of TLS for Azure Database for MySQL - Flexible Servers", "Rationale": "TLS provides privacy and data integrity between client and server. Using approved TLS version significantly reduces risks from security design issues and security bugs that may be present in older versions.", "Recommendation": "To configure 'Minimum TLS Version' setting for 'Azure Database for My SQL' flexible Server, Go to Azure Portal --> Azure Database for MySQL flexible server -->Server parameters --> set parameter 'tls_version' as 'TLSV1.2' and unselect other lower versions like TLSV1.", "Tags": [ "Baseline", "DP" ], "Category": "Encrypt data in transit", "ControlRequirements": "Data must be encrypted in transit and at rest", "ControlSettings": { "MinReqTLSVersion": "1.2", "CurrentTLSversionPatternInAPIResponse": "TLSV" }, "ControlEvaluationDetails": { "RequiredProperties": [ "DBForMySqlFSTLSVersion" ] }, "Enabled": true, "CustomTags": [ "Preview", "Daily", "TenantBaseline", "MSD", "TBv8", "CAIPreview", "EDPreview", "SMTPreview", "SN:MySQLFLEXIBLESERVERS_TLS", "CAIWave1" ] }, { "ControlID": "Azure_DBForMySQLFlexibleServer_NetSec_Dont_Allow_Public_Network_Access", "Description": "Public network access must be disabled for Azure Database for MySQL - Flexible Servers", "Id": "DBForMySqlFS120", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckPublicNetworkAccess", "DisplayName": "Public network access must be disabled for Azure Database for MySQL - Flexible Servers", "ControlRequirements": "Restrict network traffic flows", "Category": "Deploy controls to restrict network traffic", "Rationale": "To improve the security of 'Azure Database for MySQL' flexible Server, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks.", "Recommendation": "To remediate, disable public network access on your 'Azure Database for MySQL' flexible Server. Go to Azure Portal --> your Azure Database for MySQL flexible Server --> Settings --> Networking --> Public access --> Deny public network access --> Unselect 'Allow public access to this resource through the internet using a public IP address' --> Save", "Tags": [ "Automated", "NetSec", "Baseline" ], "ControlEvaluationDetails": { "RequiredProperties": [ "PublicNetworkAccess" ] }, "Enabled": true, "CustomTags": [ "Weekly" ] }, { "ControlID": "Azure_DBForMySQLFlexibleServer_Enable_Diagnostic_Settings", "Description": "Diagnostic logs must be enabled for Azure Database for MySQL - Flexible Servers", "Id": "DBForMySqlFS130", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckDiagnosticsSettings", "DisplayName": "Diagnostic logs must be enabled for Azure Database for MySQL - Flexible Servers", "Category": "Monitoring must be correctly configured", "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance", "Rationale": "Diagnostic logs must be enabled as they provide details for investigation in case of a security breach for threats.", "Recommendation": "To Configure 'Diagnostic settings' for Azure Database for MySQL - Flexible Servers (refer to https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/create-diagnostic-settings?tabs=portal for more details), go to Azure Portal --> Your Database for MySQL Flexible Server --> Diagnostic settings --> Enable [MySQL Audit Logs] Category with a minimum retention period of 90 days.", "Tags": [ "Automated", "Audit", "Diagnostics", "DBForMySqlFlexibleServer", "Baseline" ], "ControlEvaluationDetails": { "RequiredProperties": [ "DiagnosticSettings" ] }, "Enabled": true, "ControlSettings": { "DiagnosticForeverRetentionValue": "0", "DiagnosticMinRetentionPeriod": "90", "DiagnosticLogs": [ "MySqlAuditLogs" ] }, "CustomTags": [ "Weekly" ] } ] } |