module/ConfigurationProvider/ControlConfigurations/Services/DBForMySql.json
{
"FeatureName": "DBForMySql", "Reference": "aka.ms/azsktcp/DBForMySql", "IsMaintenanceMode": false, "Controls": [ { "ControlID": "Azure_DBforMySQL_AuthZ_Firewall_Deny_AzureServices_Access", "DisplayName": "Use the 'Allow access to Azure services' flag for DBForMySQL only if required", "Description": "Use the 'Allow access to Azure services' flag for DBForMySQL only if required", "Id": "DBforMySql100", "ControlSeverity": "Medium", "Category": "Management interfaces and ports must not be open", "ControlRequirements": "Restrict network traffic flows", "Automated": "Yes", "MethodName": "CheckMySQLFirewallAccessAzureService", "Rationale": "The 'Allow access to Azure services' setting configures a very broad range of IP addresses from Azure as permitted to access the MySQL Server. Please make sure your scenario really requires this setting before enabling it. Turning it ON exposes your MySQL Server to risk of attacks from resources (IPs) owned by others in the Azure region.", "Recommendation": "1. Turn 'OFF' the 'Allow access to Azure services' setting. 2. Remove IP range from firewall rules. 
Refer: https://docs.microsoft.com/en-us/azure/mysql/concepts-firewall-rules#connecting-from-azure", "Tags": [ "SDL", "TCP", "AuthZ", "Automated", "Weekly", "Baseline" ], "Enabled": true, "CustomTags": [], "ControlSettings": { "FirewallRuleName_AllowAzureIps": "AllowAllWindowsAzureIps" }, "ControlEvaluationDetails": { "RequiredProperties": [ "FirewallRules" ] } }, { "ControlID": "Azure_DBforMySQL_NetSec_Dont_Allow_Universal_IP_Range", "Description": "Do not use Any-to-Any IP range for Azure Database for MySQL.", "Id": "DBforMySql110", "ControlSeverity": "High", "DisplayName": "Do not use Any-to-Any IP range for Azure Database for MySQL", "Category": "Deploy controls to restrict network traffic", "ControlRequirements": "Restrict network traffic flows", "ControlEvaluationDetails": { "RequiredProperties": [ "FirewallRules" ] }, "Automated": "Yes", "MethodName": "CheckMySQLFirewallIpRange", "Rationale": "Using the firewall feature ensures that access to the data or the service is restricted to a specific set/group of clients. NOTE: While this control does provide an extra layer of access control protection, it may not always be feasible to implement in all scenarios.", "Recommendation": "Do not configure 'Any to Any' firewall IP address. 
Refer: https://docs.microsoft.com/en-us/azure/mysql/concepts-firewall-rules.", "Tags": [ "SDL", "TCP", "NetSec", "Automated", "Baseline", "Weekly" ], "ControlSettings": { "IPRangeStartIP": "0.0.0.0", "IPRangeEndIP": "255.255.255.255", "FirewallRuleName_AllowAzureIps": "AllowAllWindowsAzureIps" }, "Enabled": true, "CustomTags": [] }, { "ControlID": "Azure_DBforMySQL_Authz_Enable_SSL_Connection", "Description": "SSL connection must be enabled for Azure Database for MySQL", "Id": "DBforMySQL120", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckMySQLSSLConnection", "DisplayName": "SSL connection must be enabled for Azure Database for MySQL", "Category": "Encrypt data in transit", "ControlRequirements": "Data must be encrypted in transit and at rest", "Rationale": "Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application.", "Recommendation": "To enable SSL connection for Azure Database for MySQL server, refer https://docs.microsoft.com/en-us/azure/mysql/concepts-ssl-connection-security.", "Tags": [ "SDL", "TCP", "Authz", "Automated", "Baseline", "Weekly" ], "Enabled": true, "CustomTags": [], "ControlEvaluationDetails": { "RequiredProperties": [ "SSLState" ] } }, { "ControlID": "Azure_DBforMySQL_Audit_Enable_ATP", "Description": "Advanced Threat Protection must be enabled for Azure Database for MySQL", "Id": "DBforMySQL150", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckMySQLATPSetting", "DisplayName": "Enable Threat detection for MySQL database", "Category": "Monitoring must be enabled", "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance", "Rationale": "Advanced Threat Protection for Azure Database for MySQL provides a layer of security, which enables customers to detect and respond to potential 
threats as they occur by providing security alerts on anomalous activities.", "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/mysql/concepts-data-access-and-security-threat-protection", "Tags": [ "SDL", "TCP", "Audit", "Automated", "Baseline", "Weekly" ], "Enabled": true, "ControlSettings": { "UnsupportedTier": [ "Basic" ] }, "ControlEvaluationDetails": { "RequiredProperties": [ "ATPStatus", "Tier", "SecurityAlertPolicy" ] }, "CustomTags": [ "P2", "Wave99", "SN:mySQL_TDE" ] }, { "ControlID": "Azure_DBforMySQL_Audit_Enable_Diagnostics_Log", "Description": "Diagnostics logs must be enabled for Azure Database for MySQL", "Id": "DBforMySQL160", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckDiagnosticsSettings", "DisplayName": "Diagnostics logs must be enabled for Azure Database for MySQL", "Category": "Monitoring must be correctly configured", "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance", "Rationale": "Logs should be retained for a long enough period so that the activity trail can be recreated when investigations are required in the event of an incident or a compromise. 
A period of 1 year is typical for several compliance requirements as well.", "Recommendation": "You can change the diagnostic settings from the Azure Portal by following the steps given here: https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings.", "Tags": [ "SDL", "TCP", "Audit", "Diagnostics", "DBforMySQL", "Automated", "Baseline", "Weekly" ], "ControlEvaluationDetails": { "RequiredProperties": [ "DiagnosticSettings" ] }, "Enabled": true, "ControlSettings": { "DiagnosticForeverRetentionValue": "0", "DiagnosticMinRetentionPeriod": "365", "DiagnosticLogs": [ "MySqlAuditLogs" ] }, "CustomTags": [] }, { "ControlID": "Azure_DBforMySQL_DP_Use_Secure_TLS_Version", "Description": "Use approved version of TLS for Azure Database for MySQL", "Id": "DBforMySQL190", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckMySQLTLSVersion", "DisplayName": "Use approved version of TLS for Azure Database for MySQL", "Category": "Encrypt data in transit", "ControlRequirements": "Data must be encrypted in transit and at rest", "Rationale": "TLS provides confidentiality and data integrity between client and server. Using an approved TLS version significantly reduces risks from security design issues and security bugs that may be present in older versions.", "Recommendation": "To configure the 'Minimum TLS Version' setting for 'Azure Database for MySQL' single server, go to Azure Portal --> Your Resource --> Connection Security --> Enable SSL (if disabled) --> Set the Minimum TLS Version to the latest version. 
Refer: https://docs.microsoft.com/en-us/azure/mysql/concepts-ssl-connection-security#tls-enforcement-in-azure-database-for-mysql", "Tags": [ "DP", "Automated", "Baseline", "Weekly" ], "Enabled": true, "CustomTags": [], "ControlSettings": { "MinReqTLSVersion": "1.2" } }, { "ControlID": "Azure_DBForMySQL_NetSec_Dont_Allow_Public_Network_Access_MCSB", "Description": "[MCSB] Public network access should be disabled for MySQL servers", "Id": "DBforMySQL210", "ControlSeverity": "High", "Automated": "Yes", "DisplayName": "[MCSB] Public network access should be disabled for MySQL servers", "Category": "Deploy controls to restrict network traffic", "ControlRequirements": "Restrict network traffic flows", "Rationale": "Disabling the public network access property improves security by ensuring your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range and denies all logins that match IP or virtual network-based firewall rules.", "Recommendation": "To restrict public network access, please refer: https://learn.microsoft.com/en-us/azure/mysql/single-server/how-to-deny-public-network-access#set-deny-public-network-access", "ControlScanSource": "MDC", "AssessmentProperties": { "AssessmentNames": [ "d5d090f1-7d5c-9b38-7344-0ede8343276d" ], "AssessmentStatusMappings": [ { "AssessmentStatusCode": "NotApplicable", "EffectiveVerificationResult": "Failed", "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*", "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed." 
} ] }, "Tags": [ "Automated", "Baseline", "NetSec", "DBForMySQL" ], "Enabled": false, "CustomTags": [ "Daily", "MCSB" ] }, { "ControlID": "Azure_DBforMySQL_AuthZ_Enable_SSL_Connection_MCSB", "Description": "[MCSB] Enforce SSL connection should be enabled for MySQL database servers", "Id": "DBforMySQL220", "ControlSeverity": "High", "Automated": "Yes", "ControlScanSource": "MDC", "DisplayName": "[MCSB] Enforce SSL connection should be enabled for MySQL database servers", "Category": "Encrypt data in transit", "ControlRequirements": "Data must be encrypted in transit and at rest", "Rationale": "Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application", "Recommendation": "To enable SSL connection for Azure Database for MySQL server, refer https://docs.microsoft.com/en-us/azure/mysql/concepts-ssl-connection-security.", "Tags": [ "DBforMySQL", "Baseline", "AuthZ" ], "AssessmentProperties": { "AssessmentNames": [ "1f6d29f6-4edb-ea39-042b-de8f123ddd39" ], "AssessmentStatusMappings": [ { "AssessmentStatusCode": "NotApplicable", "EffectiveVerificationResult": "Failed", "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*", "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed." 
} ] }, "Enabled": false, "CustomTags": [ "Daily", "MCSB" ] }, { "ControlID": "Azure_DBForMySQL_BCDR_Enable_Geo_Redundant_Backup_MCSB", "Description": "[MCSB] Geo-redundant backup should be enabled for Azure Database for MySQL", "Id": "DBForMySQL230", "ControlSeverity": "High", "Automated": "Yes", "DisplayName": "[MCSB] Geo-redundant backup should be enabled for Azure Database for MySQL", "Category": "Monitoring must be correctly configured", "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance", "Rationale": "Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to geo-redundant backup storage, in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide a recovery option in case of a region failure.", "Recommendation": "After a server is created, its redundancy kind (geo-redundant vs locally redundant) cannot be switched; create a new server with geo-redundant backup enabled. Refer: https://learn.microsoft.com/en-us/azure/mysql/single-server/how-to-restore-server-portal#set-backup-configuration", "ControlScanSource": "MDC", "AssessmentProperties": { "AssessmentNames": [ "8ad68a2f-c6b1-97b5-41b5-174359a33688" ], "AssessmentStatusMappings": [ { "AssessmentStatusCode": "NotApplicable", "EffectiveVerificationResult": "Failed", "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*", "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed." 
} ] }, "Tags": [ "Automated", "Baseline", "BCDR", "DBForMySQL" ], "Enabled": false, "CustomTags": [ "Daily", "MCSB" ] }, { "ControlID": "Azure_DBforMySQL_DP_Enable_Encryption_With_Customer_Managed_Keys_MCSB", "Description": "[MCSB] MySQL servers should use customer-managed keys to encrypt data at rest", "Id": "DBforMySQL240", "ControlSeverity": "High", "Automated": "Yes", "ControlScanSource": "MDC", "DisplayName": "[MCSB] MySQL servers should use customer-managed keys to encrypt data at rest", "Category": "Encrypt data in transit", "ControlRequirements": "Data must be encrypted in transit and at rest", "Rationale": "Data encryption ensures that sensitive data is stored encrypted at rest. This minimizes the risk of data loss from physical theft and also helps meet regulatory compliance requirements. By using a customer-managed key, you can supplement default encryption with an additional encryption layer.", "Recommendation": "To use customer-managed keys in Azure DB for MySQL, please refer: https://learn.microsoft.com/en-us/azure/mysql/single-server/how-to-data-encryption-portal", "Tags": [ "DBforMySQL", "Automated", "Baseline", "DP" ], "AssessmentProperties": { "AssessmentNames": [ "6b51b7f7-cbed-75bf-8a02-43384bf47562" ], "AssessmentStatusMappings": [ { "AssessmentStatusCode": "NotApplicable", "EffectiveVerificationResult": "Failed", "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*", "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed." 
} ] }, "Enabled": false, "CustomTags": [ "Daily", "MCSB" ] }, { "ControlID": "Azure_DBforMySQL_NetSec_Enable_Private_Endpoint_Connections_MCSB", "Description": "[MCSB] Private endpoint should be enabled for MySQL servers", "Id": "DBforMySQL200", "ControlSeverity": "High", "Automated": "Yes", "ControlScanSource": "MDC", "DisplayName": "[MCSB] Private endpoint should be enabled for MySQL servers", "Category": "Deploy controls to restrict network traffic", "ControlRequirements": "Restrict network traffic flows", "Rationale": "Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to allow only traffic coming from known networks and to prevent access from all other IP addresses, including those within Azure.", "Recommendation": "To configure a private endpoint for 'Azure Database for MySQL', refer: https://learn.microsoft.com/en-us/azure/mysql/single-server/concepts-data-access-security-private-link#configure-private-link-for-azure-database-for-mysql", "Tags": [ "NetSec", "Automated", "Baseline", "DBForMySQL" ], "AssessmentProperties": { "AssessmentNames": [ "cec4922b-1eb3-cb74-660b-ffad9b9ac642" ], "AssessmentStatusMappings": [ { "AssessmentStatusCode": "NotApplicable", "EffectiveVerificationResult": "Failed", "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*", "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed." 
} ] }, "Enabled": false, "CustomTags": [ "Daily", "MCSB" ] }, { "ControlID": "Azure_DBforMySQL_NetSec_Dont_Allow_Public_Network_Access", "Description": "Public network access must be disabled for MySQL servers", "Id": "DBforMySQL250", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckPublicNetworkAccess", "DisplayName": "Public network access must be disabled for MySQL servers", "ControlRequirements": "Restrict network traffic flows", "Category": "Deploy controls to restrict network traffic", "ControlScanSource": "MDCorReader", "Rationale": "To improve the security of Azure Database for MySQL, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks.", "Recommendation": "To remediate, disable public network access on your 'Azure Database for MySQL'. Go to Azure Portal --> your Azure Database for MySQL --> Settings --> Connection security --> Deny public network access --> Select 'Yes' --> Save", "Tags": [ "Automated", "NetSec", "DBForMySQL", "Baseline" ], "ControlEvaluationDetails": { "RequiredProperties": [ "PublicNetworkAccess" ] }, "AssessmentProperties": { "AssessmentNames": [ "d5d090f1-7d5c-9b38-7344-0ede8343276d" ] }, "Enabled": true, "CustomTags": [ "Weekly" ] } ] }