module/ConfigurationProvider/ControlConfigurations/Services/SQLManagedInstance.json
|
{
"FeatureName": "SQLManagedInstance", "Reference": "", "IsMaintenanceMode": false, "Controls": [ { "ControlID": "Azure_SQLManagedInstance_Audit_Enable_Vuln_Assessment", "Description": "Enable SQL managed instances vulnerability assessments with email admins option.", "Id": "SQLManagedInstance110", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckSqlMIVulnerabilityAssessmentSetting", "Rationale": "Known database vulnerabilities in a system can be easy targets for attackers. A vulnerability assessment solution can help to detect/warn about vulnerabilities in the system and facilitate addressing them in a timely manner.", "Recommendation": "First run command 'Enable-AzSqlInstanceAdvancedDataSecurity -ResourceGroupName '{ResourceGroupName}' -InstanceName '{InstanceName}''. Then run command 'Update-AzSqlInstanceVulnerabilityAssessmentSetting -ResourceGroupName '{ResourceGroupName}' -InstanceName '{InstanceName}' -StorageAccountName '{StorageAccountName}' -ScanResultsContainerName 'vulnerability-assessment' -RecurringScansInterval Weekly -EmailAdmins $true -NotificationEmail @('mail1@mail.com' , 'mail2@mail.com')'.", "Tags": [ "SDL", "TCP", "Automated", "Audit", "Baseline", "Weekly" ], "Enabled": true, "ControlEvaluationDetails": { "RequiredProperties": [ "VulnerabilityAssessmentSetting" ] }, "PolicyDefinitionGuid": "1b7aa243-30e4-4c9e-bca8-d0d3022b634a", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a", "DisplayName": "Vulnerability assessment must be enabled on your SQL managed instances", "Category": "Vulnerability assessments must be enabled on all services", "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance", "CustomTags": [] }, { "ControlID": "Azure_SQLManagedInstance_SI_Remediate_Security_Vulnerabilities", "Description": "Vulnerabilities on your SQL databases should be remediated.", "Id": "SQLManagedInstance120", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "", "DisplayName": "Vulnerabilities on your SQL databases should be remediated", "Category": "Vulnerabilities must be remediated", "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance", "AssessmentName": "fe02b3b7-a722-d4d6-6731-6493776203a6", "ControlScanSource": "MDC", "AssessmentProperties": { "AssessmentNames": [ "fe02b3b7-a722-d4d6-6731-6493776203a6" ], "ResourceDetails": { "HasExtendedResourceId": true, "ExtendedIdResourceTypes": [ "Microsoft.Sql/managedInstances/databases" ], "ExcludeExtendedIdPatterns": ".*/master$" } }, "Rationale": "Known database vulnerabilities in a system can be easy targets for attackers. A vulnerability assessment solution can help to detect/warn about vulnerabilities in the system and facilitate addressing them in a timely manner.", "Recommendation": "Go to security center --> Data & storage --> SQL --> Click on SQL DB Managed instance --> Click on Recommendation in Recommendation List --> Remediate list of vulnerabilities", "Tags": [ "SDL", "Automated", "Baseline", "Weekly" ], "Enabled": true, "CustomTags": [] }, { "ControlID": "Azure_SQLManagedInstance_DP_Use_Secure_TLS_Version", "Description": "Use approved version of TLS for Azure SQL Managed Instance", "Id": "SQLManagedInstance130", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckSqlMIMinTLSVersion", "DisplayName": "Use approved version of TLS for Azure SQL Managed Instance", "Category": "Encrypt data in transit", "ControlRequirements": "Data must be encrypted in transit and at rest", "Rationale": "TLS provides confidentiality and data integrity between client and server. Using approved TLS version significantly reduces risks from security design issues and security bugs that may be present in older versions.", "Recommendation": "To Configure 'Minimum TLS Version' setting for SQL Managed Instance, go to Azure Portal --> Your SQL Managed Instance --> Networking --> Set the Minimum TLS Version to latest version or refer: https://docs.microsoft.com/en-us/azure/azure-sql/managed-instance/minimal-tls-version-configure", "Tags": [ "SDL", "TCP", "Automated", "DP", "Baseline" ], "Enabled": true, "ControlSettings": { "MinReqTLSVersion": "1.2", "MinTLSVersionNotSet": "None" }, "CustomTags": [ "Daily", "SN:SQLMANGINS_TLS", "Preview", "TenantBaseline", "MSD", "TBv8", "TRWave4", "TRPreview", "TRBaseline", "EDPreview", "SMTPreview", "CAIPreview", "CAIWave1" ] }, { "ControlID": "Azure_SQLManagedInstance_Config_Enable_MicrosoftDefender_MCSB", "Description": "[MCSB] Microsoft Defender for SQL should be enabled for unprotected SQL Managed Instances", "Id": "SQLManagedInstance140", "ControlSeverity": "High", "Automated": "Yes", "ControlScanSource": "MDC", "DisplayName": "[MCSB] Microsoft Defender for SQL should be enabled for unprotected SQL Managed Instances", "Category": "Monitoring must be correctly configured", "ControlRequirements": "To support threat detection scenarios, monitor all known resource types for known and expected threats and anomalies", "Rationale": "Microsoft Defender for SQL is a unified package that provides advanced SQL security capabilities. It surfaces and mitigates potential database vulnerabilities, and detects anomalous activities that could indicate a threat to your database.", "Recommendation": "To enable Microsoft Defender for SQL on managed SQL servers: 1. From Defender for Cloud's 'Environment settings' page, select the relevant subscription. 2. In the 'Defender plans' page, set 'Microsoft Defender for SQL' to 'On'. 3. Under 'Vulnerability Assessment Settings', configure a storage account for storing vulnerability assessment scan results and set 'Periodic recurring scans' to 'On'. 4. Select 'Save'.", "Tags": [ "SDL", "Automated", "Baseline", "Config" ], "AssessmentProperties": { "AssessmentNames": [ "ff6dbca8-d93c-49fc-92af-dc25da7faccd" ], "AssessmentStatusMappings": [ { "AssessmentStatusCode": "NotApplicable", "EffectiveVerificationResult": "Failed", "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*", "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed." } ] }, "Enabled": false, "CustomTags": [ "Daily", "MCSB" ] }, { "ControlID": "Azure_SQLManagedInstance_Audit_Enable_Vulnerability_Assessment_MCSB", "Description": "[MCSB] SQL managed instances should have vulnerability assessment configured", "Id": "SQLManagedInstance150", "ControlSeverity": "High", "Automated": "Yes", "ControlScanSource": "MDC", "DisplayName": "[MCSB] SQL managed instances should have vulnerability assessment configured", "Category": "Vulnerability assessments must be enabled on all services", "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance", "Rationale": "Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.", "Recommendation": "To enable vulnerability assessment on a managed instance: 1. Select the SQL managed instance. 2. Make sure that 'Advanced data security' is set to 'On'. 3. Under 'Vulnerability assessment settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results. 4. Select 'Save'.", "Tags": [ "SDL", "Automated", "Baseline", "Audit" ], "AssessmentProperties": { "AssessmentNames": [ "c42fc28d-1703-45fc-aaa5-39797f570513" ], "AssessmentStatusMappings": [ { "AssessmentStatusCode": "NotApplicable", "EffectiveVerificationResult": "Failed", "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*", "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed." } ] }, "Enabled": false, "CustomTags": [ "Daily", "MCSB" ] }, { "ControlID": "Azure_SQLManagedInstance_DP_Use_Managed_Keys_MCSB", "Description": "[MCSB] SQL managed instances should use customer-managed keys to encrypt data at rest", "Id": "SQLManagedInstance160", "ControlSeverity": "High", "Automated": "Yes", "ControlScanSource": "MDC", "DisplayName": "[MCSB] SQL managed instances should use customer-managed keys to encrypt data at rest", "Category": "Encrypt data in transit", "ControlRequirements": "Data must be encrypted in transit and at rest", "Rationale": "TDE (Transparent Data Encryption) ensures that sensitive data is stored encrypted at rest. This minimizes the risk of data loss from physical theft and also helps meet regulatory compliance requirements. And by using a customer-managed key, you can supplement default encryption with an additional encryption layer.", "Recommendation": "To use customer managed keys to encrypt data in Azure SQL Managed Instance, please refer: https://learn.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-byok-overview?view=azuresql#recommendations-when-configuring-akv", "Tags": [ "SQLManagedInstance", "Baseline", "DP" ], "AssessmentProperties": { "AssessmentNames": [ "9623b858-1d4e-4748-180f-3d0d671df078" ], "AssessmentStatusMappings": [ { "AssessmentStatusCode": "NotApplicable", "EffectiveVerificationResult": "Failed", "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*", "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed." } ] }, "Enabled": false, "CustomTags": [ "Daily", "MCSB" ] }, { "ControlID": "Azure_SQLManagedInstance_AuthZ_Use_AAD_Only_MCSB", "Description": "[MCSB] Azure SQL Managed Instance should only have AAD based Authentication enabled", "Id": "SQLManagedInstance170", "ControlSeverity": "High", "Automated": "Yes", "ControlScanSource": "MDC", "DisplayName": "[MCSB] Azure SQL Managed Instance should only have AAD based Authentication enabled", "Category": "Authentication must be enabled on all user accounts and services", "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms", "Rationale": "Disabling local authentication methods and allowing only Azure Active Directory Authentication improves security by ensuring that Azure SQL Managed Instances can exclusively be accessed by Azure Active Directory identities. Learn more at: aka.ms/adonlycreate.", "Recommendation": "To enable Azure Active Directory Only Authentication for Azure SQL Managed Instance: 1. Use the following CLI commands: 'az sql mi ad-only-auth enable --resource-group myresource --name myserver' 2. Use the following Powershell commands 'Enable-AzSqlInstanceActiveDirectoryOnlyAuthentication -InstanceName myinstance -ResourceGroupName myresource' 3. More details on https://aka.ms/adonlymanage.", "Tags": [ "Automated", "AuthZ", "Baseline", "SQLManagedInstance" ], "AssessmentProperties": { "AssessmentNames": [ "e2750e59-9a37-4ad5-b584-013932d9682d" ], "AssessmentStatusMappings": [ { "AssessmentStatusCode": "NotApplicable", "EffectiveVerificationResult": "Failed", "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*", "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed." } ] }, "Enabled": false, "CustomTags": [ "Daily", "MCSB" ] }, { "ControlID": "Azure_SQLManagedInstance_SI_Resolve_Vulnerability_Findings_MCSB", "Description": "[MCSB] SQL ManagedInstance must have vulnerability findings resolved", "Id": "SQLManagedInstance180", "ControlSeverity": "High", "Automated": "Yes", "ControlScanSource": "MDC", "DisplayName": "[MCSB] SQL ManagedInstance must have vulnerability findings resolved", "Category": "Vulnerabilities must be remediated", "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance", "Rationale": "SQL Vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.", "Recommendation": "Please refer:https://learn.microsoft.com/en-us/azure/defender-for-cloud/sql-azure-vulnerability-assessment-manage?tabs=express", "Tags": [ "Automated", "SI", "Baseline", "SQLManagedInstance" ], "AssessmentProperties": { "AssessmentNames": [ "82e20e14-edc5-4373-bfc4-f13121257c37" ], "AssessmentStatusMappings": [ { "AssessmentStatusCode": "NotApplicable", "EffectiveVerificationResult": "Failed", "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*", "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed." } ] } }, { "ControlID": "Azure_SQLManagedInstance_AuthN_Use_AAD_Only_KR51", "Description": "[KR51] Azure SQL Managed Instance must only have AAD based Authentication enabled.", "Id": "SQLManagedInstance190", "ControlSeverity": "Medium", "Automated": "Yes", "ControlScanSource": "Policy", "DisplayName": "[KR51] Azure SQL Managed Instance must only have AAD based Authentication enabled.", "Category": "Authentication must be enabled on all user accounts and services", "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms", "Rationale": "Disabling local authentication methods and allowing only Azure Active Directory Authentication improves security by ensuring that Azure SQL Managed Instances can exclusively be accessed by Azure Active Directory identities. Learn more at: aka.ms/adonlycreate.", "Recommendation": "To enable Azure Active Directory Only Authentication for Azure SQL Managed Instance: 1. Use the following CLI commands: 'az sql mi ad-only-auth enable --resource-group myresource --name myserver' 2. Use the following Powershell commands 'Enable-AzSqlInstanceActiveDirectoryOnlyAuthentication -InstanceName myinstance -ResourceGroupName myresource' 3. More details on https://aka.ms/adonlymanage.", "Tags": [ "Baseline", "Automated", "AuthN", "SQLManagedInstance" ], "CustomPolicyProperties": { "PolicyDefinitionandAssignmentIdMapping": [ { "PolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/78215662-041e-49ed-a9dd-5385911b3a1f", "AssignmentId": "" } ] }, "CustomDeploymentPolicyProperties": { "PolicyDefinitonMappings": [ { "EffectType": "Deny", "DefinitionType": "Definition", "DisplayName": "Azure SQL Managed Instance authentication mode should be Azure Active Directory Only", "Description": "Disabling local authentication methods and allowing only Azure Active Directory Authentication improves security by ensuring that Azure SQL Managed Instances can exclusively be accessed by Azure Active Directory identities. Learn more at: aka.ms/adonlycreate.", "Id": "/providers/Microsoft.Authorization/policyDefinitions/78215662-041e-49ed-a9dd-5385911b3a1f" } ] }, "Enabled": false, "CustomTags": [ "KR51", "Daily" ] }, { "ControlID": "Azure_SQLManagedInstance_Enable_Audit_Logs", "Description": "Audit logs must be enabled for SQL Managed Instance", "Id": "SQLManagedInstance200", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckDiagnosticsSettings", "DisplayName": "Audit logs must be enabled for SQL Managed Instance", "Category": "Monitoring must be correctly configured", "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance", "Rationale": "Auditing logs must be enabled as they provide details for investigation in case of a security breach for threats (e.g., SQL injection).", "Recommendation": "To Configure 'Diagnostic settings' for SQL Managed Instance, go to Azure Portal --> Your SQL Managed Instance --> Diagnostic settings --> Enable both Devops operations Audit logs and SQL Security Audit Event", "Tags": [ "Automated", "Audit", "Diagnostics", "SQLManagedInstance", "Baseline" ], "ControlEvaluationDetails": { "RequiredProperties": [ "DiagnosticSettings" ] }, "Enabled": true, "ControlSettings": { "DiagnosticForeverRetentionValue": "0", "DiagnosticMinRetentionPeriod": "90", "DiagnosticLogs": [ "DevOpsOperationsAudit", "SQLSecurityAuditEvents" ] }, "CustomTags": [ "Weekly" ] } ] } |