Control: Azure > CIS v2.0 > 04 - Database Services

Primary Policies

The following policies can be used to configure this control:

• 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.01 - Ensure that 'Auditing' is set to 'On'
• 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.02 - Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
• 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.03 - Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key
• 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.04 - Ensure that Azure Active Directory Admin is Configured for SQL Servers
• 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.05 - Ensure that 'Data encryption' is set to 'On' on a SQL Database
• 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.06 - Ensure that 'Auditing' Retention is 'greater than 90 days'
• 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.01 - Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers
• 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.02 - Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account
• 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.03 - Ensure that Vulnerability Assessment (VA) setting 'Periodic recurring scans' is set to 'on' for each SQL server
• 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.04 - Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server
• 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.05 - Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server
• 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.01 - Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
• 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.02 - Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
• 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.03 - Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server
• 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.04 - Ensure Server Parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server
• 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.05 - Ensure Server Parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
• 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.06 - Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
• 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.07 - Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled
• 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.08 - Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled'
• 04 - Database Services > 4.04 - MySQL Database > 4.04.01 - Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server
• 04 - Database Services > 4.04 - MySQL Database > 4.04.02 - Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server
• 04 - Database Services > 4.04 - MySQL Database > 4.04.03 - Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL Database Server
• 04 - Database Services > 4.04 - MySQL Database > 4.04.04 - Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL Database Server
• 04 - Database Services > 4.05 - Cosmos DB > 4.05.01 - Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks
• 04 - Database Services > 4.05 - Cosmos DB > 4.05.02 - Ensure That Private Endpoints Are Used Where Possible
• 04 - Database Services > 4.05 - Cosmos DB > 4.05.03 - Use Azure Active Directory (AAD) Client Authentication and Azure RBAC where possible
• 04 - Database Services > 4.05 - Cosmos DB > 4.05.03 - Use Azure Active Directory (AAD) Client Authentication and Azure RBAC where possible > Attestation
• 04 - Database Services
• 04 - Database Services > 4.01 SQL Server - Auditing
• 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL
• 04 - Database Services > 4.03 PostgreSQL Database Server
• 04 - Database Services > 4.04 - MySQL Database
• 04 - Database Services > 4.05 - Cosmos DB
• 04 - Database Services > Maximum Attestation Duration

Category

• CIS

In Your Workspace

• Controls by Resource report
• Controls by Control Type report

Developers

Control Type URI

tmod:@turbot/azure-cisv2-0#/control/types/s04

Category URI

tmod:@turbot/cis#/control/categories/cis

GraphQL

query controlType(id: "tmod:@turbot/azure-cisv2-0#/control/types/s04") { … }

query controls(filter: "controlTypeId:'tmod:@turbot/azure-cisv2-0#/control/types/s04'") { … }

CLI

Get Controls

turbot graphql controls --filter "controlTypeId:tmod:@turbot/azure-cisv2-0#/control/types/s04"