Policy: Azure > CIS v3.0 > 05 - Database Services
Covers security recommendations to follow to set general database services policies on an Azure Subscription. Subsections will address specific database types.
Targets
This policy targets the following resource types:
Primary Policy
This policy is used with the following primary policy:
Related Policies
- 05.01 - Azure SQL Database
- 05.02 - Azure Database for PostgreSQL
- 05.03 - Azure Database for MySQL
- 05.04 - Azure Cosmos DB
- Maximum Attestation Duration
Controls
Setting this policy configures these controls:
- Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.01 - Ensure that 'Auditing' is set to 'On'
- Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.02 - Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
- Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.03 - Ensure SQL Server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key
- Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.04 - Ensure that Microsoft Entra authentication is Configured for SQL Servers
- Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.05 - Ensure that 'Data encryption' is set to 'On' on a SQL Database
- Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.06 - Ensure that 'Auditing' Retention is 'greater than 90 days'
- Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.07 - Ensure Public Network Access is Disabled
- Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.01 - Ensure server parameter 'require_secure_transport' is set to 'ON' for PostgreSQL flexible server
- Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.02 - Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL flexible server
- Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.03 - Ensure server parameter 'connection_throttle.enable' is set to 'ON' for PostgreSQL flexible server
- Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.04 - Ensure server parameter 'logfiles.retention_days' is greater than 3 days for PostgreSQL flexible server
- Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.05 - Ensure 'Allow public access from any Azure service within Azure to this server' for PostgreSQL flexible server is disabled
- Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.06 - [LEGACY] Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL single server
- Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.07 - [LEGACY] Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL single server
- Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.08 - [LEGACY] Ensure 'Infrastructure double encryption' for PostgreSQL single server is 'Enabled'
- Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL > 05.03.01 - Ensure server parameter 'require_secure_transport' is set to 'ON' for MySQL flexible server
- Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL > 05.03.02 - Ensure server parameter 'tls_version' is set to 'TLSv1.2' (or higher) for MySQL flexible server
- Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL > 05.03.03 - Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL flexible server
- Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL > 05.03.04 - Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL flexible server
- Azure > CIS v3.0 > 05 - Database Services > 05.04 - Azure Cosmos DB > 05.04.01 - Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks
- Azure > CIS v3.0 > 05 - Database Services > 05.04 - Azure Cosmos DB > 05.04.02 - Ensure That Private Endpoints Are Used Where Possible
- Azure > CIS v3.0 > 05 - Database Services > 05.04 - Azure Cosmos DB > 05.04.03 - Use Entra ID Client Authentication and Azure RBAC where possible
Policy Specification
Schema Type | |
|---|---|
Default | |
Valid Values [YAML] |
|
Examples [YAML] |
|
Category
In Your Workspace
Developers
- tmod:@turbot/cis#/control/categories/cis
- tmod:@turbot/azure-cisv3-0#/policy/types/s05
- turbot graphql policy-type --id "tmod:@turbot/azure-cisv3-0#/policy/types/s05"
- turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/azure-cisv3-0#/policy/types/s05"
Get Policy TypeGet Policy Settings
Category URI
Policy Type URI
GraphQL
CLI