Resource Type: Azure > SQL > Server

Resource Context

Server is a part of the SQL service.

Each Server lives under a Resource Group.

Controls

The primary controls for Azure > SQL > Server are:

• Active
• Active Directory Administrator
• Advanced Data Security
• Allowed
• Approved
• Auditing
• CMDB
• Discovery
• Firewall
• Intelligent Assessment
• ServiceNow
• Tags

It is also targeted by these controls:

• Azure > CIS v1 > 4 Database Services > 4.01 Ensure that 'Auditing' is set to 'On' (Scored)
• Azure > CIS v1 > 4 Database Services > 4.02 Ensure that 'AuditActionGroups' in 'auditing' policy for a SQL server is set properly (Scored)
• Azure > CIS v1 > 4 Database Services > 4.03 Ensure that 'Auditing' Retention is 'greater than 90 days' (Scored)
• Azure > CIS v1 > 4 Database Services > 4.04 Ensure that 'Advanced Data Security' on a SQL server is set to 'On' (Scored)
• Azure > CIS v1 > 4 Database Services > 4.05 Ensure that 'Threat Detection types' is set to 'All' (Scored)
• Azure > CIS v1 > 4 Database Services > 4.06 Ensure that 'Send alerts to' is set (Scored)
• Azure > CIS v1 > 4 Database Services > 4.07 Ensure that 'Email service and co-administrators' is 'Enabled' (Scored)
• Azure > CIS v1 > 4 Database Services > 4.08 Ensure that Azure Active Directory Admin is configured (Scored)
• Azure > CIS v1 > 4 Database Services > 4.10 Ensure SQL server's TDE protector is encrypted with BYOK (Use your own key) (Scored)
• Azure > CIS v1 > 6 Networking > 6.03 Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP) (Scored)
• Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.01 - Ensure that 'Auditing' is set to 'On'
• Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.02 - Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
• Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.03 - Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key
• Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.04 - Ensure that Azure Active Directory Admin is Configured for SQL Servers
• Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.06 - Ensure that 'Auditing' Retention is 'greater than 90 days'
• Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.01 - Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers
• Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.02 - Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account
• Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.03 - Ensure that Vulnerability Assessment (VA) setting 'Periodic recurring scans' is set to 'on' for each SQL server
• Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.04 - Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server
• Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.05 - Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server
• Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.01 - Ensure that 'Auditing' is set to 'On'
• Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.02 - Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
• Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.03 - Ensure SQL Server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key
• Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.04 - Ensure that Microsoft Entra authentication is Configured for SQL Servers
• Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.06 - Ensure that 'Auditing' Retention is 'greater than 90 days'
• Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.07 - Ensure Public Network Access is Disabled
• Azure > SQL > Database > Discovery
• Azure > SQL > Elastic Pool > Discovery

Quick Actions

• Delete
• Router
• Set Tags
• Update Active Directory Administrator
• Update Advanced Data Security
• Update Auditing
• Update Firewall IP Ranges

Category

• Database

In Your Workspace

• Controls by Resource Type report
• Policy Settings by Resource Type report
• Resources by Resource Type report

Developers

Resource Type URI

tmod:@turbot/azure-sql#/resource/types/server

Category URI

tmod:@turbot/turbot#/resource/categories/database

GraphQL

query resource(id: "tmod:@turbot/azure-sql#/resource/types/server") { … }

query resourceActivities(filter: "resourceId:'tmod:@turbot/azure-sql#/resource/types/server'") { … }

mutation createResource(input: { … })

mutation updateResource(input: { … })

CLI

Get Resource

turbot graphql resource --id "tmod:@turbot/azure-sql#/resource/types/server"

Steampipe Query

Get Resource

select * from guardrails_resource where resource_type_uri = 'tmod:@turbot/azure-sql#/resource/types/server';

Get Policy Settings (By Resource ID)

select * from guardrails_policy_setting where filter = 'resourceTypeId:"tmod:@turbot/azure-sql#/resource/types/server"';

Get Resource Notification

select * from guardrails_notification where resource_type_uri = 'tmod:@turbot/azure-sql#/resource/types/server' and notification_type in ('resource_updated', 'resource_created');