Azure CIS v2.0.0 - Section 4 - Database Services

Policy Settings

The Azure CIS v2.0.0 - Section 4 - Database Services policy pack has 36 policy settings:

| Policy | Setting | Note |
| --- | --- | --- |
| Azure > Cosmos DB > Database Account > Firewall | Check: Allow only approved virtual networks and IP ranges | Azure CIS v2.0.0 - Control: 4.5.1 |
| Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Required | Check: Required > Items | Azure CIS v2.0.0 - Control: 4.5.1 |
| Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Required > Items | `- "45.127.45.223"` `- "45.127.45.221"` | Azure CIS v2.0.0 - Control: 4.5.1 |
| Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Required | Check: Required > Items | Azure CIS v2.0.0 - Control: 4.5.1 |
| Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Required > Items | `- "/subscriptions/1234ae5d-678b-901d-2f34-56b7890fc1c2/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVirtualNetwork/subnets/mySubnet"` | Azure CIS v2.0.0 - Control: 4.5.1 |
| Azure > MySQL > Flexible Server > Encryption in Transit | Check: Enabled | Azure CIS v2.0.0 - Control: 4.4.1 |
| Azure > MySQL > Flexible Server > Minimum TLS Version | Check: TLS 1.2 | Azure CIS v2.0.0 - Control: 4.4.2 |
| Azure > MySQL > Server > Encryption in Transit | Check: Enabled | Azure CIS v2.0.0 - Control: 4.4.1 |
| Azure > Network > Network Security Group > Ingress Rules > Approved | Check: Approved | Azure CIS v2.0.0 - Control: 4.1.2 |
| Azure > Network > Network Security Group > Ingress Rules > Approved > Rules | `REJECT $.turbot.cidr:0.0.0.0/0` `APPROVE *` | Azure CIS v2.0.0 - Control: 4.1.2 |
| Azure > PostgreSQL > Flexible Server > Audit Logging | Check: Audit Logging > * | Azure CIS v2.0.0 - Control: 4.3.2 |
| Azure > PostgreSQL > Flexible Server > Audit Logging > Log Checkpoints | On | Azure CIS v2.0.0 - Control: 4.3.2 |
| Azure > PostgreSQL > Flexible Server > Encryption in Transit | Check: Enabled | Azure CIS v2.0.0 - Control: 4.3.1 |
| Azure > PostgreSQL > Server > Approved | Check: Approved | Azure CIS v2.0.0 - Control: 4.3.7 and 4.3.8 |
| Azure > PostgreSQL > Server > Approved > Custom | Calculated | Azure CIS v2.0.0 - Control: 4.3.7 and 4.3.8 |
| Azure > PostgreSQL > Server > Audit Logging | Check: Audit Logging > * | Azure CIS v2.0.0 - Control: 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7 and 4.3.8 |
| Azure > PostgreSQL > Server > Audit Logging > Connection Throttling | On | Azure CIS v2.0.0 - Control: 4.3.5 |
| Azure > PostgreSQL > Server > Audit Logging > Log Checkpoints | On | Azure CIS v2.0.0 - Control: 4.3.2 |
| Azure > PostgreSQL > Server > Audit Logging > Log Connections | On | Azure CIS v2.0.0 - Control: 4.3.3 |
| Azure > PostgreSQL > Server > Audit Logging > Log Disconnections | On | Azure CIS v2.0.0 - Control: 4.3.4 |
| Azure > PostgreSQL > Server > Audit Logging > Log Retention Days | >= 4 Days | Azure CIS v2.0.0 - Control: 4.3.6 |
| Azure > PostgreSQL > Server > Encryption in Transit | Check: Enabled | Azure CIS v2.0.0 - Control: 4.3.1 |
| Azure > SQL > Database > Encryption at Rest | Check: Enabled | Azure CIS v2.0.0 - Control: 4.1.5 |
| Azure > SQL > Server > Active Directory Administrator | Check: Enabled to Active Directory Administrator > Name | Azure CIS v2.0.0 - Control: 4.1.4 |
| Azure > SQL > Server > Active Directory Administrator > Name | myAdminUser | Azure CIS v2.0.0 - Control: 4.1.4 |
| Azure > SQL > Server > Advanced Data Security | Check: Enabled | Azure CIS v2.0.0 - Control: 4.2.1, 4.2.2, 4.2.3, 4.2.4 and 4.2.5 |
| Azure > SQL > Server > Advanced Data Security > Threat Protection > Email Addresses | `- "email@example.com"` | Azure CIS v2.0.0 - Control: 4.2.1 |
| Azure > SQL > Server > Advanced Data Security > Threat Protection > Notify Admins | Enabled | Azure CIS v2.0.0 - Control: 4.2.1 |
| Azure > SQL > Server > Advanced Data Security > Threat Protection > Types | `- "SQL Injection"` `- "SQL Injection Vulnerability"` `- "Data Exfiltration"` `- "Unsafe Action"` `- "Access Anomaly"` `- "Brute Force"` | Azure CIS v2.0.0 - Control: 4.2.1 |
| Azure > SQL > Server > Advanced Data Security > Vulnerability Assessment > Periodic Scans | Enabled | Azure CIS v2.0.0 - Control: 4.2.3 |
| Azure > SQL > Server > Advanced Data Security > Vulnerability Assessment > Periodic Scans > Email Addresses | `- "email@example.com"` | Azure CIS v2.0.0 - Control: 4.2.4 |
| Azure > SQL > Server > Advanced Data Security > Vulnerability Assessment > Periodic Scans > Notify Admins | Enabled | Azure CIS v2.0.0 - Control: 4.2.5 |
| Azure > SQL > Server > Advanced Data Security > Vulnerability Assessment > Storage Account | mystorageaccount | Azure CIS v2.0.0 - Control: 4.2.2 |
| Azure > SQL > Server > Auditing | Check: Enabled | Azure CIS v2.0.0 - Control: 4.1.1 and 4.1.6 |
| Azure > SQL > Server > Auditing > Retention Days | 90 | Azure CIS v2.0.0 - Control: 4.1.1 and 4.1.6 |
| Azure > SQL > Server > Auditing > Storage Account | mystorageaccount | Azure CIS v2.0.0 - Control: 4.1.1 and 4.1.6 |