Benchmark: SQL
Description
This section contains recommendations for configuring SQL resources.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-azure-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select SQL.
Run this benchmark in your terminal:
powerpipe benchmark run azure_compliance.benchmark.all_controls_sql
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run azure_compliance.benchmark.all_controls_sql --share
Controls
- Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP)
- Long-term geo-redundant backup should be enabled for Azure SQL Databases
- SQL databases transparent data encryption should be enabled
- SQL databases should have vulnerability findings resolved
- Ensure that Azure Active Directory Admin is configured
- Public network access on Azure SQL Database should be disabled
- Vulnerability assessment should be enabled on your SQL servers
- Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers
- Auditing on SQL server should be enabled
- Ensure that 'Auditing' Retention is 'greater than 90 days'
- SQL servers with auditing to storage account destination should be configured with 90 days retention or higher
- An Azure Active Directory administrator should be provisioned for SQL servers
- Azure Defender for SQL should be enabled for unprotected Azure SQL servers
- SQL servers should use customer-managed keys to encrypt data at rest
- SQL server threat detection should be enabled for all
- Transparent Data Encryption on SQL databases should be enabled
- SQL Server should use a virtual network service endpoint
- Private endpoint connections on Azure SQL Database should be enabled
- Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server
- Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server
- Ensure that VA setting 'Send scan reports to' is configured for a SQL server