Benchmark: SQL
Description
This benchmark provides a set of controls that detect Terraform Azure SQL resources deviating from security best practices.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-terraform-azure-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select SQL.
Run this benchmark in your terminal:
powerpipe benchmark run terraform_azure_compliance.benchmark.sql
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run terraform_azure_compliance.benchmark.sql --share
Controls
- Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP)
- SQL databases ledger should be enabled
- SQL databases should have log monitoring enabled
- Long-term geo-redundant backup should be enabled for Azure SQL Databases
- Azure Defender for Azure SQL Database servers should be enabled
- SQL databases should be zone redundant
- Ensure that Azure Active Directory Admin is configured
- Public network access on Azure SQL Database should be disabled
- SQL servers should have Administrator Email Security Alert enabled
- SQL servers should have all Security Alerts enabled
- Ensure that Advanced Threat Protection (ATP) on a SQL server is set to 'Enabled'
- SQL servers with auditing to storage account destination should be configured with 90 days retention or higher
- An Azure Active Directory administrator should be provisioned for SQL servers
- Azure Defender for SQL should be enabled for unprotected Azure SQL servers
- SQL servers should have Email Security Alert enabled
- SQL servers should use the latest TLS version 1.2
- Azure Defender for SQL servers on machines should be enabled
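What these controls look for in practice, as an added example that is not part of the mod or of this page: a Terraform file with a SQL server whose settings would fail several of the controls above (no TLS floor, public network access left on, no Azure AD administrator, short auditing retention, and a firewall rule admitting any IPv4 source), followed by a hardened server, database and alert policy written the way the controls expect. Resource names, the resource group, storage account, region, alert e-mail address and the Azure AD object and tenant IDs are placeholders assumed for the example; the `azurerm` provider attribute names are the real ones.

```hcl
# Constructed example, not code from the mod or the page.
# The "weak" resources fail controls in this benchmark; the "hardened"
# resources are the same server and database with the settings the
# controls check for.

# Before: nothing pins TLS, public access is the default (true), no AAD admin.
resource "azurerm_mssql_server" "weak" {
  name                         = "sql-weak-example"        # placeholder name
  resource_group_name          = azurerm_resource_group.example.name
  location                     = "eastus"
  version                      = "12.0"
  administrator_login          = "sqladmin"
  administrator_login_password = var.sql_admin_password
  # minimum_tls_version omitted: clients may negotiate TLS 1.0 or 1.1
  # public_network_access_enabled omitted: defaults to true
}

# Flagged: 0.0.0.0 to 255.255.255.255 is ingress from ANY IP.
resource "azurerm_mssql_firewall_rule" "any_ip" {
  name             = "allow-all"
  server_id        = azurerm_mssql_server.weak.id
  start_ip_address = "0.0.0.0"
  end_ip_address   = "255.255.255.255"
}

# Flagged: auditing to a storage account retained for less than 90 days.
resource "azurerm_mssql_server_extended_auditing_policy" "weak" {
  server_id         = azurerm_mssql_server.weak.id
  storage_endpoint  = azurerm_storage_account.audit.primary_blob_endpoint
  retention_in_days = 30
}

# After: TLS 1.2 floor, public access off, Azure AD administrator provisioned.
resource "azurerm_mssql_server" "hardened" {
  name                          = "sql-hardened-example"   # placeholder name
  resource_group_name           = azurerm_resource_group.example.name
  location                      = "eastus"
  version                       = "12.0"
  administrator_login           = "sqladmin"
  administrator_login_password  = var.sql_admin_password
  minimum_tls_version           = "1.2"
  public_network_access_enabled = false   # reach the server over a private endpoint

  azuread_administrator {
    login_username = "sql-admins"                             # placeholder group
    object_id      = "00000000-0000-0000-0000-000000000000"   # placeholder
    tenant_id      = "00000000-0000-0000-0000-000000000000"   # placeholder
  }
}

# Auditing retained for the 90 days the control requires.
resource "azurerm_mssql_server_extended_auditing_policy" "hardened" {
  server_id         = azurerm_mssql_server.hardened.id
  storage_endpoint  = azurerm_storage_account.audit.primary_blob_endpoint
  retention_in_days = 90
}

# Security alerts on, sent to the account admins and a monitored mailbox;
# disabled_alerts is left unset so every alert category stays enabled.
resource "azurerm_mssql_server_security_alert_policy" "hardened" {
  resource_group_name  = azurerm_resource_group.example.name
  server_name          = azurerm_mssql_server.hardened.name
  state                = "Enabled"
  email_account_admins = true
  email_addresses      = ["secops@example.com"]   # placeholder address
  retention_days       = 90
}

# Database: zone redundant (needs a Premium or Business Critical SKU),
# ledger enabled, and a long-term backup retention policy defined.
resource "azurerm_mssql_database" "hardened" {
  name           = "appdb"                         # placeholder name
  server_id      = azurerm_mssql_server.hardened.id
  sku_name       = "P1"
  zone_redundant = true
  ledger_enabled = true

  long_term_retention_policy {
    weekly_retention = "P12W"
  }
}
```

Running `powerpipe benchmark run terraform_azure_compliance.benchmark.sql` in a directory where the Steampipe Terraform plugin is pointed at this file reports the `weak` resources as alarms and the `hardened` ones as ok; the controls that depend on Azure Defender pricing tiers are not exercised by this file, since they are configured on the subscription rather than on the SQL resources shown here.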