💼 4 Database Services

  • Contextual name: 💼 4 Database Services
  • ID: /frameworks/cis-azure-v1.3.0/04
  • Located in: 💼 CIS Azure v1.3.0

Description

This section covers security recommendations to follow to set general database services policies on an Azure Subscription. Subsections will address specific database types.

Similar

  • Internal
    • ID: dec-b-914240ad

Sub Sections

Section | Sub Sections | Internal Rules | Policies | Flags
💼 4.1 SQL Server - Auditing  3
    💼 4.1.1 Ensure that 'Auditing' is set to 'On' - Level 1 (Automated)  11
    💼 4.1.2 Ensure that 'Data encryption' is set to 'On' on a SQL Database - Level 1 (Automated)
    💼 4.1.3 Ensure that 'Auditing' Retention is 'greater than 90 days' - Level 1 (Automated)  11
💼 4.2 SQL Server - Azure Defender for SQL  5
    💼 4.2.1 Ensure that Advanced Threat Protection (ATP) on a SQL server is set to 'Enabled' - Level 2 (Automated)
    💼 4.2.2 Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account - Level 2 (Automated)
    💼 4.2.3 Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server - Level 2 (Automated)
    💼 4.2.4 Ensure that VA setting Send scan reports to is configured for a SQL server - Level 2 (Automated)
    💼 4.2.5 Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server - Level 2 (Automated)
💼 4.3 PostgreSQL Database Server  8
    💼 4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server - Level 1 (Automated)  11
    💼 4.3.2 Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server - Level 1 (Automated)  11
    💼 4.3.3 Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server - Level 1 (Automated)  11
    💼 4.3.4 Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server - Level 1 (Automated)  11
    💼 4.3.5 Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server - Level 1 (Automated)  11
    💼 4.3.6 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server - Level 1 (Automated)  11
    💼 4.3.7 Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server - Level 1 (Automated)  11
    💼 4.3.8 Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled - Level 1 (Manual)  11
💼 4.4 Ensure that Azure Active Directory Admin is configured - Level 1 (Automated)  11
💼 4.5 Ensure SQL server's TDE protector is encrypted with Customer-managed key - Level 2 (Automated)  11