Skip to main content

๐Ÿ’ผ 4 Database Services

  • Contextual name: ๐Ÿ’ผ 4 Database Services
  • ID: /frameworks/cis-azure-v1.5.0/04
  • Located in: ๐Ÿ’ผ CIS Azure v1.5.0

Descriptionโ€‹

This section covers security recommendations to follow to set general database services policies on an Azure Subscription. Subsections will address specific database types.

Similarโ€‹

Sub Sectionsโ€‹

SectionSub SectionsInternal RulesPoliciesFlags
๐Ÿ’ผ 4.1 SQL Server - Auditing6
ย ย ย ย ๐Ÿ’ผ 4.1.1 Ensure that 'Auditing' is set to 'On' - Level 1 (Automated)11
ย ย ย ย ๐Ÿ’ผ 4.1.2 Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) - Level 1 (Automated)11
ย ย ย ย ๐Ÿ’ผ 4.1.3 Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key - Level 2 (Automated)11
ย ย ย ย ๐Ÿ’ผ 4.1.4 Ensure that Azure Active Directory Admin is Configured for SQL Servers - Level 1 (Automated)11
ย ย ย ย ๐Ÿ’ผ 4.1.5 Ensure that 'Data encryption' is set to 'On' on a SQL Database - Level 1 (Automated)
ย ย ย ย ๐Ÿ’ผ 4.1.6 Ensure that 'Auditing' Retention is 'greater than 90 days' - Level 1 (Automated)11
๐Ÿ’ผ 4.2 SQL Server - Microsoft Defender for SQL5
ย ย ย ย ๐Ÿ’ผ 4.2.1 Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers - Level 2 (Automated)
ย ย ย ย ๐Ÿ’ผ 4.2.2 Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account - Level 2 (Automated)
ย ย ย ย ๐Ÿ’ผ 4.2.3 Ensure that Vulnerability Assessment (VA) setting 'Periodic recurring scans' is set to 'on' for each SQL server - Level 2 (Automated)
ย ย ย ย ๐Ÿ’ผ 4.2.4 Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server - Level 2 (Automated)
ย ย ย ย ๐Ÿ’ผ 4.2.5 Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server - Level 1 (Automated)
๐Ÿ’ผ 4.3 PostgreSQL Database Server8
ย ย ย ย ๐Ÿ’ผ 4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server - Level 1 (Automated)11
ย ย ย ย ๐Ÿ’ผ 4.3.2 Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server - Level 1 (Automated)11
ย ย ย ย ๐Ÿ’ผ 4.3.3 Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server - Level 1 (Automated)11
ย ย ย ย ๐Ÿ’ผ 4.3.4 Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server - Level 1 (Automated)11
ย ย ย ย ๐Ÿ’ผ 4.3.5 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server - Level 1 (Automated)11
ย ย ย ย ๐Ÿ’ผ 4.3.6 Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server - Level 1 (Automated)11
ย ย ย ย ๐Ÿ’ผ 4.3.7 Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled - Level 1 (Manual)11
ย ย ย ย ๐Ÿ’ผ 4.3.8 Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled' - Level 1 (Automated)11
๐Ÿ’ผ 4.4 MySQL Database4
ย ย ย ย ๐Ÿ’ผ 4.4.1 Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server - Level 1 (Automated)11
ย ย ย ย ๐Ÿ’ผ 4.4.2 Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server - Level 1 (Automated)11
ย ย ย ย ๐Ÿ’ผ 4.4.3 Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL Database Server - Level 2 (Manual)
ย ย ย ย ๐Ÿ’ผ 4.4.4 Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL Database Server - Level 2 (Manual)
๐Ÿ’ผ 4.5 Cosmos DB2
ย ย ย ย ๐Ÿ’ผ 4.5.1 Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks - Level 2 (Manual)
ย ย ย ย ๐Ÿ’ผ 4.5.2 Ensure That Private Endpoints Are Used Where Possible - Level 2 (Manual)