💼 4 Database Services

  • Contextual name: 💼 4 Database Services
  • ID: /frameworks/cis-azure-v2.1.0/04
  • Located in: 💼 CIS Azure v2.1.0

Description

This section covers security recommendations to follow to set general database services policies on an Azure Subscription. Subsections will address specific database types.

Sub Sections

Section | Sub Sections | Internal Rules | Policies | Flags
💼 4.1 SQL Server - Auditing  6
    💼 4.1.1 Ensure that 'Auditing' is set to 'On' - Level 1 (Automated)  11
    💼 4.1.2 Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) - Level 1 (Automated)  11
    💼 4.1.3 Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key - Level 2 (Automated)  11
    💼 4.1.4 Ensure that Microsoft Entra authentication is Configured for SQL Servers - Level 1 (Automated)  11
    💼 4.1.5 Ensure that 'Data encryption' is set to 'On' on a SQL Database - Level 1 (Automated)  1
    💼 4.1.6 Ensure that 'Auditing' Retention is 'greater than 90 days' - Level 1 (Automated)  11
💼 4.3 PostgreSQL Database Server  8
    💼 4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server - Level 1 (Automated)  11
    💼 4.3.2 Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server - Level 1 (Automated)  11
    💼 4.3.3 Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server - Level 1 (Automated)  11
    💼 4.3.4 Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server - Level 1 (Automated)  11
    💼 4.3.5 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server - Level 1 (Automated)  11
    💼 4.3.6 Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server - Level 1 (Automated)  11
    💼 4.3.7 Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled - Level 1 (Automated)  11
    💼 4.3.8 Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled' - Level 1 (Automated)  11
💼 4.4 MySQL Database  4
    💼 4.4.1 Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server - Level 1 (Automated)  11
    💼 4.4.2 Ensure 'TLS Version' is set to 'TLSV1.2' (or higher) for MySQL flexible Database Server - Level 1 (Automated)
    💼 4.4.3 Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL Database Server - Level 2 (Manual)
    💼 4.4.4 Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL Database Server - Level 2 (Manual)
💼 4.5 Cosmos DB  3
    💼 4.5.1 Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks - Level 2 (Automated)  1
    💼 4.5.2 Ensure That Private Endpoints Are Used Where Possible - Level 2 (Automated)  11
    💼 4.5.3 Use Entra ID Client Authentication and Azure RBAC where possible. - Level 1 (Manual)  1