💼 5 Database Services

  • Contextual name: 💼 5 Database Services
  • ID: /frameworks/cis-azure-v3.0.0/05
  • Located in: 💼 CIS Azure v3.0.0

Description

This section covers security recommendations for setting general database services policies on an Azure Subscription. Subsections address specific database types.

Sub Sections

Section   Sub Sections   Internal Rules   Policies   Flags
💼 5.1 Azure SQL Database   7
    💼 5.1.1 Ensure that 'Auditing' is set to 'On' (Automated)   1
    💼 5.1.2 Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) (Automated)   1
    💼 5.1.3 Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key (Automated)   1
    💼 5.1.4 Ensure that Microsoft Entra authentication is Configured for SQL Servers (Automated)   1
    💼 5.1.5 Ensure that 'Data encryption' is set to 'On' on a SQL Database (Automated)   1
    💼 5.1.6 Ensure that 'Auditing' Retention is 'greater than 90 days' (Automated)   1
    💼 5.1.7 Ensure Public Network Access is Disabled (Manual)   1
💼 5.2 Azure Database for PostgreSQL   8
    💼 5.2.1 Ensure server parameter 'require_secure_transport' is set to 'ON' for PostgreSQL flexible server (Automated)   1
    💼 5.2.2 Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL flexible server (Automated)   1
    💼 5.2.3 Ensure server parameter 'connection_throttle.enable' is set to 'ON' for PostgreSQL flexible server (Automated)   1
    💼 5.2.4 Ensure server parameter 'logfiles.retention_days' is greater than 3 days for PostgreSQL flexible server (Automated)   1
    💼 5.2.5 Ensure 'Allow public access from any Azure service within Azure to this server' for PostgreSQL flexible server is disabled (Automated)   1
    💼 5.2.6 [LEGACY] Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL single server (Automated)   1
    💼 5.2.7 [LEGACY] Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL single server (Automated)   1
    💼 5.2.8 [LEGACY] Ensure 'Infrastructure double encryption' for PostgreSQL single server is 'Enabled' (Automated)   1
💼 5.3 Azure Database for MySQL   4
    💼 5.3.1 Ensure server parameter 'require_secure_transport' is set to 'ON' for MySQL flexible server (Automated)   1
    💼 5.3.2 Ensure server parameter 'tls_version' is set to 'TLSv1.2' (or higher) for MySQL flexible server (Automated)   1
    💼 5.3.3 Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL flexible server (Automated)   1
    💼 5.3.4 Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL flexible server (Automated)   1
💼 5.4 Azure Cosmos DB   3
    💼 5.4.1 Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks (Automated)   1
    💼 5.4.2 Ensure That Private Endpoints Are Used Where Possible (Automated)   1
    💼 5.4.3 Use Entra ID Client Authentication and Azure RBAC where possible (Manual)   1