Best practice rules for SQL
- Check for Publicly Accessible SQL Servers
Ensure that Azure SQL database servers are accessible via private endpoints only.
- Check for Sufficient Point in Time Restore (PITR) Backup Retention Period
Ensure there is a sufficient PITR backup retention period configured for Azure SQL databases.
- Check for Unrestricted SQL Database Access
Ensure that no SQL databases allow unrestricted inbound access from 0.0.0.0/0 (any IP address).
- Configure "AuditActionGroup" for SQL Server Auditing
Ensure that the "AuditActionGroup" property is properly configured at the Azure SQL database server level.
- Configure Emails for Classic Vulnerability Assessment Scan Reports and Alerts
Configure Vulnerability Assessment scan reports and alerts via email for SQL database servers with classic configuration.
- Detect Create, Update, and Delete SQL Server Firewall Rule Events
SQL Server firewall rule changes have been detected in your Microsoft Azure cloud account.
- Enable Advanced Data Security for SQL Servers
Ensure that Advanced Data Security (ADS) is enabled at the Azure SQL database server level.
- Enable All Types of Threat Detection on SQL Servers
Enable all types of threat detection for your Microsoft Azure SQL database servers.
- Enable Auditing for SQL Servers
Ensure that database auditing is enabled at the Azure SQL database server level.
- Enable Auto-Failover Groups
Ensure that your Azure SQL database servers are configured to use auto-failover groups.
- Enable Automatic Tuning for SQL Database Servers
Ensure that the Automatic Tuning feature is enabled for Microsoft Azure SQL database servers.
- Enable Classic Vulnerability Assessment Email Notifications for Admins and Subscription Owners
Configure Vulnerability Assessment to send email notifications to admins and subscription owners using the classic configuration (Not Scored).
- Enable Transparent Data Encryption for SQL Databases
Ensure that Transparent Data Encryption (TDE) is enabled for every Azure SQL database.
- Enable Transparent Data Encryption for SQL Managed Instance using Customer-Managed Keys
Ensure that Azure SQL managed instances are encrypted at rest using Customer-Managed Keys (CMKs).
- Enable Vulnerability Assessment Periodic Recurring Scans
Ensure that Vulnerability Assessment Periodic Recurring Scans are enabled for SQL database servers (Not Scored).
- Enable Vulnerability Assessment for Microsoft SQL Servers
Ensure that Vulnerability Assessment is enabled for Microsoft SQL database servers (Not Scored).
- Minimum TLS Version
Ensure that "Minimum TLS version" is set to "TLS 1.2" for all Azure SQL managed instances.
- SQL Auditing Retention
Ensure that SQL database auditing has a sufficient log data retention period configured.
- Use BYOK for Transparent Data Encryption
Use Bring Your Own Key (BYOK) support for Transparent Data Encryption (TDE).
- Use Microsoft Entra Admin for SQL Authentication
Ensure that a Microsoft Entra admin is configured for SQL authentication.