Ensure that SQL Database Auditing Retention is greater than 90 days

SQL Server Audit Retention should be configured to be greater than 90 days. Audit Logs can be used to check for anomalies and give insight into suspected breaches or misuse of information and access.

Risk Level: Low
Cloud Entity: Azure SQL Database
CloudGuard Rule ID: D9.AZU.MON.48
Covered by Spectral: No
Category: Database

GSL LOGIC

SQLDB should have auditing.retentionDays>90

REMEDIATION

From Portal

  1. Sign in to Azure Management Console
  2. Go to 'SQL Database'
  3. For each Database, click on Auditing
  4. Select Storage Details and set Retention (days) setting greater than 90 days
  5. Select Save.

From TF
Set the 'retention_in_days' arguments under 'azurerm_sql_database' as below:

resource "azurerm_sql_database" "example" {
	...
	retention_in_days    = "NumberOfRetentionDays"
	...
}

From Command Line
Run

az sql db audit-policy update --resource-group RESOURCEGROUPNAME --name DBNAME --state Enabled --bsts Enabled --storage-account STORAGEACCOUNTNAME --retention-days NUMBEROFDAYS

NOTE : NUMBEROFDAYS should be greater than 90 days

References

  1. https://learn.microsoft.com/en-us/azure/azure-sql/database/auditing-overview?view=azuresql
  2. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sql_database#retention_in_days
  3. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sql_server
  4. https://docs.microsoft.com/en-us/cli/azure/sql/db/audit-policy?view=azure-cli-latest#az_sql_db_audit_policy_update

Azure SQL Database

Azure SQL Database is the intelligent, fully managed relational cloud database service that provides the broadest SQL Server engine compatibility, so you can migrate your SQL Server databases without changing your apps. Accelerate app development and make maintenance easy and productive using the SQL tools you love to use. Take advantage of built-in intelligence that learns app patterns and adapts to maximize performance, reliability, and data protection.

Compliance Frameworks

  • AZU PCI-DSS 4.0
  • Azure CloudGuard Best Practices
  • Azure HITRUST v9.5.0
  • Azure ITSG-33
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset