Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server
Configure 'Send scan reports to' with email ids of concerned data owners/stakeholders for a critical SQL servers.
Risk Level: Low
Cloud Entity: SQL Server on Virtual Machines
CloudGuard Rule ID: D9.AZU.MON.64
Covered by Spectral: No
Category: Compute
GSL LOGIC
SQLServer should not have vulnerabilityAssessments contain [ recurringScansProperties.emails isEmpty() ]
REMEDIATION
From Portal
- Go to SQL servers.
- Select a server instance
- Click on Security Center
- Ensure that Azure Defender for SQL is set to Enabled.
- Select Configure next to Enabled at subscription-level.
- In Section Vulnerability Assessment Settings, configure Storage Accounts if not already.
- Configure email ids for concerned data owners/stakeholders at 'Send scan reports to'.
- Click Save.
From TF
Set the 'emails' argument under 'recurring_scans' as below:
resource "azurerm_mssql_server_vulnerability_assessment" "example" {
...
recurring_scans {
enabled = true
email_subscription_admins = true
emails = [
"[email protected]",
"[email protected]"
]
...
}
}
From Command Line
Run the below command to reconfigure the SQL server to enable Vulnerability Assessment (VA) Settings-
Update-AzSqlServerVulnerabilityAssessmentSetting -ServerName SERVERNAME -ResourceGroupName RESOURCEGROUPNAME -StorageAccountName STORAGEACCOUNTNAME -RecurringScansInterval Weekly -EmailAdmins $true -NotificationEmail EMAILID
References
- https://learn.microsoft.com/en-us/azure/azure-sql/database/sql-vulnerability-assessment?view=azuresql&tabs=azure-powershell
- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_server_vulnerability_assessment#emails
- https://learn.microsoft.com/en-us/powershell/module/az.sql/update-azsqlservervulnerabilityassessmentsetting?view=azps-8.3.0
SQL Server on Virtual Machines
SQL Server on Azure virtual machines enables you to use full versions of SQL Server in the Cloud without having to manage any on-premises hardware. SQL Server VMs also simplify licensing costs when you pay as you go.
Azure virtual machines run in many different geographic regions around the world. They also offer a variety of machine sizes. The virtual machine image gallery allows you to create a SQL Server VM with the right version, edition, and operating system. This makes virtual machines a good option for a many different SQL Server workloads.
Compliance Frameworks
- Azure CIS Foundations v. 1.2.0
- Azure CIS Foundations v. 1.3.0
- Azure CIS Foundations v. 1.3.1
- Azure CIS Foundations v. 1.4.0
- Azure CIS Foundations v. 1.5.0
- Azure CIS Foundations v.2.0
- Azure CloudGuard Best Practices
- Azure NIST 800-53 Rev 5
- CloudGuard Azure All Rules Ruleset
Updated over 1 year ago