Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server

Configure 'Send scan reports to' with the email IDs of the concerned data owners/stakeholders for critical SQL servers.

Risk Level: Low
Cloud Entity: SQL Server on Virtual Machines
CloudGuard Rule ID: D9.AZU.MON.64
Covered by Spectral: No
Category: Compute

GSL LOGIC

SQLServer should not have vulnerabilityAssessments contain [ recurringScansProperties.emails isEmpty() ]

REMEDIATION

From Portal

  1. Go to SQL servers.
  2. Select a server instance.
  3. Click on Security Center.
  4. Ensure that Azure Defender for SQL is set to Enabled.
  5. Select Configure next to Enabled at subscription-level.
  6. In the Vulnerability Assessment Settings section, configure Storage Accounts if not already configured.
  7. Configure email IDs for concerned data owners/stakeholders at 'Send scan reports to'.
  8. Click Save.

From TF
Set the 'emails' argument under 'recurring_scans' as below:

resource "azurerm_mssql_server_vulnerability_assessment" "example" {
	...
	recurring_scans {
		enabled                   = true
		email_subscription_admins = true
		# Placeholder addresses; replace with the data owners'/stakeholders' addresses
		emails = [
			"owner1@example.com",
			"owner2@example.com"
		]
		...
	}
}
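
To catch the same condition before deployment, the check below reads the JSON form of a Terraform plan (as produced by `terraform show -json`) and lists every azurerm_mssql_server_vulnerability_assessment resource whose recurring_scans.emails would be empty. It is an added example, not CloudGuard or Terraform code; the function names and the sample plan are constructed for illustration.

```python
RESOURCE_TYPE = "azurerm_mssql_server_vulnerability_assessment"

def iter_resources(module):
    """Yield every resource in a plan module, descending into child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def has_recipient(values):
    """True if any recurring_scans block lists at least one non-blank address."""
    for block in values.get("recurring_scans") or []:
        if any(isinstance(e, str) and e.strip() for e in block.get("emails") or []):
            return True
    return False

def find_missing_recipients(plan):
    """Return addresses of VA resources whose 'Send scan reports to' would be empty.

    Mirrors the rule above: only 'emails' is checked, so a resource that relies
    solely on email_subscription_admins is still reported.
    """
    root = plan.get("planned_values", {}).get("root_module", {})
    return sorted(
        r["address"] for r in iter_resources(root)
        if r.get("type") == RESOURCE_TYPE and not has_recipient(r.get("values") or {})
    )

def _va(address, values):
    """Build one constructed plan entry for the sample below."""
    return {"address": address, "type": RESOURCE_TYPE, "values": values}

# Constructed sample plan, trimmed to the fields the check reads.
SAMPLE_PLAN = {"planned_values": {"root_module": {
    "resources": [
        _va(RESOURCE_TYPE + ".ok", {"recurring_scans": [
            {"enabled": True, "emails": ["owner1@example.com"]}]}),
        _va(RESOURCE_TYPE + ".empty", {"recurring_scans": [
            {"enabled": True, "email_subscription_admins": True, "emails": []}]}),
        _va(RESOURCE_TYPE + ".blank", {"recurring_scans": [{"emails": [" "]}]}),
        {"address": "azurerm_mssql_server.main", "type": "azurerm_mssql_server",
         "values": {}},
    ],
    "child_modules": [{"resources": [
        _va("module.db." + RESOURCE_TYPE + ".no_block", {"recurring_scans": []})]}],
}}}

if __name__ == "__main__":
    for address in find_missing_recipients(SAMPLE_PLAN):
        print(f"FAIL {address}: recurring_scans.emails is empty")
```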

From Command Line
Run the command below to reconfigure the SQL server and enable the Vulnerability Assessment (VA) settings:

Update-AzSqlServerVulnerabilityAssessmentSetting -ServerName SERVERNAME -ResourceGroupName RESOURCEGROUPNAME -StorageAccountName STORAGEACCOUNTNAME -RecurringScansInterval Weekly -EmailAdmins $true -NotificationEmail EMAILID

References

  1. https://learn.microsoft.com/en-us/azure/azure-sql/database/sql-vulnerability-assessment?view=azuresql&tabs=azure-powershell
  2. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_server_vulnerability_assessment#emails
  3. https://learn.microsoft.com/en-us/powershell/module/az.sql/update-azsqlservervulnerabilityassessmentsetting?view=azps-8.3.0

SQL Server on Virtual Machines

SQL Server on Azure virtual machines enables you to use full versions of SQL Server in the Cloud without having to manage any on-premises hardware. SQL Server VMs also simplify licensing costs when you pay as you go.

Azure virtual machines run in many different geographic regions around the world. They also offer a variety of machine sizes. The virtual machine image gallery allows you to create a SQL Server VM with the right version, edition, and operating system. This makes virtual machines a good option for many different SQL Server workloads.

Compliance Frameworks

  • Azure CIS Foundations v. 1.2.0
  • Azure CIS Foundations v. 1.3.0
  • Azure CIS Foundations v. 1.3.1
  • Azure CIS Foundations v. 1.4.0
  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v. 2.0
  • Azure CloudGuard Best Practices
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset