Azure SQL
Overview
Critical
0High
2Medium
16Low
3Informational
0Security issues (21)
| Severity | Non-Compliance | Region | Resource | Issue | Remediation | Read more | Action |
|---|---|---|---|---|---|---|---|
| Medium | HIPAA (Backup) | eastus | master | SQL Database is not restorable. | To fulfill HIPAA requirements on backups of all user data and inventory to secure its future availability, ensure that SQL Database instances can be restored to a recent point. | More info | |
| Low | — | eastus | master | SQL Database is not configured to be zone redundant. | To avoid a single point of failure for all systems relying on SQL Databases, ensure that all SQL Database instances are created in multiple availability zones. | More info | |
| Medium | CIS 4.1.1 PCI DSS 10.2 HIPAA (Audit) | eastus | my-sql-db | SQL Database has Database Auditing disabled. | To fulfill HIPAA requirements on secure audit record for read/write/delete activities in the system, ensure that SQL Database Auditing is enabled. | More info | |
| Medium | HIPAA (Backup) | eastus | my-sql-db | SQL Database is configured to retain backups for 5 days, while the recommended limit is 7 days. | To fulfill HIPAA requirements on backups of all user data and inventory to secure its future availability, ensure that SQL Databases have a sufficient Point in Time Restore (PITR) backup retention period configured. | More info | |
| Medium | CIS 4.4.2 PCI DSS (Old Protocols) HIPAA (Encryption) | eastus | prevasio-sql-server | SQL Server has TLS version 1.1, which is lower than the desired TLS version 1.2. | To comply with the industry standards, ensure TLS 1.2 or higher is used for all TLS connections to SQL Servers. | More info | |
| Medium | CIS 4.1.6 PCI DSS 10.2 HIPAA (Audit) | eastus | prevasio-sql-server | SQL Server Auditing retention is 10 days, while the recommended limit is 90 days. | To fulfill HIPAA requirements on secure audit record for read/write/delete activities in the system, ensure that SQL Servers have a sufficient log data retention period, i.e. 90 days or more. | More info | |
| Medium | — | eastus | prevasio-sql-server | SQL Server has no automatic tuning configured for indexes createIndex, dropIndex, forceLastGoodPlan. | To monitor database queries and improve database workload performance, ensure that SQL Servers have automatic tuning enabled. | More info | |
| High | CIS 4.1.2 | eastus | prevasio-sql-server | SQL Server is open to outside traffic. | In order to eliminate the exposure from the public Internet, ensure that your SQL Database Servers are accessible through private endpoints instead of public IP addresses or service endpoints. | More info | |
| Medium | CIS 4.1.1 PCI DSS 10.2 HIPAA (Audit) | westus | master | SQL Database has Database Auditing disabled. | To fulfill HIPAA requirements on secure audit record for read/write/delete activities in the system, ensure that SQL Database Auditing is enabled. | More info | |
| Medium | HIPAA (Backup) | westus | master | SQL Database is not restorable. | To fulfill HIPAA requirements on backups of all user data and inventory to secure its future availability, ensure that SQL Database instances can be restored to a recent point. | More info | |
| Low | — | westus | master | SQL Database is not configured to be zone redundant. | To avoid a single point of failure for all systems relying on SQL Databases, ensure that all SQL Database instances are created in multiple availability zones. | More info | |
| Low | CIS 4.1.2 | westus | prevasio-sql-server2 | SQL Server has no private endpoints configured. | To connect your virtual network to services in Azure without a public IP address at the source or destination, ensure the SQL Servers are accessible only through private endpoints. | More info | |
| Medium | — | westus | prevasio-sql-server2 | SQL Server has no auto-failover groups configured. | To enable database replication and automatic failover, ensure that SQL Servers are using auto-failover groups. | More info | |
| Medium | CIS 4.4.2 PCI DSS (Old Protocols) HIPAA (Encryption) | westus | prevasio-sql-server2 | SQL Server has TLS version set to EnforcementDisabled, while the desired TLS version is 1.2. | To comply with the industry standards, ensure TLS 1.2 or higher is used for all TLS connections to SQL Servers. | More info | |
| Medium | — | westus | prevasio-sql-server2 | SQL Server has Advanced Data Security disabled. | To provide a set of advanced SQL security capabilities for your SQL Database Servers, ensure that Advanced Data Security is enabled within your SQL Server configuration settings. | More info | |
| Medium | westus | prevasio-sql-server2 | SQL Server has no Email Account Admins enabled. | To send monitored data for unusual activity, vulnerabilities, and threats to the account admins and subscription owners, ensure that advanced data security for SQL Servers has Email Account Admins enabled. | More info | ||
| High | westus | prevasio-sql-server2 | SQL Server has no list of emails configured to which alerts could be sent upon detection of anomalous activities. | To send alerts on unusual activity, vulnerabilities, and threats, specify email address(es) under "Send alerts to" in Advanced Threat Protection settings of Microsoft Defender for SQL. | More info | ||
| Medium | CIS 4.1.1 PCI DSS 10.2 HIPAA (Audit) | westus | prevasio-sql-server2 | SQL Server has Database Auditing disabled. | To fulfill HIPAA requirements on secure audit record for read/write/delete activities in the system, ensure that SQL Server Auditing is enabled. | More info | |
| Medium | PCI DSS 10.2 HIPAA (Audit) | westus | prevasio-sql-server2 | SQL Server has Audit Action and Groups disabled. | To fulfill HIPAA requirements on secure audit record for read/write/delete activities in the system, ensure SQL Server Audit Action and Groups is configured to at least include SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP and BATCH_COMPLETED_GROUP. | More info | |
| Medium | CIS 4.1.4 | westus | prevasio-sql-server2 | SQL Server uses no Active Directory administrator. | To centrally manage identity and access to your SQL Database Servers, ensure that SQL Servers use an Active Directory administrator. | More info | |
| Medium | CIS 4.1.3 | westus | prevasio-sql-server2 | SQL Server has TDE (Transparent data encryption) that uses Microsoft managed key instead of BYOK (Bring Your Own Key). | For greater control, transparency and increasing security by having full control of the encryption keys, ensure your SQL Server data at rest is protected with a key from your own Azure key vault. | More info |
SQL databases (3)
| Database name | Location | Server | Kind | Created | Status | Security issues |
|---|---|---|---|---|---|---|
| master | East US | prevasio-sql-server | V12.0,system | Online | 1 Medium + 1 other (details) | |
| my-sql-db | East US | prevasio-sql-server | V12.0,user,vcore | Online | 2 Medium (details) | |
| master | West US | prevasio-sql-server2 | V12.0,system | Online | 2 Medium + 1 other (details) |
SQL servers (2)
| Server name | Location | Resource group | Status | Kind | Minimal TLS version | Public network access | Security issues |
|---|---|---|---|---|---|---|---|
| prevasio-sql-server | East US | prevasio-web-app_group | Ready | v12.0 | 1.1 | Enabled | 1 High + 3 others (details) |
| prevasio-sql-server2 | West US | test-clust_group | Ready | v12.0 | TLSEnforcementDisabled | Enabled | 1 High + 9 others (details) |