AzInitiativeAdvertizer

last sync: 2024-Nov-25 18:54:43 UTC

[Preview]: Control the use of Microsoft SQL in a Virtual Enclave

Azure BuiltIn Policy Initiative (PolicySet)

Source Azure Portal
Display name[Preview]: Control the use of Microsoft SQL in a Virtual Enclave
Id0fbe78a5-1722-4f1b-83a5-89c14151fa60
Version1.0.0-preview
Details on versioning
Versioning Versions supported for Versioning: 1
1.0.0-preview
Built-in Versioning [Preview]
CategoryVirtualEnclaves
Microsoft Learn
DescriptionThis initiative deploys Azure policies for Microsoft SQL ensuring boundary protection of this resource while it operates within the logically separated structure of Azure Virtual Enclaves. https://aka.ms/VirtualEnclaves
TypeBuiltIn
DeprecatedFalse
PreviewTrue
Policy count Total Policies: 23
Builtin Policies: 23
Static Policies: 0
Policy used
Policy DisplayName Policy Id Category Effect Roles# Roles State
An Azure Active Directory administrator should be provisioned for SQL servers 1f314764-cb73-4fc9-b863-8eca98ac36e9 SQL Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA
Auditing on SQL server should be enabled a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9 SQL Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA
Azure Defender for SQL should be enabled for unprotected Azure SQL servers abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9 SQL Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA
Azure Defender for SQL should be enabled for unprotected SQL Managed Instances abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9 SQL Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA
Azure SQL Database should be running TLS version 1.2 or newer 32e6bbec-16b6-44c2-be37-c5b672d103cf SQL Default
Audit
Allowed
Audit, Disabled, Deny		 0 GA
Azure SQL Database should have Microsoft Entra-only authentication enabled during creation abda6d70-9778-44e7-84a8-06713e6db027 SQL Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA
Azure SQL Managed Instances should disable public network access 9dfea752-dd46-4766-aed1-c355fa93fb91 SQL Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA
Azure SQL Managed Instances should have Microsoft Entra-only authentication enabled during creation 78215662-041e-49ed-a9dd-5385911b3a1f SQL Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA
Configure Azure Defender to be enabled on SQL managed instances c5a62eb0-c65a-4220-8a4d-f70dd4ca95dd SQL Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled		 1 SQL Security Manager GA
Configure Azure Defender to be enabled on SQL servers 36d49e87-48c4-4f2e-beed-ba4ed02b71f5 SQL Fixed
DeployIfNotExists		 1 SQL Security Manager GA
Configure Azure SQL Server to disable public network access 28b0b1e5-17ba-4963-a7a4-5a1ab4400a0b SQL Default
Modify
Allowed
Modify, Disabled		 1 SQL Server Contributor GA
Deploy SQL DB transparent data encryption 86a912f6-9a06-4e26-b447-11b16ba8659f SQL Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled		 1 SQL DB Contributor GA
Private endpoint connections on Azure SQL Database should be enabled 7698e800-9299-47a6-b3b6-5a0fee576eed SQL Default
Audit
Allowed
Audit, Disabled		 0 GA
Public network access on Azure SQL Database should be disabled 1b8ca024-1d5c-4dec-8995-b1a932b41780 SQL Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA
SQL databases should have vulnerability findings resolved feedbf84-6b99-488c-acc2-71c829aa5ffc Security Center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA
SQL Managed Instance should have the minimal TLS version of 1.2 a8793640-60f7-487c-b5c3-1d37215905c4 SQL Default
Audit
Allowed
Audit, Disabled		 0 GA
SQL managed instances should use customer-managed keys to encrypt data at rest ac01ad65-10e5-46df-bdd9-6b0cad13e1d2 SQL Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA
SQL Server should use a virtual network service endpoint ae5d2f14-d830-42b6-9899-df6cfe9c71a3 Network Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA
SQL servers should use customer-managed keys to encrypt data at rest 0a370ff3-6cab-4e85-8995-295fd854c5b8 SQL Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA
SQL servers with auditing to storage account destination should be configured with 90 days retention or higher 89099bee-89e0-4b26-a5f4-165451757743 SQL Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA
Transparent Data Encryption on SQL databases should be enabled 17k78e20-9358-41c9-923c-fb736d382a12 SQL Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA
Vulnerability assessment should be enabled on SQL Managed Instance 1b7aa243-30e4-4c9e-bca8-d0d3022b634a SQL Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA
Vulnerability assessment should be enabled on your SQL servers ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9 SQL Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA
Roles used Total Roles usage: 4
Total Roles unique usage: 3
Role Role Id Policies count Policies
SQL Security Manager 056cd41c-7e88-42e1-933e-88ba6a50c9c3 2 Configure Azure Defender to be enabled on SQL managed instances, Configure Azure Defender to be enabled on SQL servers
SQL DB Contributor 9b7fa17d-e63e-47b0-bb0a-15c516ac86ec 1 Deploy SQL DB transparent data encryption
SQL Server Contributor 6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437 1 Configure Azure SQL Server to disable public network access
History
Date/Time (UTC ymd) (i) Changes
2024-01-17 19:06:27 add Initiative 0fbe78a5-1722-4f1b-83a5-89c14151fa60
JSON compare n/a
JSON
api-version=2021-06-01
EPAC