Azure SQL Server Advanced Data Security Is Disabled

Advanced data security (ADS) provides a set of advanced SQL security capabilities, including vulnerability assessment, threat detection, and data discovery and classification. This policy identifies Azure SQL servers that do not have ADS enabled. As a best practice, enable ADS on mission-critical SQL servers.

Policy Details

Policy Subtype: Run, Build
Severity: Medium
Template Type: Terraform

Build Rules

Azure SQL Server advanced data security is disabled.
JSON Query:
$.resource.*.azurerm_sql_server size greater than 0 and ($.resource.*.azurerm_mssql_server_security_alert_policy size == 0 or $.resource.*.azurerm_mssql_server_security_alert_policy[*].*[*].state anyEqual "Disabled" or $.resource.*.azurerm_mssql_server_security_alert_policy[*].*[*].retention_days anyNull )
Recommendation:
Recommended solution for enabling advanced data security for Azure SQL Server.
It is recommended to have Azure SQL Server advanced data security enabled. Make sure your template defines an "azurerm_mssql_server_security_alert_policy" resource and that its "state" is set to "Enabled".
For example:
"azurerm_mssql_server_security_alert_policy": [
  {
    "<mssql_server_security_alert_policy_name>": [
      {
        "resource_group_name": "azurerm_resource_group.example.name",
        "retention_days": 20,
        "server_name": "azurerm_sql_server.example.name",
        "state": "Enabled"
      }
    ]
  }
]
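
The three failure conditions in the JSON query above can be checked offline before a template reaches the build scan. The following Python is an added example, not part of the policy or the vendor's tooling. It assumes the template uses the resource.*.<type>[*].<name>[*] layout that the query walks, treats a missing retention_days the same as a null one, and runs on constructed sample templates with hypothetical resource names.

```python
import json

SERVER = "azurerm_sql_server"
POLICY = "azurerm_mssql_server_security_alert_policy"

def blocks(template, rtype):
    """Yield (name, attrs) following the query's resource.*.<type>[*].<name>[*] path."""
    resource = template.get("resource", [])
    for group in resource if isinstance(resource, list) else [resource]:
        for named in group.get(rtype, []):
            for name, bodies in named.items():
                for attrs in bodies:
                    yield name, attrs

def ads_findings(template):
    """Return the reasons the build rule fires; an empty list means the template passes."""
    if not list(blocks(template, SERVER)):
        return []  # the rule only applies when a SQL server is declared
    policies = list(blocks(template, POLICY))
    if not policies:
        return ["no %s resource defined" % POLICY]
    findings = []
    for name, attrs in policies:
        if attrs.get("state") == "Disabled":
            findings.append("%s: state is Disabled" % name)
        # Assumption: a missing key is treated the same as an explicit null.
        if attrs.get("retention_days") is None:
            findings.append("%s: retention_days is not set" % name)
    return findings

def make_template(policy_attrs=None):
    """Constructed sample template; resource names are hypothetical."""
    group = {SERVER: [{"example": [{"name": "example-sqlserver", "version": "12.0"}]}]}
    if policy_attrs is not None:
        group[POLICY] = [{"example": [policy_attrs]}]
    return {"resource": [group]}

if __name__ == "__main__":
    samples = {
        "no policy": make_template(),
        "disabled": make_template({"state": "Disabled", "retention_days": 20}),
        "no retention": make_template({"state": "Enabled"}),
        "compliant": make_template({"state": "Enabled", "retention_days": 20}),
    }
    for label, template in samples.items():
        print(label, "->", json.dumps(ads_findings(template)))
```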

Run Rule Recommendation

  1. Log in to the Azure portal.
  2. Select 'SQL servers', and select the SQL server you need to modify.
  3. Select 'Advanced Data Security', and set status as 'ON'.
  4. 'Save' your changes.

Compliance

There are 3 standards that are applicable to this policy:
  • CIS v1.1 (Azure)
  • PIPEDA
  • CCPA 2018
