Azure SQL Vulnerability List
Found 10 vulnerabilities related to Azure SQL
- azure-sql-database-rename-unalerted: Azure SQL Database Rename Alert Not Configured POC
Ensure that an Azure activity log alert is fired whenever "Rename Azure SQL Database" events are triggered within your Microsoft Azure cloud account. Activity log alerts get triggered when a new activity log event that matches the condition specified in the alert configuration occurs. For this conformity rule, the matched condition is "Whenever the Activity Log has an event with Category='Administrative', Signal name='Rename Azure SQL Database (servers/databases)'".
- azure-sql-db-update-unalerted: Azure SQL Database Create/Update Alert Not Configured POC
Ensure that an Azure activity log alert is fired whenever "Create/Update Azure SQL Database" events are triggered within your Microsoft Azure cloud account. Activity log alerts get triggered when a new activity log event that matches the condition specified in the alert configuration occurs. For this conformity rule, the matched condition is "Whenever the Activity Log has an event with Category='Administrative', Signal name='Create/Update Azure SQL Database (servers/databases)'".
- azure-sql-delete-db-unalerted: Azure SQL Delete Database Alert Not Configured POC
Ensure that a Microsoft Azure activity log alert is fired whenever a "Delete Azure SQL Database" event is triggered within your cloud account. An Azure activity log alert fires each time the action event that matches the condition specified in the alert configuration is triggered. The alert condition that this conformity rule searches for is "Whenever the Activity Log has an event with Category='Administrative', Signal name='Delete Azure SQL Database (Microsoft.Sql/servers/databases)'".
- azure-sql-fw-rule-unalerted: Azure SQL Server Firewall Rule Create/Update/Delete Alert Not Configured POC
Ensure that an Azure activity log alert is fired whenever “Create”, “Update” or “Delete SQL Server Firewall Rule” events are triggered in your Microsoft Azure cloud account. Activity log alerts get activated when a new activity log event that matches the condition specified in the alert occurs. In this case, the condition required for the alert is 'Whenever the Administrative Activity Log "Create/Update/Delete server firewall rule (Microsoft.Sql/servers/firewallRules)" has "any" level, with "any" status and event is initiated by "any"'.
- azure-sql-auditing-disabled: Azure SQL Server Auditing Not Enabled POC
Ensure that the "Auditing" feature is enabled within your Microsoft Azure SQL server configuration settings in order to monitor your SQL databases for security, compliance, and troubleshooting purposes. Microsoft Azure allows an SQL server to be created as a service. Enabling auditing at the server level ensures that all existing and newly created databases on that SQL server are audited.
- azure-sql-failover-not-enabled: Azure SQL Failover Groups Not Enabled POC
Ensure that Microsoft Azure SQL database servers are using auto-failover groups in order to enable database replication and automatic failover. A Microsoft Azure SQL failover group is designed to automatically manage replication, connectivity, high availability, and failover for a set of SQL databases.
- azure-sql-mi-tde-cmk-not-enabled: Azure SQL MI TDE Not Using Customer-Managed Keys POC
Ensure that Transparent Data Encryption (TDE) with Customer-Managed Keys (CMKs) is enabled for your Microsoft Azure SQL managed instances. The TDE protector configured for your Azure SQL managed instances must be encrypted with a Customer-Managed Key in order to protect your managed SQL databases with a key from your own Azure key vault. This enables you to have full control over the encryption and decryption process and meet strict compliance requirements.
- azure-sql-tde-cmk-not-used: Azure SQL TDE Protector Not Using BYOK POC
Ensure that your Microsoft Azure SQL server's Transparent Data Encryption protector (i.e. TDE master key) is encrypted with BYOK (Bring Your Own Key), also known as Customer-Managed Key (CMK), in order to protect your SQL databases with a key from your own Azure key vault. Using service-managed keys instead of BYOK can reduce control over encryption keys and security compliance.
- azure-sql-tde-not-enabled: Azure SQL Transparent Data Encryption Not Enabled POC
Ensure that Transparent Data Encryption (also known as encryption at rest) is enabled for all SQL databases available within your Microsoft Azure cloud account for protecting your data at rest.
- azure-sql-va-emails-unconfigured: Azure SQL Classic VA Emails Unconfigured POC
Ensure that your Amazon SQL database servers are configured with the email addresses of the concerned data owners, admins or stakeholders in order to receive Vulnerability Assessment (VA) scan reports and alerts for critical events. This setting is only available for SQL servers using the classic SQL Vulnerability Assessment configuration. For new, express configuration, email notifications are enabled by default and cannot be customized.