
Feature Request - Apply, modify and improve "Deploy SQL Database built-in SQL security configuration" / "Deploy-Sql-Security"

Open · vegazbabz opened this issue 2 years ago · 1 comment

1

The policy initiative "Deploy SQL Database built-in SQL security configuration" (Deploy-Sql-Security) is missing from the policy list under Landing Zones, although a couple of the policies in this initiative are located as single policies under this list (see points 2 and 4).

Only information about this initiative is found here: https://github.com/Azure/Enterprise-Scale/blob/main/docs/reference/azpol.md#provide-comprehensive-security-for-sql-databases

2

The policy "Deploy-SQL-TDE" ("displayName": "Deploy TDE on SQL servers") is the built-in policy "Deploy SQL DB transparent data encryption". This built-in policy is already part of the policy initiative "Deploy SQL Database built-in SQL security configuration" (Deploy-Sql-Security) and should be removed as a single policy from the policy list under Landing Zones.

3

Deprecation of https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Sql-vulnerabilityAssessments.html, which you have as an example here: https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#preview-and-deprecated-policies. This should be replaced in the policy initiative "Deploy SQL Database built-in SQL security configuration" (Deploy-Sql-Security).

4

Add this built-in policy "Configure SQL servers to have auditing enabled to Log Analytics workspace" to the policy initiative "Deploy SQL Database built-in SQL security configuration" (Deploy-Sql-Security). This built-in policy is currently part of the policy list under Landing Zones.

5

Improve the built-in policy "Configure Azure Defender to be enabled on SQL servers" with the same parameters as "Deploy SQL Database security Alert Policies configuration with email admin accounts" (Deploy-Sql-SecurityAlertPolicies) with the purpose of deprecating the ALZ custom policy.

vegazbabz avatar Jan 27 '24 09:01 vegazbabz

Hi @vegazbabz, sorry for the long delay in response:

  1. Note that we only document policies/initiatives that are assigned by default by RIs. The Deploy-Sql-Security initiative is not assigned by default because of some of the parameters required on assignment. We'll update the Policies-Extra document to include a description for this initiative (AB#37709)
  2. We had a PG requirement to deploy TDE by default, which is why it is duplicated. The initiative is optional, and not assigned by default.
  3. Done
  4. Done
  5. This will take a long time to get remediated which is why we have the custom policy.

Springstone avatar Oct 10 '24 12:10 Springstone