module/ConfigurationProvider/ControlConfigurations/Services/DBForMySql.json

{
    "FeatureName": "DBForMySql",
    "Reference": "aka.ms/azsktcp/DBForMySql",
    "IsMaintenanceMode": false,
    "Controls": [
        {
            "ControlID": "Azure_DBforMySQL_AuthZ_Firewall_Deny_AzureServices_Access",
            "DisplayName": "Use the 'Allow access to Azure services' flag for DBForMySQL only if required",
            "Description": "Use the 'Allow access to Azure services' flag for DBForMySQL only if required",
            "Id": "DBforMySql100",
            "ControlSeverity": "Medium",
            "Category": "Management interfaces and ports must not be open",
            "ControlRequirements": "Restrict network traffic flows",
            "Automated": "Yes",
            "MethodName": "CheckMySQLFirewallAccessAzureService",
            "Rationale": "The 'Allow access to Azure services' setting configures a very broad range of IP addresses from Azure as permitted to access the MySQL Server. Please make sure your scenario really requires this setting before enabling it. Turning it ON exposes your MySQL Server to risk of attacks from resources (IPs) owned by others in the Azure region.",
            "Recommendation": "1. Turn 'OFF' the 'Allow access to Azure services' setting. 2. Remove IP range from firewall rules. Refer: https://docs.microsoft.com/en-us/azure/mysql/concepts-firewall-rules#connecting-from-azure",
            "Tags": [
                "SDL",
                "TCP",
                "AuthZ",
                "Automated",
                "Weekly"
            ],
            "Enabled": true,
            "CustomTags": [],
            "ControlSettings": {
                "FirewallRuleName_AllowAzureIps": "AllowAllWindowsAzureIps"
            },
            "ControlEvaluationDetails": {
                "RequiredProperties": [
                    "FirewallRules"
                ]
            }
        },
        {
            "ControlID": "Azure_DBforMySQL_NetSec_Dont_Allow_Universal_IP_Range",
            "Description": "Do not use Any-to-Any IP range for Azure Database for MySQL.",
            "Id": "DBforMySql110",
            "ControlSeverity": "High",
            "DisplayName": "Do not use Any-to-Any IP range for Azure Database for MySQL",
            "Category": "Deploy controls to restrict network traffic",
            "ControlRequirements": "Restrict network traffic flows",
            "ControlEvaluationDetails": {
                "RequiredProperties": [
                    "FirewallRules"
                ]
            },
            "Automated": "Yes",
            "MethodName": "CheckMySQLFirewallIpRange",
            "Rationale": "Using the firewall feature ensures that access to the data or the service is restricted to a specific set/group of clients. NOTE: While this control does provide an extra layer of access control protection, it may not always be feasible to implement in all scenarios.",
            "Recommendation": "Do not configure 'Any to Any' firewall IP address. Refer: https://docs.microsoft.com/en-us/azure/mysql/concepts-firewall-rules.",
            "Tags": [
                "SDL",
                "TCP",
                "NetSec",
                "Automated",
                "Baseline",
                "Weekly"
            ],
            "ControlSettings": {
                "IPRangeStartIP": "0.0.0.0",
                "IPRangeEndIP": "255.255.255.255",
                "FirewallRuleName_AllowAzureIps": "AllowAllWindowsAzureIps"
            },
            "Enabled": true,
            "CustomTags": []
        },
      {
        "ControlID": "Azure_DBforMySQL_Authz_Enable_SSL_Connection",
        "Description": "SSL connection must be enabled for Azure Database for MySQL",
        "Id": "DBforMySQL120",
        "ControlSeverity": "High",
        "Automated": "Yes",
        "MethodName": "CheckMySQLSSLConnection",
        "DisplayName": "SSL connection must be enabled for Azure Database for MySQL",
        "Category": "Encrypt data in transit",
        "ControlRequirements": "Data must be encrypted in transit and at rest",
        "Rationale": "Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application.",
        "Recommendation": "To enable SSL connection for Azure Database for MySQL server, refer https://docs.microsoft.com/en-us/azure/mysql/concepts-ssl-connection-security.",
        "Tags": [
          "SDL",
          "TCP",
          "Authz",
          "Automated",
          "Baseline",
          "Weekly"
        ],
        "Enabled": true,
        "CustomTags": [],
        "ControlEvaluationDetails": {
          "RequiredProperties": [
            "SSLState"
          ]
        }
      },
        {
            "ControlID": "Azure_DBforMySQL_NetSec_Configure_VNet_Rules",
            "Description": "Consider using virtual network rules for improved isolation",
            "Id": "DBforMySQL130",
            "ControlSeverity": "Medium",
            "Automated": "Yes",
            "MethodName": "CheckMySQLServerVnetRules",
            "Rationale": "Virtual network rules provide isolation for your Azure Database for MySQL by permitting only the specified virtual networks to access the database server.",
            "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/mysql/concepts-data-access-and-security-vnet",
            "Tags": [
                "SDL",
                "TCP",
                "NetSec",
                "Automated"
            ],
            "Enabled": false,
            "CustomTags": []
        },
        {
            "ControlID": "Azure_DBforMySQL_BCDR_Plan",
            "Description": "Backup and Disaster Recovery must be planned at the time of creation of Azure Database for MySql service",
            "Id": "DBforMySQL140",
            "ControlSeverity": "Medium",
            "Automated": "Yes",
            "MethodName": "CheckMySQLBCDRStatus",
            "Rationale": "Azure Database for MySQL offers default backup/disaster recovery for 7 days that can be extended up to 35 days. You can choose between locally redundant or geo-redundant backup storage. When processing critical workloads, a team must have adequate backups of the data.",
            "Recommendation": "Ensure backup settings for Azure Database for MySQL have been set correctly.",
            "Tags": [
                "SDL",
                "TCP",
                "BCDR",
                "Automated"
            ],
            "Enabled": false,
            "CustomTags": []
        },
        {
            "ControlID": "Azure_DBforMySQL_Audit_Enable_ATP",
            "Description": "Advanced Threat Protection must be enabled for Azure Database for MySQL",
            "Id": "DBforMySQL150",
            "ControlSeverity": "High",
            "Automated": "Yes",
            "MethodName": "CheckMySQLATPSetting",
            "DisplayName": "Enable Threat detection for MySQL database",
            "Category": "Monitoring must be enabled",
            "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
            "Rationale": "Advanced Threat Protection for Azure Database for MySQL provides a layer of security, which enables customers to detect and respond to potential threats as they occur by providing security alerts on anomalous activities.",
            "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/mysql/concepts-data-access-and-security-threat-protection",
            "Tags": [
                "SDL",
                "TCP",
                "Audit",
                "Automated",
                "Baseline",
                "Weekly"
            ],
            "Enabled": true,
            "ControlSettings": {
                "UnsupportedTier": [
                    "Basic"
                ]
            },
            "ControlEvaluationDetails": {
                "RequiredProperties": [
                    "ATPStatus",
                    "Tier",
                    "SecurityAlertPolicy"
                ]
            },
            "CustomTags": [
                "P2",
                "Wave99",
                "SN:mySQL_TDE"
            ]
        },
      {
        "ControlID": "Azure_DBforMySQL_Audit_Enable_Diagnostics_Log",
        "Description": "Diagnostics logs must be enabled for Azure Database for MySQL",
        "Id": "DBforMySQL160",
        "ControlSeverity": "Medium",
        "Automated": "Yes",
        "MethodName": "CheckDiagnosticsSettings",
        "DisplayName": "Diagnostics logs must be enabled for Azure Database for MySQL",
        "Category": "Monitoring must be correctly configured",
        "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
        "Rationale": "Logs should be retained for a long enough period so that the activity trail can be recreated when investigations are required in the event of an incident or a compromise. A period of 1 year is typical for several compliance requirements as well.",
        "Recommendation": "You can change the diagnostic settings from the Azure Portal by following the steps given here: https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings.",
        "Tags": [
          "SDL",
          "TCP",
          "Audit",
          "Diagnostics",
          "DBforMySQL",
          "Automated",
          "Baseline",
          "Weekly"
        ],
        "ControlEvaluationDetails": {
          "RequiredProperties": [
            "DiagnosticSetting"
          ]
        },
        "Enabled": true,
        "ControlSettings": {
          "DiagnosticForeverRetentionValue": "0",
          "DiagnosticMinRetentionPeriod": "365",
          "DiagnosticLogs": [
            "MySqlAuditLogs"
          ]
        },
        "CustomTags": []
      },
        {
            "ControlID": "Azure_DBforMySQL_Audit_Review_Logs",
            "Description": "Diagnostic and activity logs for Azure Database for MySQL should be reviewed periodically",
            "Id": "DBforMySQL170",
            "ControlSeverity": "Medium",
            "Automated": "No",
            "MethodName": "",
            "Rationale": "Periodic reviews of diagnostics, activity and audit logs ensure that anomalous activity can be identified early enough instead of after a major compromise.",
            "Recommendation": "Review diagnostic/activity logs to check activities on the resource. Refer: https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-overview-of-diagnostic-logs and https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-overview-activity-logs",
            "Tags": [
                "SDL",
                "Best Practice",
                "Manual",
                "Audit",
                "DBforMySQL"
            ],
            "Enabled": false,
            "CustomTags": []
        },
      {
        "ControlID": "Azure_DBforMySQL_AuthZ_Grant_Min_Access",
        "Description": "Access to Azure Database for MySQL Servers must be granted in accordance with the principle of least privilege",
        "Id": "DBforMySQL180",
        "ControlSeverity": "High",
        "Automated": "No",
        "MethodName": "",
        "Rationale": "Granting minimum access ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.",
        "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/mysql/howto-create-users#how-to-create-database-users-in-azure-database-for-mysql",
        "Tags": [
          "SDL",
          "TCP",
          "Manual",
          "AuthZ",
          "RBAC"
        ],
        "Enabled": false,
        "CustomTags": []
      },
      {
        "ControlID": "Azure_DBforMySQL_DP_Use_Secure_TLS_Version",
        "Description": "Use approved version of TLS for Azure Database for MySQL",
        "Id": "DBforMySQL190",
        "ControlSeverity": "High",
        "Automated": "Yes",
        "MethodName": "CheckMySQLTLSVersion",
        "DisplayName": "Use approved version of TLS for Azure Database for MySQL",
        "Category": "Encrypt data in transit",
        "ControlRequirements": "Data must be encrypted in transit and at rest",
        "Rationale": "TLS provides privacy and data integrity between client and server. Using an approved TLS version significantly reduces risks from security design issues and security bugs that may be present in older versions.",
        "Recommendation": "To Configure 'Minimum TLS Version' setting for 'Azure Database for MySQL' single server, go to Azure Portal --> Your Resource --> Connection Security --> Enable SSL, if Disabled --> Set the Minimum TLS Version to latest version. Refer: https://docs.microsoft.com/en-us/azure/mysql/concepts-ssl-connection-security#tls-enforcement-in-azure-database-for-mysql",
        "Tags": [
          "SDL",
          "TCP",
          "DP",
          "Automated",
          "Baseline",
          "Weekly"
        ],
        "Enabled": true,
        "CustomTags": [],
        "ControlSettings": {
          "MinReqTLSVersion": "1.2"
        }
      }
    ]
}