Governance Policies Azure Data Azure SQL - Azure/az-prototype GitHub Wiki
Governance policies for Azure SQL
Domain: azure-data
| Name | Description |
|---|---|
| SQL Server with AAD-only auth and private endpoint | Complete SQL Server deployment with Entra-only authentication, TDE, threat protection, private endpoint, and diagnostics |
| Description | Instead |
|---|---|
| Do not use SQL authentication with username/password | Use Microsoft Entra (Azure AD) authentication with managed identity |
| Do not set firewall rule 0.0.0.0-255.255.255.255 | Use private endpoints for all connectivity |
| Do not put administrators inline in the server body | Create Microsoft.Sql/servers/administrators and Microsoft.Sql/servers/azureADOnlyAuthentications as separate child resources |
| Do not use SQL DB Contributor role for application data access | Use T-SQL contained users: CREATE USER [app-identity] FROM EXTERNAL PROVIDER |
- SQL Database security best practices
- Azure SQL private endpoints
- AAD-only authentication
- WAF: Azure SQL Database service guide
- SQL Database auditing
- SQL vulnerability assessment
- SQL Database failover groups
| Check | Severity | Description |
|---|---|---|
| AZ-SQL-001 | Required | Create SQL Server with AAD-only authentication via separate child resources |
| AZ-SQL-002 | Required | Create SQL Database with appropriate SKU and settings |
| AZ-SQL-003 | Required | Enable Transparent Data Encryption (TDE) on every database |
| AZ-SQL-004 | Required | Enable Advanced Threat Protection on the SQL Server |
| AZ-SQL-005 | Required | Disable public network access and enforce TLS 1.2 minimum |
| AZ-SQL-006 | Required | Enable diagnostic settings to Log Analytics workspace |
| AZ-SQL-007 | Recommended | Use serverless tier (GP_S_Gen5) for POC and dev/test workloads |
| AZ-SQL-008 | Required | Enable SQL Database auditing on the logical server |
| AZ-SQL-009 | Recommended | Enable SQL Vulnerability Assessment on the SQL Server |
| AZ-SQL-010 | Recommended | Configure zone redundancy for Business Critical or Premium tier databases |
| AZ-SQL-011 | Recommended | Use failover groups for automatic geo-failover of critical databases |
AZ-SQL-001: Create SQL Server with AAD-only authentication via separate child resources
Severity: Required
Rationale: Centralised identity management via Entra ID; SQL auth passwords are a security liability
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Sql/servers
AZ-SQL-002: Create SQL Database with appropriate SKU and settings
Severity: Required
Rationale: Databases must be created as child resources of the server with explicit SKU configuration
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Sql/servers/databases
AZ-SQL-003: Enable Transparent Data Encryption (TDE) on every database
Severity: Required
Rationale: Data-at-rest encryption is a baseline security requirement
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Sql/servers/databases
AZ-SQL-004: Enable Advanced Threat Protection on the SQL Server
Severity: Required
Rationale: Detects anomalous database activities indicating potential security threats
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Sql/servers
AZ-SQL-005: Disable public network access and enforce TLS 1.2 minimum
Severity: Required
Rationale: Prevents direct internet access; all connections must traverse private endpoints
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Sql/servers
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Network/privateEndpoints | pe-sql | Private endpoint for SQL Server — required when publicNetworkAccess is Disabled |
| Microsoft.Network/privateDnsZones/virtualNetworkLinks | privatelink.database.windows.net | Private DNS zone for SQL Server private endpoint resolution |
AZ-SQL-006: Enable diagnostic settings to Log Analytics workspace
Severity: Required
Rationale: Audit trail for access, query performance, and security events
Agents: terraform-agent, bicep-agent, cloud-architect, monitoring-agent
- Microsoft.Sql/servers/databases
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Insights/diagnosticSettings | diag-sql | Diagnostic settings for SQL Database to Log Analytics |
AZ-SQL-007: Use serverless tier (GP_S_Gen5) for POC and dev/test workloads
Severity: Recommended
Rationale: Auto-pause reduces costs for intermittent usage patterns
Agents: cloud-architect, cost-analyst, terraform-agent, bicep-agent
- Microsoft.Sql/servers/databases
AZ-SQL-008: Enable SQL Database auditing on the logical server
Severity: Required
Rationale: WAF Security: Auditing tracks database events and writes them to an audit log, maintaining regulatory compliance and providing insight into database activity
Agents: terraform-agent, bicep-agent, cloud-architect, security-reviewer
- Microsoft.Sql/servers
AZ-SQL-009: Enable SQL Vulnerability Assessment on the SQL Server
Severity: Recommended
Rationale: WAF Security: Built-in service that identifies, tracks, and helps remediate potential database vulnerabilities with actionable remediation scripts
Agents: terraform-agent, bicep-agent, cloud-architect, security-reviewer
- Microsoft.Sql/servers
AZ-SQL-010: Configure zone redundancy for Business Critical or Premium tier databases
Severity: Recommended
Rationale: WAF Reliability: Zone-redundant availability distributes compute and storage across availability zones, maintaining operations during zone failures
Agents: cloud-architect, terraform-agent, bicep-agent
- Microsoft.Sql/servers/databases
AZ-SQL-011: Use failover groups for automatic geo-failover of critical databases
Severity: Recommended
Rationale: WAF Reliability: Failover groups automate failover from primary to secondary with read-write and read-only listener endpoints that remain unchanged during geo-failovers
Agents: cloud-architect, terraform-agent, bicep-agent
- Microsoft.Sql/servers
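As an added example (not code from the az-prototype repo or its agents), the Python script below turns the checks and anti-patterns on this page into a static lint over the `resources` array of an ARM template, such as the JSON that `az bicep build` produces from the Bicep the agents generate. It flags SQL authentication logins, an Entra admin declared inline in the server body, an allow-all firewall rule, missing `administrators` / `azureADOnlyAuthentications` child resources, `publicNetworkAccess` left enabled (or disabled without a private endpoint whose `groupIds` include `sqlServer`), a TLS floor below 1.2, missing threat protection, auditing and vulnerability assessment, databases without an explicit SKU, TDE or a Log Analytics diagnostic setting, and Business Critical / Premium databases that are not zone redundant. Assumptions: child resources carry literal `server/child` names (a compiled template that still contains `[format(...)]` name expressions needs those resolved first), and AZ-SQL-007 and AZ-SQL-011 are not evaluated. The sample template at the bottom is constructed for the example and deliberately violates several checks.

```python
"""Static checker for the AZ-SQL-* checks and anti-patterns on this page (an added example, not
az-prototype code). Input: the ``resources`` array of an ARM template, e.g. from ``az bicep build``."""
SRV, DB = "microsoft.sql/servers", "microsoft.sql/servers/databases"


def _of_type(resources, rtype):
    return [r for r in resources if r.get("type", "").lower() == rtype]


def _child(resources, parent, child_type):
    """First resource of child_type named '<parent>/...' (assumes literal, evaluated names)."""
    return next((r for r in _of_type(resources, child_type)
                 if r.get("name", "").lower().startswith(parent.lower() + "/")), None)


def _enabled(r):
    return bool(r) and str(r.get("properties", {}).get("state", "")).lower() == "enabled"


def _has_sql_private_endpoint(resources, server):
    conns = [c.get("properties", {}) for pe in _of_type(resources, "microsoft.network/privateendpoints")
             for c in pe.get("properties", {}).get("privateLinkServiceConnections", [])]
    return any(server.lower() in c.get("privateLinkServiceId", "").lower()
               and "sqlServer" in c.get("groupIds", []) for c in conns)


def check_server(resources, srv):
    name, props, out = srv["name"], srv.get("properties", {}), []
    add = lambda cid, sev, msg: out.append((cid, sev, name, msg))
    # Anti-patterns from the table above: SQL login, inline Entra admin, allow-all firewall rule
    if "administratorLogin" in props:
        add("AZ-SQL-001", "Required", "SQL authentication login set; use Entra auth with managed identity")
    if "administrators" in props:
        add("AZ-SQL-001", "Required", "Entra admin declared inline; use a servers/administrators child resource")
    for fw in _of_type(resources, f"{SRV}/firewallrules"):
        p, mine = fw.get("properties", {}), fw["name"].lower().startswith(name.lower() + "/")
        if mine and (p.get("startIpAddress"), p.get("endIpAddress")) == ("0.0.0.0", "255.255.255.255"):
            add("AZ-SQL-005", "Required", f"{fw['name']} opens the server to every IPv4 address; use private endpoints")
    # AZ-SQL-001: Entra admin and AAD-only authentication as separate child resources
    if _child(resources, name, f"{SRV}/administrators") is None:
        add("AZ-SQL-001", "Required", "missing servers/administrators child resource")
    aad_only = _child(resources, name, f"{SRV}/azureadonlyauthentications")
    if not (aad_only and aad_only.get("properties", {}).get("azureADOnlyAuthentication") is True):
        add("AZ-SQL-001", "Required", "servers/azureADOnlyAuthentications missing or not set to true")
    # AZ-SQL-004 / 008 / 009: server-level protection features
    if not _enabled(_child(resources, name, f"{SRV}/securityalertpolicies")):
        add("AZ-SQL-004", "Required", "Advanced Threat Protection (securityAlertPolicies) not enabled")
    if not _enabled(_child(resources, name, f"{SRV}/auditingsettings")):
        add("AZ-SQL-008", "Required", "server auditing (auditingSettings) not enabled")
    if not any(_child(resources, name, f"{SRV}/{t}") for t in ("vulnerabilityassessments", "sqlvulnerabilityassessments")):
        add("AZ-SQL-009", "Recommended", "no vulnerability assessment configured")
    # AZ-SQL-005: public access off, TLS 1.2 floor, and a private endpoint that targets this server
    if props.get("publicNetworkAccess") != "Disabled":
        add("AZ-SQL-005", "Required", "publicNetworkAccess must be 'Disabled'")
    elif not _has_sql_private_endpoint(resources, name):
        add("AZ-SQL-005", "Required", "no private endpoint (groupIds sqlServer) targets the server")
    if props.get("minimalTlsVersion") != "1.2":
        add("AZ-SQL-005", "Required", "minimalTlsVersion must be '1.2'")
    return out


def check_database(resources, db):
    name, sku, props, out = db["name"], db.get("sku", {}), db.get("properties", {}), []
    add = lambda cid, sev, msg: out.append((cid, sev, name, msg))
    if not sku.get("name"):
        add("AZ-SQL-002", "Required", "database has no explicit SKU")
    if not _enabled(_child(resources, name, f"{DB}/transparentdataencryption")):
        add("AZ-SQL-003", "Required", "TDE (transparentDataEncryption) not enabled")
    short = name.split("/")[-1].lower()  # diagnostic settings point at the database via 'scope'
    if not any(short in d.get("scope", "").lower() and d.get("properties", {}).get("workspaceId")
               for d in _of_type(resources, "microsoft.insights/diagnosticsettings")):
        add("AZ-SQL-006", "Required", "no diagnostic setting to a Log Analytics workspace")
    if sku.get("tier") in ("BusinessCritical", "Premium") and props.get("zoneRedundant") is not True:
        add("AZ-SQL-010", "Recommended", "Business Critical/Premium database without zoneRedundant: true")
    return out


def evaluate(template):
    resources, findings = template["resources"], []
    for srv in _of_type(resources, SRV):
        findings += check_server(resources, srv)
    for db in _of_type(resources, DB):
        findings += check_database(resources, db)
    return findings


# Constructed sample template: one server with several deliberate defects
SAMPLE = {"resources": [
    {"type": "Microsoft.Sql/servers", "name": "sql-app", "properties": {
        "minimalTlsVersion": "1.0", "publicNetworkAccess": "Enabled",
        "administrators": {"login": "dba-group", "sid": "<entra-object-id>"}}},
    {"type": "Microsoft.Sql/servers/firewallRules", "name": "sql-app/AllowAll",
     "properties": {"startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"}},
    {"type": "Microsoft.Sql/servers/databases", "name": "sql-app/sqldb-app",
     "sku": {"name": "GP_S_Gen5", "tier": "GeneralPurpose"}, "properties": {}},
]}

if __name__ == "__main__":
    print("\n".join(f"{c} [{s}] {r}: {m}" for c, s, r, m in evaluate(SAMPLE)))
```

Running the script prints one line per finding; the sample trips every Required server check except the SQL-login rule and leaves the database with only the TDE and diagnostics findings. For a real template, pass `json.load(...)` of the `az bicep build --stdout` output to `evaluate` and fail the pipeline on any `Required` finding. Because the check IDs in the output match the table on this page, a reviewing agent can map each finding straight back to its rationale.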