Ensure Azure SQL server ADS Vulnerability Assessment Periodic recurring scans is enabled
Error: Azure SQL server ADS Vulnerability Assessment Periodic recurring scans is disabled
Bridgecrew Policy ID: BC_AZR_GENERAL_71
Checkov Check ID: CKV2_AZURE_3
Severity: LOW
Description
Enable Vulnerability Assessment (VA) periodic recurring scans for critical SQL servers and the databases they host.
The VA setting 'Periodic recurring scans' schedules a weekly vulnerability scan of the SQL server and every database on it. Regular scanning gives ongoing risk visibility based on up-to-date known-vulnerability signatures and best practices, rather than a one-off snapshot. In Terraform the setting is the recurring_scans block of azurerm_mssql_server_vulnerability_assessment; that resource is attached to the server through an azurerm_mssql_server_security_alert_policy and writes scan results to a storage container, so the container should stay private, because scan reports describe the server's weaknesses.
Fix - Buildtime
Terraform
- Resource: azurerm_resource_group, azurerm_sql_server, azurerm_storage_account, azurerm_storage_container, azurerm_mssql_server_security_alert_policy, azurerm_mssql_server_vulnerability_assessment
resource "azurerm_resource_group" "okExample" {
  name     = "okExample-resources"
  location = "West Europe"
}

# azurerm_sql_server is the legacy resource: it is deprecated in azurerm provider v3
# in favour of azurerm_mssql_server and removed in v4. The wiring below is the same
# for azurerm_mssql_server.
resource "azurerm_sql_server" "okExample" {
  name                = "mysqlserver"
  resource_group_name = azurerm_resource_group.okExample.name
  location            = azurerm_resource_group.okExample.location
  version             = "12.0"
  # Placeholder credentials from the page; in a real deployment pass these in as
  # sensitive variables or from Key Vault rather than hard-coding them in .tf files.
  administrator_login          = "4dm1n157r470r"
  administrator_login_password = "4-v3ry-53cr37-p455w0rd"
}

# Scan results are written here; keep the container private.
resource "azurerm_storage_account" "okExample" {
  name                     = "accteststorageaccount"
  resource_group_name      = azurerm_resource_group.okExample.name
  location                 = azurerm_resource_group.okExample.location
  account_tier             = "Standard"
  account_replication_type = "GRS"
}

resource "azurerm_storage_container" "okExample" {
  name                  = "accteststoragecontainer"
  storage_account_name  = azurerm_storage_account.okExample.name
  container_access_type = "private"
}

# Vulnerability Assessment hangs off the server's security alert policy (ADS / ATP).
resource "azurerm_mssql_server_security_alert_policy" "okExample" {
  resource_group_name = azurerm_resource_group.okExample.name
  server_name         = azurerm_sql_server.okExample.name
  state               = "Enabled"
}

resource "azurerm_mssql_server_vulnerability_assessment" "okExample" {
  server_security_alert_policy_id = azurerm_mssql_server_security_alert_policy.okExample.id
  storage_container_path          = "${azurerm_storage_account.okExample.primary_blob_endpoint}${azurerm_storage_container.okExample.name}/"
  # The access key is stored in Terraform state; protect the state backend accordingly.
  storage_account_access_key      = azurerm_storage_account.okExample.primary_access_key

  # This block is what CKV2_AZURE_3 looks for: enabled must be true.
  recurring_scans {
    enabled                   = true
    email_subscription_admins = true
    emails = [
      "[email protected]",
      "[email protected]"
    ]
  }
}
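The check described above ties three resources together: the SQL server, its security alert policy, and a vulnerability assessment whose recurring_scans block has enabled = true. The following script is an added example, not Checkov's implementation of CKV2_AZURE_3 or any Bridgecrew code. It walks a `terraform show -json` state export, resolves each vulnerability assessment back to its server through the security alert policy ID (which Azure forms as `<server id>/securityAlertPolicies/Default`), and reports a verdict per server. The embedded state with three servers (`sqlok`, `sqloff`, `sqlnone`), the subscription ID and the resource names are constructed for the example.

```python
"""Report, per Azure SQL server in a Terraform state export, whether a
vulnerability assessment with recurring scans enabled is attached to it.

Usage: terraform show -json > state.json && python check_va.py state.json
Without an argument the constructed SAMPLE_STATE below is evaluated.
"""
import json
import sys
from typing import Dict, Iterator

SERVER_TYPES = {"azurerm_sql_server", "azurerm_mssql_server"}
POLICY_TYPE = "azurerm_mssql_server_security_alert_policy"
ASSESSMENT_TYPE = "azurerm_mssql_server_vulnerability_assessment"

# Constructed ARM id prefix for the sample state (placeholder subscription / resource group).
_PREFIX = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg"
           "/providers/Microsoft.Sql/servers/")


def _server(name: str, tf_name: str) -> dict:
    return {"address": f"azurerm_sql_server.{tf_name}", "type": "azurerm_sql_server",
            "name": tf_name, "values": {"id": _PREFIX + name, "name": name}}


def _policy(name: str, tf_name: str) -> dict:
    return {"address": f"{POLICY_TYPE}.{tf_name}", "type": POLICY_TYPE, "name": tf_name,
            "values": {"id": _PREFIX + name + "/securityAlertPolicies/Default",
                       "server_name": name, "state": "Enabled"}}


def _assessment(name: str, tf_name: str, enabled: bool) -> dict:
    return {"address": f"{ASSESSMENT_TYPE}.{tf_name}", "type": ASSESSMENT_TYPE, "name": tf_name,
            "values": {"server_security_alert_policy_id":
                       _PREFIX + name + "/securityAlertPolicies/Default",
                       # nested blocks appear as lists in `terraform show -json`
                       "recurring_scans": [{"enabled": enabled,
                                            "email_subscription_admins": True,
                                            "emails": []}]}}


# Constructed sample state: one compliant server, one with scans disabled,
# one with a security alert policy but no vulnerability assessment at all.
SAMPLE_STATE = json.dumps({"format_version": "1.0", "values": {"root_module": {"resources": [
    _server("sqlok", "ok"), _policy("sqlok", "ok"), _assessment("sqlok", "ok", True),
    _server("sqloff", "off"), _policy("sqloff", "off"), _assessment("sqloff", "off", False),
    _server("sqlnone", "none"), _policy("sqlnone", "none"),
]}}})


def iter_resources(module: dict) -> Iterator[dict]:
    """Yield resources from the root module and every nested child module."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def evaluate(state_json: str) -> Dict[str, str]:
    """Map each SQL server's Terraform address to PASSED or a FAILED reason."""
    state = json.loads(state_json)
    resources = list(iter_resources(state["values"]["root_module"]))
    # ARM ids are case-insensitive, so compare them lower-cased.
    servers = {r["values"]["id"].lower(): r["address"]
               for r in resources if r["type"] in SERVER_TYPES}
    verdict = {addr: "FAILED: no vulnerability assessment attached" for addr in servers.values()}
    for r in resources:
        if r["type"] != ASSESSMENT_TYPE:
            continue
        policy_id = r["values"].get("server_security_alert_policy_id", "").lower()
        # The policy id is <server id>/securityAlertPolicies/Default; strip the suffix.
        server_id = policy_id.split("/securityalertpolicies/")[0]
        addr = servers.get(server_id)
        if addr is None:
            continue  # assessment for a server not in this state; out of scope here
        # recurring_scans is optional and its enabled flag defaults to false, so an
        # absent block counts as disabled.
        scans = r["values"].get("recurring_scans") or [{}]
        if scans[0].get("enabled") is True:
            verdict[addr] = "PASSED"
        elif verdict[addr] != "PASSED":
            verdict[addr] = "FAILED: recurring scans disabled"
    return verdict


if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_STATE
    for address, result in sorted(evaluate(data).items()):
        print(f"{result:45s} {address}")
```

Because it reads the state export rather than the .tf source, this runs against what was actually applied, including resources created inside modules, and catches the case the buildtime check cannot see: a server whose assessment was later detached or whose recurring_scans block was removed out of band.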