Ensure Azure SQL server ADS Vulnerability Assessment is enabled

Error: Azure SQL server ADS Vulnerability Assessment is disabled

Bridgecrew Policy ID: BC_AZR_GENERAL_70
Checkov Check ID: CKV2_AZURE_2
Severity: LOW

Azure SQL server ADS Vulnerability Assessment is disabled

Description

Enable Vulnerability Assessment (VA) service scans for critical SQL servers and corresponding SQL databases.
Enabling Azure Defender for SQL server does not enables Vulnerability Assessment capability for individual SQL databases unless storage account is set to store the scanning data and reports.
The Vulnerability Assessment service scans databases for known security vulnerabilities and highlight deviations from best practices, such as misconfigurations, excessive permissions, and unprotected sensitive data. Results of the scan include actionable steps to resolve each issue and provide customized remediation scripts where applicable. Additionally an assessment report can be customized by setting an acceptable baseline for permission configurations, feature configurations, and database settings.
We recommend you ensure Vulnerability Assessment is enabled on a SQL server by setting a Storage Account.

Fix - Buildtime

Terraform

  • Resource: azurerm_resource_group, azurerm_sql_server, azurerm_storage_account, azurerm_storage_container, azurerm_mssql_server_security_alert_policy, azurerm_mssql_server_vulnerability_assessment
resource "azurerm_resource_group" "okExample" {
  name     = "okExample-resources"
  location = "West Europe"
}

resource "azurerm_sql_server" "okExample" {
  name                         = "mysqlserver"
  resource_group_name          = azurerm_resource_group.okExample.name
  location                     = azurerm_resource_group.okExample.location
  version                      = "12.0"
  administrator_login          = "4dm1n157r470r"
  administrator_login_password = "4-v3ry-53cr37-p455w0rd"
}

resource "azurerm_storage_account" "okExample" {
  name                     = "accteststorageaccount"
  resource_group_name      = azurerm_resource_group.okExample.name
  location                 = azurerm_resource_group.okExample.location
  account_tier             = "Standard"
  account_replication_type = "GRS"
}

resource "azurerm_storage_container" "okExample" {
  name                  = "accteststoragecontainer"
  storage_account_name  = azurerm_storage_account.okExample.name
  container_access_type = "private"
}

resource "azurerm_mssql_server_security_alert_policy" "okExample" {
  resource_group_name = azurerm_resource_group.okExample.name
  server_name         = azurerm_sql_server.okExample.name
  state               = "Enabled"
}

resource "azurerm_mssql_server_vulnerability_assessment" "okExample" {
  server_security_alert_policy_id = azurerm_mssql_server_security_alert_policy.okExample.id
  storage_container_path          = "${azurerm_storage_account.okExample.primary_blob_endpoint}${azurerm_storage_container.okExample.name}/"
  storage_account_access_key      = azurerm_storage_account.okExample.primary_access_key

  recurring_scans {
    enabled                   = true
    email_subscription_admins = true
    emails = [
      "[email protected]",
      "[email protected]"
    ]
  }
}

Did this page help you?