Azure Policy Regulatory Compliance controls for Azure SQL Database & SQL Managed Instance
Applies to: 
Azure SQL Database
Azure SQL Managed Instance
Regulatory Compliance in Azure Policy provides Microsoft created and managed initiative definitions, known as built-ins, for the compliance domains and security controls related to different compliance standards. This page lists the compliance domains and security controls for Azure SQL Database and SQL Managed Instance. You can assign the built-ins for a security control individually to help make your Azure resources compliant with the specific standard.
The title of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Policy Version column to view the source on the Azure Policy GitHub repo.
Important
Each control is associated with one or more Azure Policy definitions. These policies might help you assess compliance with the control. However, there often isn't a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policies themselves. This doesn't ensure that you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between controls and Azure Policy Regulatory Compliance definitions for these compliance standards can change over time.
Australian Government ISM PROTECTED
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Australian Government ISM PROTECTED. For more information about this compliance standard, see Australian Government ISM PROTECTED.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| Guidelines for System Management - System patching | 940 | When to patch security vulnerabilities - 940 | SQL databases should have vulnerability findings resolved | 4.1.0 |
| Guidelines for System Management - System patching | 940 | When to patch security vulnerabilities - 940 | Vulnerability assessment should be enabled on SQL Managed Instance | 1.0.1 |
| Guidelines for System Management - System patching | 940 | When to patch security vulnerabilities - 940 | Vulnerability assessment should be enabled on your SQL servers | 3.0.0 |
| Guidelines for System Management - System patching | 1144 | When to patch security vulnerabilities - 1144 | SQL databases should have vulnerability findings resolved | 4.1.0 |
| Guidelines for System Management - System patching | 1144 | When to patch security vulnerabilities - 1144 | Vulnerability assessment should be enabled on SQL Managed Instance | 1.0.1 |
| Guidelines for System Management - System patching | 1144 | When to patch security vulnerabilities - 1144 | Vulnerability assessment should be enabled on your SQL servers | 3.0.0 |
| Guidelines for Database Systems - Database management system software | 1260 | Database administrator accounts - 1260 | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| Guidelines for Database Systems - Database management system software | 1261 | Database administrator accounts - 1261 | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| Guidelines for Database Systems - Database management system software | 1262 | Database administrator accounts - 1262 | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| Guidelines for Database Systems - Database management system software | 1263 | Database administrator accounts - 1263 | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| Guidelines for Database Systems - Database management system software | 1264 | Database administrator accounts - 1264 | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| Guidelines for Database Systems - Database servers | 1425 | Protecting database server contents - 1425 | Transparent Data Encryption on SQL databases should be enabled | 2.0.0 |
| Guidelines for System Management - System patching | 1472 | When to patch security vulnerabilities - 1472 | SQL databases should have vulnerability findings resolved | 4.1.0 |
| Guidelines for System Management - System patching | 1472 | When to patch security vulnerabilities - 1472 | Vulnerability assessment should be enabled on SQL Managed Instance | 1.0.1 |
| Guidelines for System Management - System patching | 1472 | When to patch security vulnerabilities - 1472 | Vulnerability assessment should be enabled on your SQL servers | 3.0.0 |
| Guidelines for System Management - System patching | 1494 | When to patch security vulnerabilities - 1494 | SQL databases should have vulnerability findings resolved | 4.1.0 |
| Guidelines for System Management - System patching | 1494 | When to patch security vulnerabilities - 1494 | Vulnerability assessment should be enabled on SQL Managed Instance | 1.0.1 |
| Guidelines for System Management - System patching | 1494 | When to patch security vulnerabilities - 1494 | Vulnerability assessment should be enabled on your SQL servers | 3.0.0 |
| Guidelines for System Management - System patching | 1495 | When to patch security vulnerabilities - 1495 | SQL databases should have vulnerability findings resolved | 4.1.0 |
| Guidelines for System Management - System patching | 1495 | When to patch security vulnerabilities - 1495 | Vulnerability assessment should be enabled on SQL Managed Instance | 1.0.1 |
| Guidelines for System Management - System patching | 1495 | When to patch security vulnerabilities - 1495 | Vulnerability assessment should be enabled on your SQL servers | 3.0.0 |
| Guidelines for System Management - System patching | 1496 | When to patch security vulnerabilities - 1496 | SQL databases should have vulnerability findings resolved | 4.1.0 |
| Guidelines for System Management - System patching | 1496 | When to patch security vulnerabilities - 1496 | Vulnerability assessment should be enabled on SQL Managed Instance | 1.0.1 |
| Guidelines for System Management - System patching | 1496 | When to patch security vulnerabilities - 1496 | Vulnerability assessment should be enabled on your SQL servers | 3.0.0 |
| Guidelines for System Monitoring - Event logging and auditing | 1537 | Events to be logged - 1537 | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Guidelines for System Monitoring - Event logging and auditing | 1537 | Events to be logged - 1537 | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
Canada Federal PBMM
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Canada Federal PBMM. For more information about this compliance standard, see Canada Federal PBMM.
CIS Microsoft Azure Foundations Benchmark 1.1.0
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - CIS Microsoft Azure Foundations Benchmark 1.1.0. For more information about this compliance standard, see CIS Microsoft Azure Foundations Benchmark.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| 2 Security Center | 2.14 | Ensure ASC Default policy setting "Monitor SQL Auditing" is not "Disabled" | Auditing on SQL server should be enabled | 2.0.0 |
| 2 Security Center | 2.15 | Ensure ASC Default policy setting "Monitor SQL Encryption" is not "Disabled" | Transparent Data Encryption on SQL databases should be enabled | 2.0.0 |
| 4 Database Services | 4.1 | Ensure that 'Auditing' is set to 'On' | Auditing on SQL server should be enabled | 2.0.0 |
| 4 Database Services | 4.10 | Ensure SQL server's TDE protector is encrypted with BYOK (Use your own key) | SQL managed instances should use customer-managed keys to encrypt data at rest | 2.0.0 |
| 4 Database Services | 4.10 | Ensure SQL server's TDE protector is encrypted with BYOK (Use your own key) | SQL servers should use customer-managed keys to encrypt data at rest | 2.0.1 |
| 4 Database Services | 4.2 | Ensure that 'AuditActionGroups' in 'auditing' policy for a SQL server is set properly | SQL Auditing settings should have Action-Groups configured to capture critical activities | 1.0.0 |
| 4 Database Services | 4.3 | Ensure that 'Auditing' Retention is 'greater than 90 days' | SQL servers with auditing to storage account destination should be configured with 90 days retention or higher | 3.0.0 |
| 4 Database Services | 4.4 | Ensure that 'Advanced Data Security' on a SQL server is set to 'On' | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| 4 Database Services | 4.4 | Ensure that 'Advanced Data Security' on a SQL server is set to 'On' | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| 4 Database Services | 4.8 | Ensure that Azure Active Directory Admin is configured | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| 4 Database Services | 4.9 | Ensure that 'Data encryption' is set to 'On' on a SQL Database | Transparent Data Encryption on SQL databases should be enabled | 2.0.0 |
CIS Microsoft Azure Foundations Benchmark 1.3.0
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - CIS Microsoft Azure Foundations Benchmark 1.3.0. For more information about this compliance standard, see CIS Microsoft Azure Foundations Benchmark.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| 4 Database Services | 4.1.1 | Ensure that 'Auditing' is set to 'On' | Auditing on SQL server should be enabled | 2.0.0 |
| 4 Database Services | 4.1.2 | Ensure that 'Data encryption' is set to 'On' on a SQL Database | Transparent Data Encryption on SQL databases should be enabled | 2.0.0 |
| 4 Database Services | 4.1.3 | Ensure that 'Auditing' Retention is 'greater than 90 days' | SQL servers with auditing to storage account destination should be configured with 90 days retention or higher | 3.0.0 |
| 4 Database Services | 4.2.1 | Ensure that Advanced Threat Protection (ATP) on a SQL server is set to 'Enabled' | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| 4 Database Services | 4.2.1 | Ensure that Advanced Threat Protection (ATP) on a SQL server is set to 'Enabled' | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| 4 Database Services | 4.2.2 | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Vulnerability assessment should be enabled on SQL Managed Instance | 1.0.1 |
| 4 Database Services | 4.2.2 | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Vulnerability assessment should be enabled on your SQL servers | 3.0.0 |
| 4 Database Services | 4.4 | Ensure that Azure Active Directory Admin is configured | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| 4 Database Services | 4.5 | Ensure SQL server's TDE protector is encrypted with Customer-managed key | SQL managed instances should use customer-managed keys to encrypt data at rest | 2.0.0 |
| 4 Database Services | 4.5 | Ensure SQL server's TDE protector is encrypted with Customer-managed key | SQL servers should use customer-managed keys to encrypt data at rest | 2.0.1 |
CIS Microsoft Azure Foundations Benchmark 1.4.0
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for CIS v1.4.0. For more information about this compliance standard, see CIS Microsoft Azure Foundations Benchmark.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| 4 Database Services | 4.1.1 | Ensure that 'Auditing' is set to 'On' | Auditing on SQL server should be enabled | 2.0.0 |
| 4 Database Services | 4.1.2 | Ensure that 'Data encryption' is set to 'On' on a SQL Database | Transparent Data Encryption on SQL databases should be enabled | 2.0.0 |
| 4 Database Services | 4.1.3 | Ensure that 'Auditing' Retention is 'greater than 90 days' | SQL servers with auditing to storage account destination should be configured with 90 days retention or higher | 3.0.0 |
| 4 Database Services | 4.2.1 | Ensure that Advanced Threat Protection (ATP) on a SQL Server is Set to 'Enabled' | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| 4 Database Services | 4.2.1 | Ensure that Advanced Threat Protection (ATP) on a SQL Server is Set to 'Enabled' | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| 4 Database Services | 4.2.2 | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Vulnerability assessment should be enabled on SQL Managed Instance | 1.0.1 |
| 4 Database Services | 4.2.2 | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Vulnerability assessment should be enabled on your SQL servers | 3.0.0 |
| 4 Database Services | 4.5 | Ensure that Azure Active Directory Admin is configured | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| 4 Database Services | 4.6 | Ensure SQL server's TDE protector is encrypted with Customer-managed key | SQL managed instances should use customer-managed keys to encrypt data at rest | 2.0.0 |
| 4 Database Services | 4.6 | Ensure SQL server's TDE protector is encrypted with Customer-managed key | SQL servers should use customer-managed keys to encrypt data at rest | 2.0.1 |
CIS Microsoft Azure Foundations Benchmark 2.0.0
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for CIS v2.0.0. For more information about this compliance standard, see CIS Microsoft Azure Foundations Benchmark.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| 4.1 | 4.1.1 | Ensure that 'Auditing' is set to 'On' | Auditing on SQL server should be enabled | 2.0.0 |
| 4.1 | 4.1.2 | Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Public network access on Azure SQL Database should be disabled | 1.1.0 |
| 4.1 | 4.1.3 | Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key | SQL managed instances should use customer-managed keys to encrypt data at rest | 2.0.0 |
| 4.1 | 4.1.3 | Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key | SQL servers should use customer-managed keys to encrypt data at rest | 2.0.1 |
| 4.1 | 4.1.4 | Ensure that Azure Active Directory Admin is Configured for SQL Servers | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| 4.1 | 4.1.5 | Ensure that 'Data encryption' is set to 'On' on a SQL Database | Transparent Data Encryption on SQL databases should be enabled | 2.0.0 |
| 4.1 | 4.1.6 | Ensure that 'Auditing' Retention is 'greater than 90 days' | SQL servers with auditing to storage account destination should be configured with 90 days retention or higher | 3.0.0 |
| 4.2 | 4.2.1 | Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| 4.2 | 4.2.1 | Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| 4.2 | 4.2.2 | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Vulnerability assessment should be enabled on SQL Managed Instance | 1.0.1 |
| 4.2 | 4.2.2 | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Vulnerability assessment should be enabled on your SQL servers | 3.0.0 |
| 4.2 | 4.2.3 | Ensure that Vulnerability Assessment (VA) setting 'Periodic recurring scans' is set to 'on' for each SQL server | Vulnerability assessment should be enabled on SQL Managed Instance | 1.0.1 |
| 4.2 | 4.2.4 | Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server | Vulnerability assessment should be enabled on your SQL servers | 3.0.0 |
| 4.2 | 4.2.5 | Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server | SQL databases should have vulnerability findings resolved | 4.1.0 |
| 4.2 | 4.2.5 | Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server | Vulnerability assessment should be enabled on your SQL servers | 3.0.0 |
CMMC Level 3
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - CMMC Level 3. For more information about this compliance standard, see Cybersecurity Maturity Model Certification (CMMC).
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | Public network access on Azure SQL Database should be disabled | 1.1.0 |
| Access Control | AC.1.002 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | Public network access on Azure SQL Database should be disabled | 1.1.0 |
| Access Control | AC.2.016 | Control the flow of CUI in accordance with approved authorizations. | Public network access on Azure SQL Database should be disabled | 1.1.0 |
| Audit and Accountability | AU.2.041 | Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. | Auditing on SQL server should be enabled | 2.0.0 |
| Audit and Accountability | AU.2.041 | Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Audit and Accountability | AU.2.041 | Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Audit and Accountability | AU.2.042 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | Auditing on SQL server should be enabled | 2.0.0 |
| Audit and Accountability | AU.2.042 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Audit and Accountability | AU.2.042 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Audit and Accountability | AU.3.046 | Alert in the event of an audit logging process failure. | Auditing on SQL server should be enabled | 2.0.0 |
| Audit and Accountability | AU.3.046 | Alert in the event of an audit logging process failure. | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Audit and Accountability | AU.3.046 | Alert in the event of an audit logging process failure. | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Security Assessment | CA.2.158 | Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. | Auditing on SQL server should be enabled | 2.0.0 |
| Security Assessment | CA.2.158 | Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. | Vulnerability assessment should be enabled on SQL Managed Instance | 1.0.1 |
| Security Assessment | CA.2.158 | Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. | Vulnerability assessment should be enabled on your SQL servers | 3.0.0 |
| Security Assessment | CA.3.161 | Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. | Auditing on SQL server should be enabled | 2.0.0 |
| Security Assessment | CA.3.161 | Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. | Vulnerability assessment should be enabled on SQL Managed Instance | 1.0.1 |
| Security Assessment | CA.3.161 | Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. | Vulnerability assessment should be enabled on your SQL servers | 3.0.0 |
| Configuration Management | CM.2.064 | Establish and enforce security configuration settings for information technology products employed in organizational systems. | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Configuration Management | CM.2.064 | Establish and enforce security configuration settings for information technology products employed in organizational systems. | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Configuration Management | CM.3.068 | Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. | Public network access on Azure SQL Database should be disabled | 1.1.0 |
| Recovery | RE.2.137 | Regularly perform and test data back-ups. | Long-term geo-redundant backup should be enabled for Azure SQL Databases | 2.0.0 |
| Recovery | RE.3.139 | Regularly perform complete, comprehensive and resilient data backups as organizationally-defined. | Long-term geo-redundant backup should be enabled for Azure SQL Databases | 2.0.0 |
| Risk Assessment | RM.2.141 | Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Risk Assessment | RM.2.141 | Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Risk Assessment | RM.2.141 | Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. | Vulnerability assessment should be enabled on SQL Managed Instance | 1.0.1 |
| Risk Assessment | RM.2.141 | Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. | Vulnerability assessment should be enabled on your SQL servers | 3.0.0 |
| Risk Assessment | RM.2.142 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Risk Assessment | RM.2.142 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Risk Assessment | RM.2.142 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | Vulnerability assessment should be enabled on SQL Managed Instance | 1.0.1 |
| Risk Assessment | RM.2.142 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | Vulnerability assessment should be enabled on your SQL servers | 3.0.0 |
| Risk Assessment | RM.2.143 | Remediate vulnerabilities in accordance with risk assessments. | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Risk Assessment | RM.2.143 | Remediate vulnerabilities in accordance with risk assessments. | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Risk Assessment | RM.2.143 | Remediate vulnerabilities in accordance with risk assessments. | SQL databases should have vulnerability findings resolved | 4.1.0 |
| Risk Assessment | RM.2.143 | Remediate vulnerabilities in accordance with risk assessments. | Vulnerability assessment should be enabled on SQL Managed Instance | 1.0.1 |
| Risk Assessment | RM.2.143 | Remediate vulnerabilities in accordance with risk assessments. | Vulnerability assessment should be enabled on your SQL servers | 3.0.0 |
| System and Communications Protection | SC.1.175 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Public network access on Azure SQL Database should be disabled | 1.1.0 |
| System and Communications Protection | SC.3.177 | Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. | SQL managed instances should use customer-managed keys to encrypt data at rest | 2.0.0 |
| System and Communications Protection | SC.3.177 | Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. | SQL servers should use customer-managed keys to encrypt data at rest | 2.0.1 |
| System and Communications Protection | SC.3.177 | Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. | Transparent Data Encryption on SQL databases should be enabled | 2.0.0 |
| System and Communications Protection | SC.3.181 | Separate user functionality from system management functionality. | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| System and Communications Protection | SC.3.183 | Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). | Public network access on Azure SQL Database should be disabled | 1.1.0 |
| System and Communications Protection | SC.3.191 | Protect the confidentiality of CUI at rest. | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| System and Communications Protection | SC.3.191 | Protect the confidentiality of CUI at rest. | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| System and Communications Protection | SC.3.191 | Protect the confidentiality of CUI at rest. | Transparent Data Encryption on SQL databases should be enabled | 2.0.0 |
| System and Information Integrity | SI.1.210 | Identify, report, and correct information and information system flaws in a timely manner. | SQL databases should have vulnerability findings resolved | 4.1.0 |
| System and Information Integrity | SI.2.216 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| System and Information Integrity | SI.2.216 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| System and Information Integrity | SI.2.217 | Identify unauthorized use of organizational systems. | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| System and Information Integrity | SI.2.217 | Identify unauthorized use of organizational systems. | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
FedRAMP High
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - FedRAMP High. For more information about this compliance standard, see FedRAMP High.
FedRAMP Moderate
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - FedRAMP Moderate. For more information about this compliance standard, see FedRAMP Moderate.
HIPAA HITRUST 9.2
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - HIPAA HITRUST 9.2. For more information about this compliance standard, see HIPAA HITRUST 9.2.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| 03 Portable Media Security | 0301.09o1Organizational.123-09.o | 0301.09o1Organizational.123-09.o 09.07 Media Handling | Transparent Data Encryption on SQL databases should be enabled | 2.0.0 |
| 03 Portable Media Security | 0304.09o3Organizational.1-09.o | 0304.09o3Organizational.1-09.o 09.07 Media Handling | SQL managed instances should use customer-managed keys to encrypt data at rest | 2.0.0 |
| 03 Portable Media Security | 0304.09o3Organizational.1-09.o | 0304.09o3Organizational.1-09.o 09.07 Media Handling | SQL servers should use customer-managed keys to encrypt data at rest | 2.0.1 |
| 07 Vulnerability Management | 0709.10m1Organizational.1-10.m | 0709.10m1Organizational.1-10.m 10.06 Technical Vulnerability Management | SQL databases should have vulnerability findings resolved | 4.1.0 |
| 07 Vulnerability Management | 0709.10m1Organizational.1-10.m | 0709.10m1Organizational.1-10.m 10.06 Technical Vulnerability Management | Vulnerability assessment should be enabled on SQL Managed Instance | 1.0.1 |
| 07 Vulnerability Management | 0709.10m1Organizational.1-10.m | 0709.10m1Organizational.1-10.m 10.06 Technical Vulnerability Management | Vulnerability assessment should be enabled on your SQL servers | 3.0.0 |
| 07 Vulnerability Management | 0710.10m2Organizational.1-10.m | 0710.10m2Organizational.1-10.m 10.06 Technical Vulnerability Management | Vulnerability assessment should be enabled on SQL Managed Instance | 1.0.1 |
| 07 Vulnerability Management | 0716.10m3Organizational.1-10.m | 0716.10m3Organizational.1-10.m 10.06 Technical Vulnerability Management | SQL databases should have vulnerability findings resolved | 4.1.0 |
| 07 Vulnerability Management | 0719.10m3Organizational.5-10.m | 0719.10m3Organizational.5-10.m 10.06 Technical Vulnerability Management | Vulnerability assessment should be enabled on SQL Managed Instance | 1.0.1 |
| 08 Network Protection | 0805.01m1Organizational.12-01.m | 0805.01m1Organizational.12-01.m 01.04 Network Access Control | SQL Server should use a virtual network service endpoint | 1.0.0 |
| 08 Network Protection | 0806.01m2Organizational.12356-01.m | 0806.01m2Organizational.12356-01.m 01.04 Network Access Control | SQL Server should use a virtual network service endpoint | 1.0.0 |
| 08 Network Protection | 0862.09m2Organizational.8-09.m | 0862.09m2Organizational.8-09.m 09.06 Network Security Management | SQL Server should use a virtual network service endpoint | 1.0.0 |
| 08 Network Protection | 0894.01m2Organizational.7-01.m | 0894.01m2Organizational.7-01.m 01.04 Network Access Control | SQL Server should use a virtual network service endpoint | 1.0.0 |
| 12 Audit Logging & Monitoring | 1211.09aa3System.4-09.aa | 1211.09aa3System.4-09.aa 09.10 Monitoring | Auditing on SQL server should be enabled | 2.0.0 |
| 16 Business Continuity & Disaster Recovery | 1616.09l1Organizational.16-09.l | 1616.09l1Organizational.16-09.l 09.05 Information Back-Up | Long-term geo-redundant backup should be enabled for Azure SQL Databases | 2.0.0 |
| 16 Business Continuity & Disaster Recovery | 1621.09l2Organizational.1-09.l | 1621.09l2Organizational.1-09.l 09.05 Information Back-Up | Long-term geo-redundant backup should be enabled for Azure SQL Databases | 2.0.0 |
IRS 1075 September 2016
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - IRS 1075 September 2016. For more information about this compliance standard, see IRS 1075 September 2016.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | 9.3.1.2 | Account Management (AC-2) | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| Risk Assessment | 9.3.14.3 | Vulnerability Scanning (RA-5) | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Risk Assessment | 9.3.14.3 | Vulnerability Scanning (RA-5) | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Risk Assessment | 9.3.14.3 | Vulnerability Scanning (RA-5) | SQL databases should have vulnerability findings resolved | 4.1.0 |
| System and Communications Protection | 9.3.16.15 | Protection of Information at Rest (SC-28) | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| System and Communications Protection | 9.3.16.15 | Protection of Information at Rest (SC-28) | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| System and Communications Protection | 9.3.16.15 | Protection of Information at Rest (SC-28) | Transparent Data Encryption on SQL databases should be enabled | 2.0.0 |
| System and Information Integrity | 9.3.17.2 | Flaw Remediation (SI-2) | SQL databases should have vulnerability findings resolved | 4.1.0 |
| System and Information Integrity | 9.3.17.4 | Information System Monitoring (SI-4) | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| System and Information Integrity | 9.3.17.4 | Information System Monitoring (SI-4) | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Awareness and Training | 9.3.3.11 | Audit Generation (AU-12) | Auditing on SQL server should be enabled | 2.0.0 |
| Awareness and Training | 9.3.3.11 | Audit Generation (AU-12) | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Awareness and Training | 9.3.3.11 | Audit Generation (AU-12) | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Awareness and Training | 9.3.3.5 | Response to Audit Processing Failures (AU-5) | Auditing on SQL server should be enabled | 2.0.0 |
| Awareness and Training | 9.3.3.5 | Response to Audit Processing Failures (AU-5) | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Awareness and Training | 9.3.3.5 | Response to Audit Processing Failures (AU-5) | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
ISO 27001:2013
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - ISO 27001:2013. For more information about this compliance standard, see ISO 27001:2013.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| Cryptography | 10.1.1 | Policy on the use of cryptographic controls | Transparent Data Encryption on SQL databases should be enabled | 2.0.0 |
| Operations Security | 12.4.1 | Event Logging | Auditing on SQL server should be enabled | 2.0.0 |
| Operations Security | 12.4.3 | Administrator and operator logs | Auditing on SQL server should be enabled | 2.0.0 |
| Operations Security | 12.4.4 | Clock Synchronization | Auditing on SQL server should be enabled | 2.0.0 |
| Operations Security | 12.6.1 | Management of technical vulnerabilities | SQL databases should have vulnerability findings resolved | 4.1.0 |
| Asset Management | 8.2.1 | Classification of information | SQL databases should have vulnerability findings resolved | 4.1.0 |
| Access Control | 9.2.3 | Management of privileged access rights | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
Microsoft Cloud for Sovereignty Baseline Confidential Policies
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for MCfS Sovereignty Baseline Confidential Policies. For more information about this compliance standard, see Microsoft Cloud for Sovereignty Policy portfolio.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| SO.3 - Customer-Managed Keys | SO.3 | Azure products must be configured to use Customer-Managed Keys when possible. | SQL managed instances should use customer-managed keys to encrypt data at rest | 2.0.0 |
| SO.3 - Customer-Managed Keys | SO.3 | Azure products must be configured to use Customer-Managed Keys when possible. | SQL servers should use customer-managed keys to encrypt data at rest | 2.0.1 |
Microsoft cloud security benchmark
The Microsoft cloud security benchmark provides recommendations on how you can secure your cloud solutions on Azure. To see how this service completely maps to the Microsoft cloud security benchmark, see the Azure Security Benchmark mapping files.
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Microsoft cloud security benchmark.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| Network Security | NS-2 | Secure cloud services with network controls | Azure SQL Managed Instances should disable public network access | 1.0.0 |
| Network Security | NS-2 | Secure cloud services with network controls | Private endpoint connections on Azure SQL Database should be enabled | 1.1.0 |
| Network Security | NS-2 | Secure cloud services with network controls | Public network access on Azure SQL Database should be disabled | 1.1.0 |
| Identity Management | IM-1 | Use centralized identity and authentication system | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| Identity Management | IM-1 | Use centralized identity and authentication system | Azure SQL Database should have Microsoft Entra-only authentication enabled | 1.0.0 |
| Identity Management | IM-1 | Use centralized identity and authentication system | Azure SQL Database should have Microsoft Entra-only authentication enabled during creation | 1.2.0 |
| Identity Management | IM-1 | Use centralized identity and authentication system | Azure SQL Managed Instance should have Microsoft Entra-only authentication enabled | 1.0.0 |
| Identity Management | IM-1 | Use centralized identity and authentication system | Azure SQL Managed Instances should have Microsoft Entra-only authentication enabled during creation | 1.2.0 |
| Identity Management | IM-4 | Authenticate server and services | Azure SQL Database should be running TLS version 1.2 or newer | 2.0.0 |
| Data Protection | DP-2 | Monitor anomalies and threats targeting sensitive data | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Data Protection | DP-3 | Encrypt sensitive data in transit | Azure SQL Database should be running TLS version 1.2 or newer | 2.0.0 |
| Data Protection | DP-4 | Enable data at rest encryption by default | Transparent Data Encryption on SQL databases should be enabled | 2.0.0 |
| Data Protection | DP-5 | Use customer-managed key option in data at rest encryption when required | SQL managed instances should use customer-managed keys to encrypt data at rest | 2.0.0 |
| Data Protection | DP-5 | Use customer-managed key option in data at rest encryption when required | SQL servers should use customer-managed keys to encrypt data at rest | 2.0.1 |
| Logging and Threat Detection | LT-1 | Enable threat detection capabilities | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Logging and Threat Detection | LT-1 | Enable threat detection capabilities | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Logging and Threat Detection | LT-2 | Enable threat detection for identity and access management | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Logging and Threat Detection | LT-2 | Enable threat detection for identity and access management | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Logging and Threat Detection | LT-3 | Enable logging for security investigation | Auditing on SQL server should be enabled | 2.0.0 |
| Logging and Threat Detection | LT-6 | Configure log storage retention | SQL servers with auditing to storage account destination should be configured with 90 days retention or higher | 3.0.0 |
| Incident Response | IR-3 | Detection and analysis - create incidents based on high-quality alerts | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Incident Response | IR-3 | Detection and analysis - create incidents based on high-quality alerts | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Posture and Vulnerability Management | PV-5 | Perform vulnerability assessments | Vulnerability assessment should be enabled on SQL Managed Instance | 1.0.1 |
| Posture and Vulnerability Management | PV-5 | Perform vulnerability assessments | Vulnerability assessment should be enabled on your SQL servers | 3.0.0 |
| Posture and Vulnerability Management | PV-6 | Rapidly and automatically remediate vulnerabilities | SQL databases should have vulnerability findings resolved | 4.1.0 |
| Incident Response | AIR-5 | Detection and analysis - prioritize incidents | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Incident Response | AIR-5 | Detection and analysis - prioritize incidents | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
NIST SP 800-171 R2
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - NIST SP 800-171 R2. For more information about this compliance standard, see NIST SP 800-171 R2.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | 3.1.1 | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| Access Control | 3.1.1 | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). | Private endpoint connections on Azure SQL Database should be enabled | 1.1.0 |
| Access Control | 3.1.12 | Monitor and control remote access sessions. | Private endpoint connections on Azure SQL Database should be enabled | 1.1.0 |
| Access Control | 3.1.13 | Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. | Private endpoint connections on Azure SQL Database should be enabled | 1.1.0 |
| Access Control | 3.1.14 | Route remote access via managed access control points. | Private endpoint connections on Azure SQL Database should be enabled | 1.1.0 |
| Access Control | 3.1.2 | Limit system access to the types of transactions and functions that authorized users are permitted to execute. | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| Access Control | 3.1.3 | Control the flow of CUI in accordance with approved authorizations. | Private endpoint connections on Azure SQL Database should be enabled | 1.1.0 |
| Access Control | 3.1.3 | Control the flow of CUI in accordance with approved authorizations. | Public network access on Azure SQL Database should be disabled | 1.1.0 |
| Risk Assessment | 3.11.2 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Risk Assessment | 3.11.2 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Risk Assessment | 3.11.2 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | SQL databases should have vulnerability findings resolved | 4.1.0 |
| Risk Assessment | 3.11.2 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | Vulnerability assessment should be enabled on SQL Managed Instance | 1.0.1 |
| Risk Assessment | 3.11.2 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | Vulnerability assessment should be enabled on your SQL servers | 3.0.0 |
| Risk Assessment | 3.11.3 | Remediate vulnerabilities in accordance with risk assessments. | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Risk Assessment | 3.11.3 | Remediate vulnerabilities in accordance with risk assessments. | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Risk Assessment | 3.11.3 | Remediate vulnerabilities in accordance with risk assessments. | SQL databases should have vulnerability findings resolved | 4.1.0 |
| Risk Assessment | 3.11.3 | Remediate vulnerabilities in accordance with risk assessments. | Vulnerability assessment should be enabled on SQL Managed Instance | 1.0.1 |
| Risk Assessment | 3.11.3 | Remediate vulnerabilities in accordance with risk assessments. | Vulnerability assessment should be enabled on your SQL servers | 3.0.0 |
| System and Communications Protection | 3.13.1 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Private endpoint connections on Azure SQL Database should be enabled | 1.1.0 |
| System and Communications Protection | 3.13.1 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Public network access on Azure SQL Database should be disabled | 1.1.0 |
| System and Communications Protection | 3.13.10 | Establish and manage cryptographic keys for cryptography employed in organizational systems. | SQL managed instances should use customer-managed keys to encrypt data at rest | 2.0.0 |
| System and Communications Protection | 3.13.10 | Establish and manage cryptographic keys for cryptography employed in organizational systems. | SQL servers should use customer-managed keys to encrypt data at rest | 2.0.1 |
| System and Communications Protection | 3.13.16 | Protect the confidentiality of CUI at rest. | Transparent Data Encryption on SQL databases should be enabled | 2.0.0 |
| System and Communications Protection | 3.13.2 | Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems. | Private endpoint connections on Azure SQL Database should be enabled | 1.1.0 |
| System and Communications Protection | 3.13.2 | Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems. | Public network access on Azure SQL Database should be disabled | 1.1.0 |
| System and Communications Protection | 3.13.5 | Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. | Private endpoint connections on Azure SQL Database should be enabled | 1.1.0 |
| System and Communications Protection | 3.13.5 | Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. | Public network access on Azure SQL Database should be disabled | 1.1.0 |
| System and Communications Protection | 3.13.6 | Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). | Public network access on Azure SQL Database should be disabled | 1.1.0 |
| System and Information Integrity | 3.14.1 | Identify, report, and correct system flaws in a timely manner. | SQL databases should have vulnerability findings resolved | 4.1.0 |
| System and Information Integrity | 3.14.6 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| System and Information Integrity | 3.14.6 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| System and Information Integrity | 3.14.7 | Identify unauthorized use of organizational systems. | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| System and Information Integrity | 3.14.7 | Identify unauthorized use of organizational systems. | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity | Auditing on SQL server should be enabled | 2.0.0 |
| Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity | SQL servers with auditing to storage account destination should be configured with 90 days retention or higher | 3.0.0 |
| Audit and Accountability | 3.3.2 | Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. | Auditing on SQL server should be enabled | 2.0.0 |
| Audit and Accountability | 3.3.2 | Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Audit and Accountability | 3.3.2 | Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Audit and Accountability | 3.3.2 | Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. | SQL servers with auditing to storage account destination should be configured with 90 days retention or higher | 3.0.0 |
| Audit and Accountability | 3.3.4 | Alert in the event of an audit logging process failure. | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Audit and Accountability | 3.3.4 | Alert in the event of an audit logging process failure. | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Audit and Accountability | 3.3.5 | Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity. | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Audit and Accountability | 3.3.5 | Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity. | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Identification and Authentication | 3.5.1 | Identify system users, processes acting on behalf of users, and devices. | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| Identification and Authentication | 3.5.2 | Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| Identification and Authentication | 3.5.5 | Prevent reuse of identifiers for a defined period. | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| Identification and Authentication | 3.5.6 | Disable identifiers after a defined period of inactivity. | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
NIST SP 800-53 Rev. 4
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - NIST SP 800-53 Rev. 4. For more information about this compliance standard, see NIST SP 800-53 Rev. 4.
NIST SP 800-53 Rev. 5
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - NIST SP 800-53 Rev. 5. For more information about this compliance standard, see NIST SP 800-53 Rev. 5.
NL BIO Cloud Theme
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for NL BIO Cloud Theme. For more information about this compliance standard, see Baseline Information Security Government Cybersecurity - Digital Government (digitaleoverheid.nl).
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| C.04.3 Technical vulnerability management - Timelines | C.04.3 | If the probability of abuse and the expected damage are both high, patches are installed no later than within a week. | SQL databases should have vulnerability findings resolved | 4.1.0 |
| C.04.6 Technical vulnerability management - Timelines | C.04.6 | Technical weaknesses can be remedied by performing patch management in a timely manner. | SQL databases should have vulnerability findings resolved | 4.1.0 |
| C.04.7 Technical vulnerability management - Evaluated | C.04.7 | Evaluations of technical vulnerabilities are recorded and reported. | SQL databases should have vulnerability findings resolved | 4.1.0 |
| C.04.8 Technical vulnerability management - Evaluated | C.04.8 | The evaluation reports contain suggestions for improvement and are communicated with managers/owners. | SQL databases should have vulnerability findings resolved | 4.1.0 |
| U.05.1 Data protection - Cryptographic measures | U.05.1 | Data transport is secured with cryptography where key management is carried out by the CSC itself if possible. | Azure SQL Database should be running TLS version 1.2 or newer | 2.0.0 |
| U.05.2 Data protection - Cryptographic measures | U.05.2 | Data stored in the cloud service shall be protected to the latest state of the art. | SQL managed instances should use customer-managed keys to encrypt data at rest | 2.0.0 |
| U.05.2 Data protection - Cryptographic measures | U.05.2 | Data stored in the cloud service shall be protected to the latest state of the art. | SQL servers should use customer-managed keys to encrypt data at rest | 2.0.1 |
| U.05.2 Data protection - Cryptographic measures | U.05.2 | Data stored in the cloud service shall be protected to the latest state of the art. | Transparent Data Encryption on SQL databases should be enabled | 2.0.0 |
| U.07.1 Data separation - Isolated | U.07.1 | Permanent isolation of data is a multi-tenant architecture. Patches are realized in a controlled manner. | Azure SQL Managed Instances should disable public network access | 1.0.0 |
| U.07.1 Data separation - Isolated | U.07.1 | Permanent isolation of data is a multi-tenant architecture. Patches are realized in a controlled manner. | Private endpoint connections on Azure SQL Database should be enabled | 1.1.0 |
| U.07.1 Data separation - Isolated | U.07.1 | Permanent isolation of data is a multi-tenant architecture. Patches are realized in a controlled manner. | Public network access on Azure SQL Database should be disabled | 1.1.0 |
| U.07.3 Data separation - Management features | U.07.3 | U.07.3 - The privileges to view or modify CSC data and/or encryption keys are granted in a controlled manner and use is logged. | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| U.07.3 Data separation - Management features | U.07.3 | U.07.3 - The privileges to view or modify CSC data and/or encryption keys are granted in a controlled manner and use is logged. | Transparent Data Encryption on SQL databases should be enabled | 2.0.0 |
| U.09.3 Malware Protection - Detection, prevention and recovery | U.09.3 | The malware protection runs on different environments. | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| U.09.3 Malware Protection - Detection, prevention and recovery | U.09.3 | The malware protection runs on different environments. | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| U.09.3 Malware Protection - Detection, prevention and recovery | U.09.3 | The malware protection runs on different environments. | Vulnerability assessment should be enabled on SQL Managed Instance | 1.0.1 |
| U.09.3 Malware Protection - Detection, prevention and recovery | U.09.3 | The malware protection runs on different environments. | Vulnerability assessment should be enabled on your SQL servers | 3.0.0 |
| U.10.2 Access to IT services and data - Users | U.10.2 | Under the responsibility of the CSP, access is granted to administrators. | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| U.10.3 Access to IT services and data - Users | U.10.3 | Only users with authenticated equipment can access IT services and data. | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| U.10.3 Access to IT services and data - Users | U.10.3 | Only users with authenticated equipment can access IT services and data. | SQL servers with auditing to storage account destination should be configured with 90 days retention or higher | 3.0.0 |
| U.10.5 Access to IT services and data - Competent | U.10.5 | Access to IT services and data is limited by technical measures and has been implemented. | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| U.11.1 Cryptoservices - Policy | U.11.1 | In the cryptography policy, at least the subjects in accordance with BIO have been elaborated. | Transparent Data Encryption on SQL databases should be enabled | 2.0.0 |
| U.11.2 Cryptoservices - Cryptographic measures | U.11.2 | In case of PKIoverheid certificates use PKIoverheid requirements for key management. In other situations use ISO11770. | Transparent Data Encryption on SQL databases should be enabled | 2.0.0 |
| U.11.3 Cryptoservices - Encrypted | U.11.3 | Sensitive data is always encrypted, with private keys managed by the CSC. | SQL managed instances should use customer-managed keys to encrypt data at rest | 2.0.0 |
| U.11.3 Cryptoservices - Encrypted | U.11.3 | Sensitive data is always encrypted, with private keys managed by the CSC. | SQL servers should use customer-managed keys to encrypt data at rest | 2.0.1 |
| U.11.3 Cryptoservices - Encrypted | U.11.3 | Sensitive data is always encrypted, with private keys managed by the CSC. | Transparent Data Encryption on SQL databases should be enabled | 2.0.0 |
| U.15.1 Logging and monitoring - Events logged | U.15.1 | The violation of the policy rules is recorded by the CSP and the CSC. | Auditing on SQL server should be enabled | 2.0.0 |
| U.15.1 Logging and monitoring - Events logged | U.15.1 | The violation of the policy rules is recorded by the CSP and the CSC. | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| U.15.1 Logging and monitoring - Events logged | U.15.1 | The violation of the policy rules is recorded by the CSP and the CSC. | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| U.15.3 Logging and monitoring - Events logged | U.15.3 | CSP maintains a list of all assets that are critical in terms of logging and monitoring and reviews this list. | Auditing on SQL server should be enabled | 2.0.0 |
PCI DSS 3.2.1
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see PCI DSS 3.2.1. For more information about this compliance standard, see PCI DSS 3.2.1.
PCI DSS v4.0
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for PCI DSS v4.0. For more information about this compliance standard, see PCI DSS v4.0.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.2.2 | Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events | Auditing on SQL server should be enabled | 2.0.0 |
| Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | 10.3.3 | Audit logs are protected from destruction and unauthorized modifications | Auditing on SQL server should be enabled | 2.0.0 |
| Requirement 11: Test Security of Systems and Networks Regularly | 11.3.1 | External and internal vulnerabilities are regularly identified, prioritized, and addressed | SQL databases should have vulnerability findings resolved | 4.1.0 |
| Requirement 03: Protect Stored Account Data | 3.3.3 | Sensitive authentication data (SAD) is not stored after authorization | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| Requirement 03: Protect Stored Account Data | 3.5.1 | Primary account number (PAN) is secured wherever it is stored | Transparent Data Encryption on SQL databases should be enabled | 2.0.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.2.1 | Malicious software (malware) is prevented, or detected and addressed | SQL databases should have vulnerability findings resolved | 4.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.2.2 | Malicious software (malware) is prevented, or detected and addressed | SQL databases should have vulnerability findings resolved | 4.1.0 |
| Requirement 05: Protect All Systems and Networks from Malicious Software | 5.2.3 | Malicious software (malware) is prevented, or detected and addressed | SQL databases should have vulnerability findings resolved | 4.1.0 |
| Requirement 06: Develop and Maintain Secure Systems and Software | 6.2.4 | Bespoke and custom software are developed securely | Transparent Data Encryption on SQL databases should be enabled | 2.0.0 |
| Requirement 06: Develop and Maintain Secure Systems and Software | 6.3.3 | Security vulnerabilities are identified and addressed | SQL databases should have vulnerability findings resolved | 4.1.0 |
| Requirement 06: Develop and Maintain Secure Systems and Software | 6.4.1 | Public-facing web applications are protected against attacks | SQL databases should have vulnerability findings resolved | 4.1.0 |
| Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know | 7.3.1 | Access to system components and data is managed via an access control system(s) | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| Requirement 08: Identify Users and Authenticate Access to System Components | 8.4.1 | Multi-factor authentication (MFA) is implemented to secure access into the CDE | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
Reserve Bank of India - IT Framework for NBFC
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Reserve Bank of India - IT Framework for NBFC. For more information about this compliance standard, see Reserve Bank of India - IT Framework for NBFC.
Reserve Bank of India IT Framework for Banks v2016
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - RBI ITF Banks v2016. For more information about this compliance standard, see RBI ITF Banks v2016 (PDF).
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| User Access Control / Management | User Access Control / Management-8.2 | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 | |
| Network Management And Security | Security Operation Centre-4.9 | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 | |
| Network Management And Security | Security Operation Centre-4.9 | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 | |
| Patch/Vulnerability & Change Management | Patch/Vulnerability & Change Management-7.7 | Private endpoint connections on Azure SQL Database should be enabled | 1.1.0 | |
| Patch/Vulnerability & Change Management | Patch/Vulnerability & Change Management-7.7 | Public network access on Azure SQL Database should be disabled | 1.1.0 | |
| Preventing Execution Of Unauthorised Software | Security Update Management-2.3 | SQL databases should have vulnerability findings resolved | 4.1.0 | |
| Metrics | Metrics-21.1 | SQL managed instances should use customer-managed keys to encrypt data at rest | 2.0.0 | |
| Metrics | Metrics-21.1 | SQL servers should use customer-managed keys to encrypt data at rest | 2.0.1 | |
| Advanced Real-Timethreat Defenceand Management | Advanced Real-Timethreat Defenceand Management-13.4 | Transparent Data Encryption on SQL databases should be enabled | 2.0.0 | |
| Patch/Vulnerability & Change Management | Patch/Vulnerability & Change Management-7.1 | Vulnerability assessment should be enabled on SQL Managed Instance | 1.0.1 | |
| Patch/Vulnerability & Change Management | Patch/Vulnerability & Change Management-7.1 | Vulnerability assessment should be enabled on your SQL servers | 3.0.0 |
RMIT Malaysia
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - RMIT Malaysia. For more information about this compliance standard, see RMIT Malaysia.
SWIFT CSP-CSCF v2021
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for SWIFT CSP-CSCF v2021. For more information about this compliance standard, see SWIFT CSP CSCF v2021.
| Domain | Control ID | Control title | Policy (Azure portal) |
Policy version (GitHub) |
|---|---|---|---|---|
| SWIFT Environment Protection | 1.1 | SWIFT Environment Protection | Private endpoint connections on Azure SQL Database should be enabled | 1.1.0 |
| SWIFT Environment Protection | 1.1 | SWIFT Environment Protection | SQL Server should use a virtual network service endpoint | 1.0.0 |
| SWIFT Environment Protection | 1.2 | Operating System Privileged Account Control | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| Reduce Attack Surface and Vulnerabilities | 2.1 | Internal Data Flow Security | Azure SQL Database should be running TLS version 1.2 or newer | 2.0.0 |
| Reduce Attack Surface and Vulnerabilities | 2.1 | Internal Data Flow Security | SQL Managed Instance should have the minimal TLS version of 1.2 | 1.0.1 |
| Reduce Attack Surface and Vulnerabilities | 2.5A | External Transmission Data Protection | Long-term geo-redundant backup should be enabled for Azure SQL Databases | 2.0.0 |
| Reduce Attack Surface and Vulnerabilities | 2.5A | External Transmission Data Protection | Transparent Data Encryption on SQL databases should be enabled | 2.0.0 |
| Reduce Attack Surface and Vulnerabilities | 2.6 | Operator Session Confidentiality and Integrity | Azure SQL Database should be running TLS version 1.2 or newer | 2.0.0 |
| Reduce Attack Surface and Vulnerabilities | 2.6 | Operator Session Confidentiality and Integrity | SQL Managed Instance should have the minimal TLS version of 1.2 | 1.0.1 |
| Reduce Attack Surface and Vulnerabilities | 2.7 | Vulnerability Scanning | SQL databases should have vulnerability findings resolved | 4.1.0 |
| Reduce Attack Surface and Vulnerabilities | 2.7 | Vulnerability Scanning | Vulnerability assessment should be enabled on SQL Managed Instance | 1.0.1 |
| Reduce Attack Surface and Vulnerabilities | 2.7 | Vulnerability Scanning | Vulnerability assessment should be enabled on your SQL servers | 3.0.0 |
| Detect Anomalous Activity to Systems or Transaction Records | 6.3 | Database Integrity | Auditing on SQL server should be enabled | 2.0.0 |
| Detect Anomalous Activity to Systems or Transaction Records | 6.3 | Database Integrity | Public network access on Azure SQL Database should be disabled | 1.1.0 |
| Detect Anomalous Activity to Systems or Transaction Records | 6.3 | Database Integrity | SQL servers with auditing to storage account destination should be configured with 90 days retention or higher | 3.0.0 |
| Detect Anomalous Activity to Systems or Transaction Records | 6.3 | Database Integrity | Transparent Data Encryption on SQL databases should be enabled | 2.0.0 |
| Detect Anomalous Activity to Systems or Transaction Records | 6.4 | Logging and Monitoring | Auditing on SQL server should be enabled | 2.0.0 |
UK OFFICIAL and UK NHS
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - UK OFFICIAL and UK NHS. For more information about this compliance standard, see UK OFFICIAL.
Next steps
- Learn more about Azure Policy Regulatory Compliance.
- See the built-ins on the Azure Policy GitHub repo.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for