Azure Policy Regulatory Compliance controls for Azure SQL Database & SQL Managed Instance

APPLIES TO: Azure SQL Database, Azure SQL Managed Instance

Regulatory Compliance in Azure Policy provides Microsoft created and managed initiative definitions, known as built-ins, for the compliance domains and security controls related to different compliance standards. This page lists the compliance domains and security controls for Azure SQL Database and SQL Managed Instance. You can assign the built-ins for a security control individually to help make your Azure resources compliant with the specific standard.

The title of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Policy Version column to view the source on the Azure Policy GitHub repo.

Important

Each control below is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, there often is not a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policies themselves; this doesn't ensure you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between controls and Azure Policy Regulatory Compliance definitions for these compliance standards may change over time.

Australian Government ISM PROTECTED

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Australian Government ISM PROTECTED. For more information about this compliance standard, see Australian Government ISM PROTECTED.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Guidelines for System Management - System patching | 940 | When to patch security vulnerabilities - 940 | SQL databases should have vulnerability findings resolved | 4.0.0 |
| Guidelines for System Management - System patching | 940 | When to patch security vulnerabilities - 940 | Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports | 2.0.0 |
| Guidelines for System Management - System patching | 940 | When to patch security vulnerabilities - 940 | Vulnerability assessment should be enabled on SQL Managed Instance | 1.0.1 |
| Guidelines for System Management - System patching | 940 | When to patch security vulnerabilities - 940 | Vulnerability assessment should be enabled on your SQL servers | 2.0.0 |
| Guidelines for System Management - System patching | 1144 | When to patch security vulnerabilities - 1144 | SQL databases should have vulnerability findings resolved | 4.0.0 |
| Guidelines for System Management - System patching | 1144 | When to patch security vulnerabilities - 1144 | Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports | 2.0.0 |
| Guidelines for System Management - System patching | 1144 | When to patch security vulnerabilities - 1144 | Vulnerability assessment should be enabled on SQL Managed Instance | 1.0.1 |
| Guidelines for System Management - System patching | 1144 | When to patch security vulnerabilities - 1144 | Vulnerability assessment should be enabled on your SQL servers | 2.0.0 |
| Guidelines for Database Systems - Database management system software | 1260 | Database administrator accounts - 1260 | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| Guidelines for Database Systems - Database management system software | 1261 | Database administrator accounts - 1261 | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| Guidelines for Database Systems - Database management system software | 1262 | Database administrator accounts - 1262 | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| Guidelines for Database Systems - Database management system software | 1263 | Database administrator accounts - 1263 | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| Guidelines for Database Systems - Database management system software | 1264 | Database administrator accounts - 1264 | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| Guidelines for Database Systems - Database servers | 1425 | Protecting database server contents - 1425 | Transparent Data Encryption on SQL databases should be enabled | 2.0.0 |
| Guidelines for System Management - System patching | 1472 | When to patch security vulnerabilities - 1472 | SQL databases should have vulnerability findings resolved | 4.0.0 |
| Guidelines for System Management - System patching | 1472 | When to patch security vulnerabilities - 1472 | Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports | 2.0.0 |
| Guidelines for System Management - System patching | 1472 | When to patch security vulnerabilities - 1472 | Vulnerability assessment should be enabled on SQL Managed Instance | 1.0.1 |
| Guidelines for System Management - System patching | 1472 | When to patch security vulnerabilities - 1472 | Vulnerability assessment should be enabled on your SQL servers | 2.0.0 |
| Guidelines for System Management - System patching | 1494 | When to patch security vulnerabilities - 1494 | SQL databases should have vulnerability findings resolved | 4.0.0 |
| Guidelines for System Management - System patching | 1494 | When to patch security vulnerabilities - 1494 | Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports | 2.0.0 |
| Guidelines for System Management - System patching | 1494 | When to patch security vulnerabilities - 1494 | Vulnerability assessment should be enabled on SQL Managed Instance | 1.0.1 |
| Guidelines for System Management - System patching | 1494 | When to patch security vulnerabilities - 1494 | Vulnerability assessment should be enabled on your SQL servers | 2.0.0 |
| Guidelines for System Management - System patching | 1495 | When to patch security vulnerabilities - 1495 | SQL databases should have vulnerability findings resolved | 4.0.0 |
| Guidelines for System Management - System patching | 1495 | When to patch security vulnerabilities - 1495 | Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports | 2.0.0 |
| Guidelines for System Management - System patching | 1495 | When to patch security vulnerabilities - 1495 | Vulnerability assessment should be enabled on SQL Managed Instance | 1.0.1 |
| Guidelines for System Management - System patching | 1495 | When to patch security vulnerabilities - 1495 | Vulnerability assessment should be enabled on your SQL servers | 2.0.0 |
| Guidelines for System Management - System patching | 1496 | When to patch security vulnerabilities - 1496 | SQL databases should have vulnerability findings resolved | 4.0.0 |
| Guidelines for System Management - System patching | 1496 | When to patch security vulnerabilities - 1496 | Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports | 2.0.0 |
| Guidelines for System Management - System patching | 1496 | When to patch security vulnerabilities - 1496 | Vulnerability assessment should be enabled on SQL Managed Instance | 1.0.1 |
| Guidelines for System Management - System patching | 1496 | When to patch security vulnerabilities - 1496 | Vulnerability assessment should be enabled on your SQL servers | 2.0.0 |
| Guidelines for System Monitoring - Event logging and auditing | 1537 | Events to be logged - 1537 | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Guidelines for System Monitoring - Event logging and auditing | 1537 | Events to be logged - 1537 | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |

Azure Security Benchmark

The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. To see how this service completely maps to the Azure Security Benchmark, see the Azure Security Benchmark mapping files.

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Azure Security Benchmark.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Network Security | NS-1 | Implement security for internal traffic | Public network access on Azure SQL Database should be disabled | 1.1.0 |
| Network Security | NS-2 | Connect private networks together | Private endpoint connections on Azure SQL Database should be enabled | 1.1.0 |
| Network Security | NS-3 | Establish private network access to Azure services | Private endpoint connections on Azure SQL Database should be enabled | 1.1.0 |
| Identity Management | IM-1 | Standardize Azure Active Directory as the central identity and authentication system | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| Data Protection | DP-1 | Discovery, classify and label sensitive data | Sensitive data in your SQL databases should be classified | 3.0.0-preview |
| Data Protection | DP-2 | Protect sensitive data | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Data Protection | DP-2 | Protect sensitive data | Transparent Data Encryption on SQL databases should be enabled | 2.0.0 |
| Data Protection | DP-3 | Monitor for unauthorized transfer of sensitive data | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Data Protection | DP-5 | Encrypt sensitive data at rest | SQL managed instances should use customer-managed keys to encrypt data at rest | 1.0.2 |
| Data Protection | DP-5 | Encrypt sensitive data at rest | SQL servers should use customer-managed keys to encrypt data at rest | 2.0.1 |
| Data Protection | DP-5 | Encrypt sensitive data at rest | Transparent Data Encryption on SQL databases should be enabled | 2.0.0 |
| Logging and Threat Detection | LT-1 | Enable threat detection for Azure resources | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Logging and Threat Detection | LT-2 | Enable threat detection for Azure identity and access management | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Logging and Threat Detection | LT-4 | Enable logging for Azure resources | Auditing on SQL server should be enabled | 2.0.0 |
| Logging and Threat Detection | LT-6 | Configure log storage retention | SQL servers with auditing to storage account destination should be configured with 90 days retention or higher | 3.0.0 |
| Incident Response | IR-3 | Detection and analysis - create incidents based on high quality alerts | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Incident Response | IR-5 | Detection and analysis - prioritize incidents | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Posture and Vulnerability Management | PV-6 | Perform software vulnerability assessments | SQL databases should have vulnerability findings resolved | 4.0.0 |
| Posture and Vulnerability Management | PV-6 | Perform software vulnerability assessments | Vulnerability assessment should be enabled on SQL Managed Instance | 1.0.1 |
| Posture and Vulnerability Management | PV-6 | Perform software vulnerability assessments | Vulnerability assessment should be enabled on your SQL servers | 2.0.0 |

Azure Security Benchmark v1

The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. To see how this service completely maps to the Azure Security Benchmark, see the Azure Security Benchmark mapping files.

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Azure Security Benchmark.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Network Security | 1.1 | Protect resources using Network Security Groups or Azure Firewall on your Virtual Network | SQL Server should use a virtual network service endpoint | 1.0.0 |
| Logging and Monitoring | 2.3 | Enable audit logging for Azure resources | Auditing on SQL server should be enabled | 2.0.0 |
| Logging and Monitoring | 2.3 | Enable audit logging for Azure resources | SQL Auditing settings should have Action-Groups configured to capture critical activities | 1.0.0 |
| Logging and Monitoring | 2.5 | Configure security log storage retention | SQL servers with auditing to storage account destination should be configured with 90 days retention or higher | 3.0.0 |
| Logging and Monitoring | 2.7 | Enable alerts for anomalous activity | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Logging and Monitoring | 2.7 | Enable alerts for anomalous activity | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Identity and Access Control | 3.9 | Use Azure Active Directory | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| Data Protection | 4.1 | Maintain an inventory of sensitive Information | Sensitive data in your SQL databases should be classified | 3.0.0-preview |
| Data Protection | 4.5 | Use an active discovery tool to identify sensitive data | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Data Protection | 4.5 | Use an active discovery tool to identify sensitive data | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Data Protection | 4.5 | Use an active discovery tool to identify sensitive data | Sensitive data in your SQL databases should be classified | 3.0.0-preview |
| Data Protection | 4.8 | Encrypt sensitive information at rest | SQL managed instances should use customer-managed keys to encrypt data at rest | 1.0.2 |
| Data Protection | 4.8 | Encrypt sensitive information at rest | SQL servers should use customer-managed keys to encrypt data at rest | 2.0.1 |
| Data Protection | 4.8 | Encrypt sensitive information at rest | Transparent Data Encryption on SQL databases should be enabled | 2.0.0 |
| Vulnerability Management | 5.1 | Run automated vulnerability scanning tools | Vulnerability assessment should be enabled on SQL Managed Instance | 1.0.1 |
| Vulnerability Management | 5.1 | Run automated vulnerability scanning tools | Vulnerability assessment should be enabled on your SQL servers | 2.0.0 |
| Vulnerability Management | 5.5 | Use a risk-rating process to prioritize the remediation of discovered vulnerabilities | SQL databases should have vulnerability findings resolved | 4.0.0 |
| Data Recovery | 9.1 | Ensure regular automated back ups | Long-term geo-redundant backup should be enabled for Azure SQL Databases | 2.0.0 |
| Data Recovery | 9.2 | Perform complete system backups and backup any customer managed keys | Long-term geo-redundant backup should be enabled for Azure SQL Databases | 2.0.0 |

Canada Federal PBMM

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Canada Federal PBMM. For more information about this compliance standard, see Canada Federal PBMM.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | AC-2(7) | Account Management \| Role-Based Schemes | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| Audit and Accountability | AU-5 | Response to Audit Processing Failures | Auditing on SQL server should be enabled | 2.0.0 |
| Audit and Accountability | AU-5 | Response to Audit Processing Failures | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Audit and Accountability | AU-5 | Response to Audit Processing Failures | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Audit and Accountability | AU-12 | Audit Generation | Auditing on SQL server should be enabled | 2.0.0 |
| Audit and Accountability | AU-12 | Audit Generation | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Audit and Accountability | AU-12 | Audit Generation | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Risk Assessment | RA-5 | Vulnerability Scanning | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Risk Assessment | RA-5 | Vulnerability Scanning | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Risk Assessment | RA-5 | Vulnerability Scanning | SQL databases should have vulnerability findings resolved | 4.0.0 |
| System and Communications Protection | SC-28 | Protection of Information at Rest | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| System and Communications Protection | SC-28 | Protection of Information at Rest | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| System and Communications Protection | SC-28 | Protection of Information at Rest | Transparent Data Encryption on SQL databases should be enabled | 2.0.0 |
| System and Information Integrity | SI-2 | Flaw Remediation | SQL databases should have vulnerability findings resolved | 4.0.0 |
| System and Information Integrity | SI-4 | Information System Monitoring | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| System and Information Integrity | SI-4 | Information System Monitoring | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |

CIS Microsoft Azure Foundations Benchmark 1.1.0

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - CIS Microsoft Azure Foundations Benchmark 1.1.0. For more information about this compliance standard, see CIS Microsoft Azure Foundations Benchmark.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Security Center | 2.14 | Ensure ASC Default policy setting "Monitor SQL Auditing" is not "Disabled" | Auditing on SQL server should be enabled | 2.0.0 |
| Security Center | 2.15 | Ensure ASC Default policy setting "Monitor SQL Encryption" is not "Disabled" | Transparent Data Encryption on SQL databases should be enabled | 2.0.0 |
| Database Services | 4.1 | Ensure that 'Auditing' is set to 'On' | Auditing on SQL server should be enabled | 2.0.0 |
| Database Services | 4.2 | Ensure that 'AuditActionGroups' in 'auditing' policy for a SQL server is set properly | SQL Auditing settings should have Action-Groups configured to capture critical activities | 1.0.0 |
| Database Services | 4.3 | Ensure that 'Auditing' Retention is 'greater than 90 days' | SQL servers with auditing to storage account destination should be configured with 90 days retention or higher | 3.0.0 |
| Database Services | 4.4 | Ensure that 'Advanced Data Security' on a SQL server is set to 'On' | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Database Services | 4.4 | Ensure that 'Advanced Data Security' on a SQL server is set to 'On' | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Database Services | 4.8 | Ensure that Azure Active Directory Admin is configured | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| Database Services | 4.9 | Ensure that 'Data encryption' is set to 'On' on a SQL Database | Transparent Data Encryption on SQL databases should be enabled | 2.0.0 |
| Database Services | 4.10 | Ensure SQL server's TDE protector is encrypted with BYOK (Use your own key) | SQL managed instances should use customer-managed keys to encrypt data at rest | 1.0.2 |
| Database Services | 4.10 | Ensure SQL server's TDE protector is encrypted with BYOK (Use your own key) | SQL servers should use customer-managed keys to encrypt data at rest | 2.0.1 |

CIS Microsoft Azure Foundations Benchmark 1.3.0

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - CIS Microsoft Azure Foundations Benchmark 1.3.0. For more information about this compliance standard, see CIS Microsoft Azure Foundations Benchmark.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Database Services | 4.1.1 | Ensure that 'Auditing' is set to 'On' | Auditing on SQL server should be enabled | 2.0.0 |
| Database Services | 4.1.2 | Ensure that 'Data encryption' is set to 'On' on a SQL Database | Transparent Data Encryption on SQL databases should be enabled | 2.0.0 |
| Database Services | 4.1.3 | Ensure that 'Auditing' Retention is 'greater than 90 days' | SQL servers with auditing to storage account destination should be configured with 90 days retention or higher | 3.0.0 |
| Database Services | 4.2.1 | Ensure that Advanced Threat Protection (ATP) on a SQL server is set to 'Enabled' | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Database Services | 4.2.1 | Ensure that Advanced Threat Protection (ATP) on a SQL server is set to 'Enabled' | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Database Services | 4.2.2 | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Vulnerability assessment should be enabled on SQL Managed Instance | 1.0.1 |
| Database Services | 4.2.2 | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Vulnerability assessment should be enabled on your SQL servers | 2.0.0 |
| Database Services | 4.2.4 | Ensure that VA setting Send scan reports to is configured for a SQL server | Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports | 2.0.0 |
| Database Services | 4.4 | Ensure that Azure Active Directory Admin is configured | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| Database Services | 4.5 | Ensure SQL server's TDE protector is encrypted with Customer-managed key | SQL managed instances should use customer-managed keys to encrypt data at rest | 1.0.2 |
| Database Services | 4.5 | Ensure SQL server's TDE protector is encrypted with Customer-managed key | SQL servers should use customer-managed keys to encrypt data at rest | 2.0.1 |

CMMC Level 3

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - CMMC Level 3. For more information about this compliance standard, see Cybersecurity Maturity Model Certification (CMMC).

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | Public network access on Azure SQL Database should be disabled | 1.1.0 |
| Access Control | AC.1.002 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | Public network access on Azure SQL Database should be disabled | 1.1.0 |
| Access Control | AC.2.016 | Control the flow of CUI in accordance with approved authorizations. | Public network access on Azure SQL Database should be disabled | 1.1.0 |
| Audit and Accountability | AU.2.041 | Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. | Auditing on SQL server should be enabled | 2.0.0 |
| Audit and Accountability | AU.2.041 | Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Audit and Accountability | AU.2.041 | Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Audit and Accountability | AU.2.042 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | Auditing on SQL server should be enabled | 2.0.0 |
| Audit and Accountability | AU.2.042 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Audit and Accountability | AU.2.042 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Audit and Accountability | AU.3.046 | Alert in the event of an audit logging process failure. | Auditing on SQL server should be enabled | 2.0.0 |
| Audit and Accountability | AU.3.046 | Alert in the event of an audit logging process failure. | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Audit and Accountability | AU.3.046 | Alert in the event of an audit logging process failure. | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Security Assessment | CA.2.158 | Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. | Auditing on SQL server should be enabled | 2.0.0 |
| Security Assessment | CA.2.158 | Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. | Vulnerability assessment should be enabled on SQL Managed Instance | 1.0.1 |
| Security Assessment | CA.2.158 | Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. | Vulnerability assessment should be enabled on your SQL servers | 2.0.0 |
| Security Assessment | CA.3.161 | Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. | Auditing on SQL server should be enabled | 2.0.0 |
| Security Assessment | CA.3.161 | Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. | Vulnerability assessment should be enabled on SQL Managed Instance | 1.0.1 |
| Security Assessment | CA.3.161 | Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. | Vulnerability assessment should be enabled on your SQL servers | 2.0.0 |
| Configuration Management | CM.2.064 | Establish and enforce security configuration settings for information technology products employed in organizational systems. | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Configuration Management | CM.2.064 | Establish and enforce security configuration settings for information technology products employed in organizational systems. | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Configuration Management | CM.3.068 | Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. | Public network access on Azure SQL Database should be disabled | 1.1.0 |
| Incident Response | IR.2.092 | Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities. | Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports | 2.0.0 |
| Recovery | RE.2.137 | Regularly perform and test data back-ups. | Long-term geo-redundant backup should be enabled for Azure SQL Databases | 2.0.0 |
| Recovery | RE.3.139 | Regularly perform complete, comprehensive and resilient data backups as organizationally-defined. | Long-term geo-redundant backup should be enabled for Azure SQL Databases | 2.0.0 |
| Risk Assessment | RM.2.141 | Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Risk Assessment | RM.2.141 | Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Risk Assessment | RM.2.141 | Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. | Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports | 2.0.0 |
| Risk Assessment | RM.2.141 | Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. | Vulnerability assessment should be enabled on SQL Managed Instance | 1.0.1 |
| Risk Assessment | RM.2.141 | Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. | Vulnerability assessment should be enabled on your SQL servers | 2.0.0 |
| Risk Assessment | RM.2.142 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Risk Assessment | RM.2.142 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Risk Assessment | RM.2.142 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports | 2.0.0 |
| Risk Assessment | RM.2.142 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | Vulnerability assessment should be enabled on SQL Managed Instance | 1.0.1 |
| Risk Assessment | RM.2.142 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | Vulnerability assessment should be enabled on your SQL servers | 2.0.0 |
| Risk Assessment | RM.2.143 | Remediate vulnerabilities in accordance with risk assessments. | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Risk Assessment | RM.2.143 | Remediate vulnerabilities in accordance with risk assessments. | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Risk Assessment | RM.2.143 | Remediate vulnerabilities in accordance with risk assessments. | SQL databases should have vulnerability findings resolved | 4.0.0 |
| Risk Assessment | RM.2.143 | Remediate vulnerabilities in accordance with risk assessments. | Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports | 2.0.0 |
| Risk Assessment | RM.2.143 | Remediate vulnerabilities in accordance with risk assessments. | Vulnerability assessment should be enabled on SQL Managed Instance | 1.0.1 |
| Risk Assessment | RM.2.143 | Remediate vulnerabilities in accordance with risk assessments. | Vulnerability assessment should be enabled on your SQL servers | 2.0.0 |
| Risk Management | RM.3.144 | Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources and risk measurement criteria. | Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports | 2.0.0 |
| System and Communications Protection | SC.1.175 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. | Public network access on Azure SQL Database should be disabled | 1.1.0 |
| System and Communications Protection | SC.3.177 | Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. | SQL managed instances should use customer-managed keys to encrypt data at rest | 1.0.2 |
| System and Communications Protection | SC.3.177 | Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. | SQL servers should use customer-managed keys to encrypt data at rest | 2.0.1 |
| System and Communications Protection | SC.3.177 | Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. | Transparent Data Encryption on SQL databases should be enabled | 2.0.0 |
| System and Communications Protection | SC.3.181 | Separate user functionality from system management functionality. | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| System and Communications Protection | SC.3.183 | Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). | Public network access on Azure SQL Database should be disabled | 1.1.0 |
| System and Communications Protection | SC.3.191 | Protect the confidentiality of CUI at rest. | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| System and Communications Protection | SC.3.191 | Protect the confidentiality of CUI at rest. | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| System and Communications Protection | SC.3.191 | Protect the confidentiality of CUI at rest. | Transparent Data Encryption on SQL databases should be enabled | 2.0.0 |
| System and Information Integrity | SI.1.210 | Identify, report, and correct information and information system flaws in a timely manner. | SQL databases should have vulnerability findings resolved | 4.0.0 |
System and Information Integrity SI.2.216 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
System and Information Integrity SI.2.216 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
System and Information Integrity SI.2.217 Identify unauthorized use of organizational systems. Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
System and Information Integrity SI.2.217 Identify unauthorized use of organizational systems. Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2

FedRAMP High

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - FedRAMP High. For more information about this compliance standard, see FedRAMP High.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | AC-2 | Account Management | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| Access Control | AC-2 (1) | Automated System Account Management | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| Access Control | AC-2 (7) | Role-based Schemes | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| Access Control | AC-2 (12) | Account Monitoring / Atypical Usage | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Access Control | AC-3 | Access Enforcement | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| Access Control | AC-4 | Information Flow Enforcement | Private endpoint connections on Azure SQL Database should be enabled | 1.1.0 |
| Access Control | AC-4 | Information Flow Enforcement | Public network access on Azure SQL Database should be disabled | 1.1.0 |
| Access Control | AC-17 | Remote Access | Private endpoint connections on Azure SQL Database should be enabled | 1.1.0 |
| Access Control | AC-17 (1) | Automated Monitoring / Control | Private endpoint connections on Azure SQL Database should be enabled | 1.1.0 |
| Audit and Accountability | AU-6 | Audit Review, Analysis, and Reporting | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Audit and Accountability | AU-6 | Audit Review, Analysis, and Reporting | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Audit and Accountability | AU-6 (4) | Central Review and Analysis | Auditing on SQL server should be enabled | 2.0.0 |
| Audit and Accountability | AU-6 (4) | Central Review and Analysis | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Audit and Accountability | AU-6 (4) | Central Review and Analysis | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Audit and Accountability | AU-6 (5) | Integration / Scanning and Monitoring Capabilities | Auditing on SQL server should be enabled | 2.0.0 |
| Audit and Accountability | AU-6 (5) | Integration / Scanning and Monitoring Capabilities | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Audit and Accountability | AU-6 (5) | Integration / Scanning and Monitoring Capabilities | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Audit and Accountability | AU-11 | Audit Record Retention | SQL servers with auditing to storage account destination should be configured with 90 days retention or higher | 3.0.0 |
| Audit and Accountability | AU-12 | Audit Generation | Auditing on SQL server should be enabled | 2.0.0 |
| Audit and Accountability | AU-12 | Audit Generation | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Audit and Accountability | AU-12 | Audit Generation | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Audit and Accountability | AU-12 (1) | System-wide / Time-correlated Audit Trail | Auditing on SQL server should be enabled | 2.0.0 |
| Audit and Accountability | AU-12 (1) | System-wide / Time-correlated Audit Trail | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Audit and Accountability | AU-12 (1) | System-wide / Time-correlated Audit Trail | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Contingency Planning | CP-6 | Alternate Storage Site | Long-term geo-redundant backup should be enabled for Azure SQL Databases | 2.0.0 |
| Contingency Planning | CP-6 (1) | Separation from Primary Site | Long-term geo-redundant backup should be enabled for Azure SQL Databases | 2.0.0 |
| Identification and Authentication | IA-2 | Identification and Authentication (Organizational Users) | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| Identification and Authentication | IA-4 | Identifier Management | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| Incident Response | IR-4 | Incident Handling | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Incident Response | IR-4 | Incident Handling | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Incident Response | IR-5 | Incident Monitoring | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Incident Response | IR-5 | Incident Monitoring | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Risk Assessment | RA-5 | Vulnerability Scanning | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Risk Assessment | RA-5 | Vulnerability Scanning | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Risk Assessment | RA-5 | Vulnerability Scanning | SQL databases should have vulnerability findings resolved | 4.0.0 |
| Risk Assessment | RA-5 | Vulnerability Scanning | Vulnerability assessment should be enabled on SQL Managed Instance | 1.0.1 |
| Risk Assessment | RA-5 | Vulnerability Scanning | Vulnerability assessment should be enabled on your SQL servers | 2.0.0 |
| System and Communications Protection | SC-7 | Boundary Protection | Private endpoint connections on Azure SQL Database should be enabled | 1.1.0 |
| System and Communications Protection | SC-7 | Boundary Protection | Public network access on Azure SQL Database should be disabled | 1.1.0 |
| System and Communications Protection | SC-7 (3) | Access Points | Private endpoint connections on Azure SQL Database should be enabled | 1.1.0 |
| System and Communications Protection | SC-7 (3) | Access Points | Public network access on Azure SQL Database should be disabled | 1.1.0 |
| System and Communications Protection | SC-12 | Cryptographic Key Establishment and Management | SQL managed instances should use customer-managed keys to encrypt data at rest | 1.0.2 |
| System and Communications Protection | SC-12 | Cryptographic Key Establishment and Management | SQL servers should use customer-managed keys to encrypt data at rest | 2.0.1 |
| System and Communications Protection | SC-28 | Protection of Information at Rest | Sensitive data in your SQL databases should be classified | 3.0.0-preview |
| System and Communications Protection | SC-28 | Protection of Information at Rest | Transparent Data Encryption on SQL databases should be enabled | 2.0.0 |
| System and Communications Protection | SC-28 (1) | Cryptographic Protection | Sensitive data in your SQL databases should be classified | 3.0.0-preview |
| System and Communications Protection | SC-28 (1) | Cryptographic Protection | Transparent Data Encryption on SQL databases should be enabled | 2.0.0 |
| System and Information Integrity | SI-2 | Flaw Remediation | SQL databases should have vulnerability findings resolved | 4.0.0 |
| System and Information Integrity | SI-4 | Information System Monitoring | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| System and Information Integrity | SI-4 | Information System Monitoring | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |

FedRAMP Moderate

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - FedRAMP Moderate. For more information about this compliance standard, see FedRAMP Moderate.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | AC-2 | Account Management | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| Access Control | AC-2 (1) | Automated System Account Management | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| Access Control | AC-2 (7) | Role-based Schemes | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| Access Control | AC-2 (12) | Account Monitoring / Atypical Usage | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Access Control | AC-3 | Access Enforcement | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| Access Control | AC-4 | Information Flow Enforcement | Private endpoint connections on Azure SQL Database should be enabled | 1.1.0 |
| Access Control | AC-4 | Information Flow Enforcement | Public network access on Azure SQL Database should be disabled | 1.1.0 |
| Access Control | AC-17 | Remote Access | Private endpoint connections on Azure SQL Database should be enabled | 1.1.0 |
| Access Control | AC-17 (1) | Automated Monitoring / Control | Private endpoint connections on Azure SQL Database should be enabled | 1.1.0 |
| Audit and Accountability | AU-6 | Audit Review, Analysis, and Reporting | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Audit and Accountability | AU-6 | Audit Review, Analysis, and Reporting | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Audit and Accountability | AU-11 | Audit Record Retention | SQL servers with auditing to storage account destination should be configured with 90 days retention or higher | 3.0.0 |
| Audit and Accountability | AU-12 | Audit Generation | Auditing on SQL server should be enabled | 2.0.0 |
| Audit and Accountability | AU-12 | Audit Generation | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Audit and Accountability | AU-12 | Audit Generation | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Contingency Planning | CP-6 | Alternate Storage Site | Long-term geo-redundant backup should be enabled for Azure SQL Databases | 2.0.0 |
| Contingency Planning | CP-6 (1) | Separation from Primary Site | Long-term geo-redundant backup should be enabled for Azure SQL Databases | 2.0.0 |
| Identification and Authentication | IA-2 | Identification and Authentication (Organizational Users) | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| Identification and Authentication | IA-4 | Identifier Management | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| Incident Response | IR-4 | Incident Handling | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Incident Response | IR-4 | Incident Handling | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Incident Response | IR-5 | Incident Monitoring | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Incident Response | IR-5 | Incident Monitoring | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Risk Assessment | RA-5 | Vulnerability Scanning | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Risk Assessment | RA-5 | Vulnerability Scanning | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Risk Assessment | RA-5 | Vulnerability Scanning | SQL databases should have vulnerability findings resolved | 4.0.0 |
| Risk Assessment | RA-5 | Vulnerability Scanning | Vulnerability assessment should be enabled on SQL Managed Instance | 1.0.1 |
| Risk Assessment | RA-5 | Vulnerability Scanning | Vulnerability assessment should be enabled on your SQL servers | 2.0.0 |
| System and Communications Protection | SC-7 | Boundary Protection | Private endpoint connections on Azure SQL Database should be enabled | 1.1.0 |
| System and Communications Protection | SC-7 | Boundary Protection | Public network access on Azure SQL Database should be disabled | 1.1.0 |
| System and Communications Protection | SC-7 (3) | Access Points | Private endpoint connections on Azure SQL Database should be enabled | 1.1.0 |
| System and Communications Protection | SC-7 (3) | Access Points | Public network access on Azure SQL Database should be disabled | 1.1.0 |
| System and Communications Protection | SC-12 | Cryptographic Key Establishment and Management | SQL managed instances should use customer-managed keys to encrypt data at rest | 1.0.2 |
| System and Communications Protection | SC-12 | Cryptographic Key Establishment and Management | SQL servers should use customer-managed keys to encrypt data at rest | 2.0.1 |
| System and Communications Protection | SC-28 | Protection of Information at Rest | Sensitive data in your SQL databases should be classified | 3.0.0-preview |
| System and Communications Protection | SC-28 | Protection of Information at Rest | Transparent Data Encryption on SQL databases should be enabled | 2.0.0 |
| System and Communications Protection | SC-28 (1) | Cryptographic Protection | Sensitive data in your SQL databases should be classified | 3.0.0-preview |
| System and Communications Protection | SC-28 (1) | Cryptographic Protection | Transparent Data Encryption on SQL databases should be enabled | 2.0.0 |
| System and Information Integrity | SI-2 | Flaw Remediation | SQL databases should have vulnerability findings resolved | 4.0.0 |
| System and Information Integrity | SI-4 | Information System Monitoring | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| System and Information Integrity | SI-4 | Information System Monitoring | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |

HIPAA HITRUST 9.2

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - HIPAA HITRUST 9.2. For more information about this compliance standard, see HIPAA HITRUST 9.2.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Segregation in Networks | 0805.01m1Organizational.12 - 01.m | The organization's security gateways (e.g. firewalls) enforce security policies and are configured to filter traffic between domains, block unauthorized access, and are used to maintain segregation between internal wired, internal wireless, and external network segments (e.g., the Internet) including DMZs and enforce access control policies for each of the domains. | SQL Server should use a virtual network service endpoint | 1.0.0 |
| Segregation in Networks | 0806.01m2Organizational.12356 - 01.m | The organization's network is logically and physically segmented with a defined security perimeter and a graduated set of controls, including subnetworks for publicly accessible system components that are logically separated from the internal network, based on organizational requirements; and traffic is controlled based on functionality required and classification of the data/systems based on a risk assessment and their respective security requirements. | SQL Server should use a virtual network service endpoint | 1.0.0 |
| Segregation in Networks | 0894.01m2Organizational.7 - 01.m | Networks are segregated from production-level networks when migrating physical servers, applications or data to virtualized servers. | SQL Server should use a virtual network service endpoint | 1.0.0 |
| Audit Logging | 1211.09aa3System.4 - 09.aa | The organization verifies every ninety (90) days for each extract of covered information recorded that the data is erased or its use is still required. | Auditing on SQL server should be enabled | 2.0.0 |
| Back-up | 1616.09l1Organizational.16 - 09.l | Backup copies of information and software are made and tests of the media and restoration procedures are regularly performed at appropriate intervals. | Long-term geo-redundant backup should be enabled for Azure SQL Databases | 2.0.0 |
| Back-up | 1621.09l2Organizational.1 - 09.l | Automated tools are used to track all backups. | Long-term geo-redundant backup should be enabled for Azure SQL Databases | 2.0.0 |
| Network Controls | 0862.09m2Organizational.8 - 09.m | The organization ensures information systems protect the confidentiality and integrity of transmitted information, including during preparation for transmission and during reception. | SQL Server should use a virtual network service endpoint | 1.0.0 |
| Management of Removable Media | 0301.09o1Organizational.123 - 09.o | The organization, based on the data classification level, registers media (including laptops) prior to use, places reasonable restrictions on how such media be used, and provides an appropriate level of physical and logical protection (including encryption) for media containing covered information until properly destroyed or sanitized. | Transparent Data Encryption on SQL databases should be enabled | 2.0.0 |
| Management of Removable Media | 0304.09o3Organizational.1 - 09.o | The organization restricts the use of writable removable media and personally-owned removable media in organizational systems. | SQL managed instances should use customer-managed keys to encrypt data at rest | 1.0.2 |
| Management of Removable Media | 0304.09o3Organizational.1 - 09.o | The organization restricts the use of writable removable media and personally-owned removable media in organizational systems. | SQL servers should use customer-managed keys to encrypt data at rest | 2.0.1 |
| Control of Technical Vulnerabilities | 0709.10m1Organizational.1 - 10.m | Technical vulnerabilities are identified, evaluated for risk and corrected in a timely manner. | SQL databases should have vulnerability findings resolved | 4.0.0 |
| Control of Technical Vulnerabilities | 0709.10m1Organizational.1 - 10.m | Technical vulnerabilities are identified, evaluated for risk and corrected in a timely manner. | Vulnerability assessment should be enabled on SQL Managed Instance | 1.0.1 |
| Control of Technical Vulnerabilities | 0709.10m1Organizational.1 - 10.m | Technical vulnerabilities are identified, evaluated for risk and corrected in a timely manner. | Vulnerability assessment should be enabled on your SQL servers | 2.0.0 |
| Control of Technical Vulnerabilities | 0710.10m2Organizational.1 - 10.m | A hardened configuration standard exists for all system and network components. | Vulnerability assessment should be enabled on SQL Managed Instance | 1.0.1 |
| Control of Technical Vulnerabilities | 0716.10m3Organizational.1 - 10.m | The organization conducts an enterprise security posture review as needed but no less than once within every three-hundred-sixty-five (365) days, in accordance with organizational IS procedures. | SQL databases should have vulnerability findings resolved | 4.0.0 |
| Control of Technical Vulnerabilities | 0719.10m3Organizational.5 - 10.m | The organization updates the list of information system vulnerabilities scanned within every thirty (30) days or when new vulnerabilities are identified and reported. | Vulnerability assessment should be enabled on SQL Managed Instance | 1.0.1 |

IRS 1075 September 2016

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - IRS 1075 September 2016. For more information about this compliance standard, see IRS 1075 September 2016.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | 9.3.1.2 | Account Management (AC-2) | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| Awareness and Training | 9.3.3.5 | Response to Audit Processing Failures (AU-5) | Auditing on SQL server should be enabled | 2.0.0 |
| Awareness and Training | 9.3.3.5 | Response to Audit Processing Failures (AU-5) | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Awareness and Training | 9.3.3.5 | Response to Audit Processing Failures (AU-5) | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Awareness and Training | 9.3.3.11 | Audit Generation (AU-12) | Auditing on SQL server should be enabled | 2.0.0 |
| Awareness and Training | 9.3.3.11 | Audit Generation (AU-12) | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Awareness and Training | 9.3.3.11 | Audit Generation (AU-12) | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Risk Assessment | 9.3.14.3 | Vulnerability Scanning (RA-5) | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Risk Assessment | 9.3.14.3 | Vulnerability Scanning (RA-5) | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Risk Assessment | 9.3.14.3 | Vulnerability Scanning (RA-5) | SQL databases should have vulnerability findings resolved | 4.0.0 |
| System and Communications Protection | 9.3.16.15 | Protection of Information at Rest (SC-28) | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| System and Communications Protection | 9.3.16.15 | Protection of Information at Rest (SC-28) | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| System and Communications Protection | 9.3.16.15 | Protection of Information at Rest (SC-28) | Transparent Data Encryption on SQL databases should be enabled | 2.0.0 |
| System and Information Integrity | 9.3.17.2 | Flaw Remediation (SI-2) | SQL databases should have vulnerability findings resolved | 4.0.0 |
| System and Information Integrity | 9.3.17.4 | Information System Monitoring (SI-4) | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| System and Information Integrity | 9.3.17.4 | Information System Monitoring (SI-4) | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |

ISO 27001:2013

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - ISO 27001:2013. For more information about this compliance standard, see ISO 27001:2013.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Asset management | 8.2.1 | Classification of information | SQL databases should have vulnerability findings resolved | 4.0.0 |
| Access control | 9.2.3 | Management of privileged access rights | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| Cryptography | 10.1.1 | Policy on the use of cryptographic controls | Transparent Data Encryption on SQL databases should be enabled | 2.0.0 |
| Operations security | 12.4.1 | Event Logging | Auditing on SQL server should be enabled | 2.0.0 |
| Operations security | 12.4.3 | Administrator and operator logs | Auditing on SQL server should be enabled | 2.0.0 |
| Operations security | 12.4.4 | Clock Synchronization | Auditing on SQL server should be enabled | 2.0.0 |
| Operations security | 12.6.1 | Management of technical vulnerabilities | SQL databases should have vulnerability findings resolved | 4.0.0 |

New Zealand ISM Restricted

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - New Zealand ISM Restricted. For more information about this compliance standard, see New Zealand ISM Restricted.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Information security monitoring | ISM-3 | 6.2.5 Conducting vulnerability assessments | Vulnerability assessment should be enabled on SQL Managed Instance | 1.0.1 |
| Information security monitoring | ISM-3 | 6.2.5 Conducting vulnerability assessments | Vulnerability assessment should be enabled on your SQL servers | 2.0.0 |
| Information security monitoring | ISM-4 | 6.2.6 Resolving vulnerabilities | SQL databases should have vulnerability findings resolved | 4.0.0 |
| Information security monitoring | ISM-4 | 6.2.6 Resolving vulnerabilities | Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports | 2.0.0 |
| Infrastructure | INF-9 | 10.8.35 Security Architecture | Private endpoint connections on Azure SQL Database should be enabled | 1.1.0 |
| Access Control and Passwords | AC-11 | 16.4.30 Privileged Access Management | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| Access Control and Passwords | AC-17 | 16.6.9 Events to be logged | Auditing on SQL server should be enabled | 2.0.0 |
| Cryptography | CR-3 | 17.1.46 Reducing storage and physical transfer requirements | SQL managed instances should use customer-managed keys to encrypt data at rest | 1.0.2 |
| Cryptography | CR-3 | 17.1.46 Reducing storage and physical transfer requirements | SQL servers should use customer-managed keys to encrypt data at rest | 2.0.1 |
| Cryptography | CR-3 | 17.1.46 Reducing storage and physical transfer requirements | Transparent Data Encryption on SQL databases should be enabled | 2.0.0 |
| Gateway security | GS-2 | 19.1.11 Using Gateways | Public network access on Azure SQL Database should be disabled | 1.1.0 |
| Data management | DM-6 | 20.4.4 Database files | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Data management | DM-6 | 20.4.4 Database files | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |

NIST SP 800-171 R2

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - NIST SP 800-171 R2. For more information about this compliance standard, see NIST SP 800-171 R2.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | Auditing on SQL server should be enabled | 2.0.0 |
| Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Audit and Accountability | 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Audit and Accountability | 3.3.2 | Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. | Auditing on SQL server should be enabled | 2.0.0 |
| Audit and Accountability | 3.3.2 | Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Audit and Accountability | 3.3.2 | Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Audit and Accountability | 3.3.4 | Alert in the event of an audit logging process failure. | Auditing on SQL server should be enabled | 2.0.0 |
| Audit and Accountability | 3.3.4 | Alert in the event of an audit logging process failure. | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Audit and Accountability | 3.3.4 | Alert in the event of an audit logging process failure. | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Risk Assessment | 3.11.2 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Risk Assessment | 3.11.2 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Risk Assessment | 3.11.2 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | SQL databases should have vulnerability findings resolved | 4.0.0 |
| System and Communications Protection | 3.13.16 | Protect the confidentiality of CUI at rest. | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| System and Communications Protection | 3.13.16 | Protect the confidentiality of CUI at rest. | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| System and Communications Protection | 3.13.16 | Protect the confidentiality of CUI at rest. | Transparent Data Encryption on SQL databases should be enabled | 2.0.0 |
| System and Information Integrity | 3.14.1 | Identify, report, and correct system flaws in a timely manner. | SQL databases should have vulnerability findings resolved | 4.0.0 |
| System and Information Integrity | 3.14.6 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| System and Information Integrity | 3.14.6 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |

NIST SP 800-53 Rev. 4

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - NIST SP 800-53 Rev. 4. For more information about this compliance standard, see NIST SP 800-53 Rev. 4.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | AC-2 | Account Management | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| Access Control | AC-2 (1) | Automated System Account Management | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| Access Control | AC-2 (7) | Role-based Schemes | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| Access Control | AC-2 (12) | Account Monitoring / Atypical Usage | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Access Control | AC-3 | Access Enforcement | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| Access Control | AC-4 | Information Flow Enforcement | Private endpoint connections on Azure SQL Database should be enabled | 1.1.0 |
| Access Control | AC-4 | Information Flow Enforcement | Public network access on Azure SQL Database should be disabled | 1.1.0 |
| Access Control | AC-16 | Security Attributes | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Access Control | AC-16 | Security Attributes | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Access Control | AC-17 | Remote Access | Private endpoint connections on Azure SQL Database should be enabled | 1.1.0 |
| Access Control | AC-17 (1) | Automated Monitoring / Control | Private endpoint connections on Azure SQL Database should be enabled | 1.1.0 |
| Audit and Accountability | AU-6 | Audit Review, Analysis, and Reporting | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Audit and Accountability | AU-6 | Audit Review, Analysis, and Reporting | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Audit and Accountability | AU-6 (4) | Central Review and Analysis | Auditing on SQL server should be enabled | 2.0.0 |
| Audit and Accountability | AU-6 (4) | Central Review and Analysis | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Audit and Accountability | AU-6 (4) | Central Review and Analysis | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Audit and Accountability | AU-6 (5) | Integration / Scanning and Monitoring Capabilities | Auditing on SQL server should be enabled | 2.0.0 |
| Audit and Accountability | AU-6 (5) | Integration / Scanning and Monitoring Capabilities | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Audit and Accountability | AU-6 (5) | Integration / Scanning and Monitoring Capabilities | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Audit and Accountability | AU-11 | Audit Record Retention | SQL servers with auditing to storage account destination should be configured with 90 days retention or higher | 3.0.0 |
| Audit and Accountability | AU-12 | Audit Generation | Auditing on SQL server should be enabled | 2.0.0 |
| Audit and Accountability | AU-12 | Audit Generation | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Audit and Accountability | AU-12 | Audit Generation | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Audit and Accountability | AU-12 (1) | System-wide / Time-correlated Audit Trail | Auditing on SQL server should be enabled | 2.0.0 |
| Audit and Accountability | AU-12 (1) | System-wide / Time-correlated Audit Trail | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Audit and Accountability | AU-12 (1) | System-wide / Time-correlated Audit Trail | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Contingency Planning | CP-6 | Alternate Storage Site | Long-term geo-redundant backup should be enabled for Azure SQL Databases | 2.0.0 |
| Contingency Planning | CP-6 (1) | Separation from Primary Site | Long-term geo-redundant backup should be enabled for Azure SQL Databases | 2.0.0 |
| Identification and Authentication | IA-2 | Identification and Authentication (organizational Users) | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| Identification and Authentication | IA-4 | Identifier Management | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| Incident Response | IR-4 | Incident Handling | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Incident Response | IR-4 | Incident Handling | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Incident Response | IR-5 | Incident Monitoring | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Incident Response | IR-5 | Incident Monitoring | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Risk Assessment | RA-5 | Vulnerability Scanning | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Risk Assessment | RA-5 | Vulnerability Scanning | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Risk Assessment | RA-5 | Vulnerability Scanning | SQL databases should have vulnerability findings resolved | 4.0.0 |
| Risk Assessment | RA-5 | Vulnerability Scanning | Vulnerability assessment should be enabled on SQL Managed Instance | 1.0.1 |
| Risk Assessment | RA-5 | Vulnerability Scanning | Vulnerability assessment should be enabled on your SQL servers | 2.0.0 |
| System and Communications Protection | SC-7 | Boundary Protection | Private endpoint connections on Azure SQL Database should be enabled | 1.1.0 |
| System and Communications Protection | SC-7 | Boundary Protection | Public network access on Azure SQL Database should be disabled | 1.1.0 |
| System and Communications Protection | SC-7 (3) | Access Points | Private endpoint connections on Azure SQL Database should be enabled | 1.1.0 |
| System and Communications Protection | SC-7 (3) | Access Points | Public network access on Azure SQL Database should be disabled | 1.1.0 |
| System and Communications Protection | SC-12 | Cryptographic Key Establishment and Management | SQL managed instances should use customer-managed keys to encrypt data at rest | 1.0.2 |
| System and Communications Protection | SC-12 | Cryptographic Key Establishment and Management | SQL servers should use customer-managed keys to encrypt data at rest | 2.0.1 |
| System and Communications Protection | SC-28 | Protection of Information at Rest | Sensitive data in your SQL databases should be classified | 3.0.0-preview |
| System and Communications Protection | SC-28 | Protection of Information at Rest | Transparent Data Encryption on SQL databases should be enabled | 2.0.0 |
| System and Communications Protection | SC-28 (1) | Cryptographic Protection | Sensitive data in your SQL databases should be classified | 3.0.0-preview |
| System and Communications Protection | SC-28 (1) | Cryptographic Protection | Transparent Data Encryption on SQL databases should be enabled | 2.0.0 |
| System and Information Integrity | SI-2 | Flaw Remediation | SQL databases should have vulnerability findings resolved | 4.0.0 |
| System and Information Integrity | SI-4 | Information System Monitoring | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| System and Information Integrity | SI-4 | Information System Monitoring | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |

NIST SP 800-53 Rev. 5

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - NIST SP 800-53 Rev. 5. For more information about this compliance standard, see NIST SP 800-53 Rev. 5.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | AC-2 | Account Management | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| Access Control | AC-2 (1) | Automated System Account Management | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| Access Control | AC-2 (7) | Privileged User Accounts | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| Access Control | AC-2 (12) | Account Monitoring for Atypical Usage | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Access Control | AC-3 | Access Enforcement | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| Access Control | AC-4 | Information Flow Enforcement | Private endpoint connections on Azure SQL Database should be enabled | 1.1.0 |
| Access Control | AC-4 | Information Flow Enforcement | Public network access on Azure SQL Database should be disabled | 1.1.0 |
| Access Control | AC-16 | Security and Privacy Attributes | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Access Control | AC-16 | Security and Privacy Attributes | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Access Control | AC-17 | Remote Access | Private endpoint connections on Azure SQL Database should be enabled | 1.1.0 |
| Access Control | AC-17 (1) | Monitoring and Control | Private endpoint connections on Azure SQL Database should be enabled | 1.1.0 |
| Audit and Accountability | AU-6 | Audit Record Review, Analysis, and Reporting | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Audit and Accountability | AU-6 | Audit Record Review, Analysis, and Reporting | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Audit and Accountability | AU-6 (4) | Central Review and Analysis | Auditing on SQL server should be enabled | 2.0.0 |
| Audit and Accountability | AU-6 (4) | Central Review and Analysis | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Audit and Accountability | AU-6 (4) | Central Review and Analysis | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Audit and Accountability | AU-6 (5) | Integrated Analysis of Audit Records | Auditing on SQL server should be enabled | 2.0.0 |
| Audit and Accountability | AU-6 (5) | Integrated Analysis of Audit Records | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Audit and Accountability | AU-6 (5) | Integrated Analysis of Audit Records | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Audit and Accountability | AU-11 | Audit Record Retention | SQL servers with auditing to storage account destination should be configured with 90 days retention or higher | 3.0.0 |
| Audit and Accountability | AU-12 | Audit Record Generation | Auditing on SQL server should be enabled | 2.0.0 |
| Audit and Accountability | AU-12 | Audit Record Generation | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Audit and Accountability | AU-12 | Audit Record Generation | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Audit and Accountability | AU-12 (1) | System-wide and Time-correlated Audit Trail | Auditing on SQL server should be enabled | 2.0.0 |
| Audit and Accountability | AU-12 (1) | System-wide and Time-correlated Audit Trail | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Audit and Accountability | AU-12 (1) | System-wide and Time-correlated Audit Trail | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Contingency Planning | CP-6 | Alternate Storage Site | Long-term geo-redundant backup should be enabled for Azure SQL Databases | 2.0.0 |
| Contingency Planning | CP-6 (1) | Separation from Primary Site | Long-term geo-redundant backup should be enabled for Azure SQL Databases | 2.0.0 |
| Identification and Authentication | IA-2 | Identification and Authentication (organizational Users) | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| Identification and Authentication | IA-4 | Identifier Management | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| Incident Response | IR-4 | Incident Handling | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Incident Response | IR-4 | Incident Handling | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Incident Response | IR-5 | Incident Monitoring | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Incident Response | IR-5 | Incident Monitoring | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Risk Assessment | RA-5 | Vulnerability Monitoring and Scanning | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Risk Assessment | RA-5 | Vulnerability Monitoring and Scanning | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Risk Assessment | RA-5 | Vulnerability Monitoring and Scanning | SQL databases should have vulnerability findings resolved | 4.0.0 |
| Risk Assessment | RA-5 | Vulnerability Monitoring and Scanning | Vulnerability assessment should be enabled on SQL Managed Instance | 1.0.1 |
| Risk Assessment | RA-5 | Vulnerability Monitoring and Scanning | Vulnerability assessment should be enabled on your SQL servers | 2.0.0 |
| System and Communications Protection | SC-7 | Boundary Protection | Private endpoint connections on Azure SQL Database should be enabled | 1.1.0 |
| System and Communications Protection | SC-7 | Boundary Protection | Public network access on Azure SQL Database should be disabled | 1.1.0 |
| System and Communications Protection | SC-7 (3) | Access Points | Private endpoint connections on Azure SQL Database should be enabled | 1.1.0 |
| System and Communications Protection | SC-7 (3) | Access Points | Public network access on Azure SQL Database should be disabled | 1.1.0 |
| System and Communications Protection | SC-12 | Cryptographic Key Establishment and Management | SQL managed instances should use customer-managed keys to encrypt data at rest | 1.0.2 |
| System and Communications Protection | SC-12 | Cryptographic Key Establishment and Management | SQL servers should use customer-managed keys to encrypt data at rest | 2.0.1 |
| System and Communications Protection | SC-28 | Protection of Information at Rest | Sensitive data in your SQL databases should be classified | 3.0.0-preview |
| System and Communications Protection | SC-28 | Protection of Information at Rest | Transparent Data Encryption on SQL databases should be enabled | 2.0.0 |
| System and Communications Protection | SC-28 (1) | Cryptographic Protection | Sensitive data in your SQL databases should be classified | 3.0.0-preview |
| System and Communications Protection | SC-28 (1) | Cryptographic Protection | Transparent Data Encryption on SQL databases should be enabled | 2.0.0 |
| System and Information Integrity | SI-2 | Flaw Remediation | SQL databases should have vulnerability findings resolved | 4.0.0 |
| System and Information Integrity | SI-4 | System Monitoring | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| System and Information Integrity | SI-4 | System Monitoring | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |

UK OFFICIAL and UK NHS

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - UK OFFICIAL and UK NHS. For more information about this compliance standard, see UK OFFICIAL.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Asset protection and resilience | 2.3 | Data at rest protection | Transparent Data Encryption on SQL databases should be enabled | 2.0.0 |
| Operational security | 5.2 | Vulnerability management | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |
| Operational security | 5.2 | Vulnerability management | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | 1.0.2 |
| Operational security | 5.2 | Vulnerability management | SQL databases should have vulnerability findings resolved | 4.0.0 |
| Operational security | 5.2 | Vulnerability management | Vulnerability assessment should be enabled on SQL Managed Instance | 1.0.1 |
| Operational security | 5.2 | Vulnerability management | Vulnerability assessment should be enabled on your SQL servers | 2.0.0 |
| Identity and authentication | 10 | Identity and authentication | An Azure Active Directory administrator should be provisioned for SQL servers | 1.0.0 |
| Audit information for users | 13 | Audit information for users | Auditing on SQL server should be enabled | 2.0.0 |
| Audit information for users | 13 | Audit information for users | Azure Defender for SQL should be enabled for unprotected Azure SQL servers | 2.0.1 |

Next steps