Azure Policy built-in definitions for Azure SQL Database & SQL Managed Instance

Applies to: Azure SQL Database, Azure SQL Managed Instance, Azure Synapse Analytics

This page is an index of Azure Policy built-in policy definitions for Azure SQL Database and SQL Managed Instance. For additional Azure Policy built-ins for other services, see Azure Policy built-in definitions.

The name of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Version column to view the source on the Azure Policy GitHub repo.

Azure SQL Database & SQL Managed Instance

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Advanced data security should be enabled on SQL Managed Instance | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.1 |
| Advanced data security should be enabled on your SQL servers | Audit SQL servers without Advanced Data Security. | AuditIfNotExists, Disabled | 2.0.0 |
| An Azure Active Directory administrator should be provisioned for SQL servers | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services. | AuditIfNotExists, Disabled | 1.0.0 |
| Auditing on SQL server should be enabled | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure SQL Database should have the minimal TLS version of 1.2 | Setting the minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using TLS versions below 1.2 is not recommended, since they have well-documented security vulnerabilities. | Audit, Disabled | 1.0.0 |
| Deploy Advanced Data Security on SQL servers | This policy enables Advanced Data Security on SQL Servers, which includes turning on Threat Detection and Vulnerability Assessment. It automatically creates a storage account with an 'sqlva' prefix in the same region and resource group as the SQL server to store scan results. | DeployIfNotExists | 1.0.0 |
| Deploy Auditing on SQL servers | This policy ensures that Auditing is enabled on SQL Servers for enhanced security and compliance. It automatically creates a storage account in the same region as the SQL server to store audit records. | DeployIfNotExists | 1.0.0 |
| Deploy Diagnostic Settings for Azure SQL Database to Event Hub | Deploys diagnostic settings that stream to a regional Event Hub on any Azure SQL Database that is created or updated without them. | DeployIfNotExists | 1.1.0 |
| Deploy SQL DB transparent data encryption | Enables transparent data encryption on SQL databases. | DeployIfNotExists | 1.0.0 |
| Deploy Threat Detection on SQL servers | This policy ensures that Threat Detection is enabled on SQL Servers. | DeployIfNotExists | 1.0.0 |
| Long-term geo-redundant backup should be enabled for Azure SQL Databases | This policy audits any Azure SQL Database that does not have long-term geo-redundant backup enabled. | AuditIfNotExists, Disabled | 1.0.0 |
| Private endpoint connections on Azure SQL Database should be enabled | Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. | Audit | 1.0.0 |
| Public network access on Azure SQL Database should be disabled | Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP-based or virtual-network-based firewall rules. | Audit | 1.0.0 |
| Sensitive data in your SQL databases should be classified | Azure Security Center monitors the data discovery and classification scan results for your SQL databases and provides recommendations to classify the sensitive data in your databases for better monitoring and security. | AuditIfNotExists, Disabled | 2.0.0-preview |
| SQL Auditing settings should have Action-Groups configured to capture critical activities | The AuditActionsAndGroups property should contain at least SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP and BATCH_COMPLETED_GROUP to ensure thorough audit logging. | AuditIfNotExists, Disabled | 1.0.0 |
| SQL Database should avoid using GRS backup redundancy | Databases should avoid using GRS storage for backups if data residency rules require data to stay within a specific region. | Deny, Disabled | 1.0.0 |
| SQL Managed Instance should have the minimal TLS version of 1.2 | Setting the minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using TLS versions below 1.2 is not recommended, since they have well-documented security vulnerabilities. | Audit, Disabled | 1.0.0 |
| SQL Managed Instance TDE protector should be encrypted with your own key | Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE protector, increased security through an HSM-backed external service, and separation of duties. | AuditIfNotExists, Disabled | 1.0.1 |
| SQL Managed Instances should avoid using GRS backup redundancy | Managed Instances should avoid using GRS storage for backups if data residency rules require data to stay within a specific region. | Deny, Disabled | 1.0.0 |
| SQL Server should use a virtual network service endpoint | This policy audits any SQL Server not configured to use a virtual network service endpoint. | AuditIfNotExists, Disabled | 1.0.0 |
| SQL server TDE protector should be encrypted with your own key | Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE protector, increased security through an HSM-backed external service, and separation of duties. | AuditIfNotExists, Disabled | 1.0.0 |
| SQL servers should be configured with auditing retention days greater than 90 days | Audit SQL servers configured with an auditing retention period of less than 90 days. | AuditIfNotExists, Disabled | 1.0.0 |
| Transparent Data Encryption on SQL databases should be enabled | Transparent data encryption should be enabled to protect data at rest and meet compliance requirements. | AuditIfNotExists, Disabled | 1.0.0 |
| Virtual network firewall rule on Azure SQL Database should be enabled to allow traffic from the specified subnet | Virtual-network-based firewall rules are used to enable traffic from a specific subnet to Azure SQL Database while ensuring the traffic stays within the Azure boundary. | AuditIfNotExists | 1.0.0 |
| Vulnerabilities on your SQL databases should be remediated | Monitor Vulnerability Assessment scan results and recommendations for how to remediate database vulnerabilities. | AuditIfNotExists, Disabled | 1.0.0 |
| Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports | Ensure that an email address is provided for the 'Send scan reports to' field in the Vulnerability Assessment settings. This email address receives a scan result summary after a periodic scan runs on SQL servers. | AuditIfNotExists, Disabled | 1.0.0 |
| Vulnerability assessment should be enabled on SQL Managed Instance | Audit each SQL Managed Instance that does not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 1.0.1 |
| Vulnerability assessment should be enabled on your SQL servers | Audit Azure SQL servers that do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 2.0.0 |
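The Audit and AuditIfNotExists rows above are easier to reason about when their conditions are spelled out against the resource properties they inspect. The following is an added example, not code from this page or from the Azure Policy repository: a small evaluator that approximates five of the built-ins (minimal TLS, public network access, auditing enabled, audit retention, audit action groups) over constructed ARM-style JSON for a logical SQL server. Property names (`minimalTlsVersion`, `publicNetworkAccess`, `auditingSettings` with `state`, `retentionDays`, `auditActionsAndGroups`) follow the Microsoft.Sql/servers schema, but nesting the child resource under a `resources` list is this example's own convention, and the check logic is a reconstruction from the descriptions in the table, not the policy rule JSON.

```python
# Added example: approximates five of the built-in policy checks in the table
# over constructed resource JSON. Not from the page or the Azure Policy repo.
from typing import Any, Dict, Optional

# Action groups required by "SQL Auditing settings should have Action-Groups
# configured to capture critical activities", as listed in the table.
REQUIRED_AUDIT_GROUPS = frozenset({
    "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP",
    "FAILED_DATABASE_AUTHENTICATION_GROUP",
    "BATCH_COMPLETED_GROUP",
})


def _props(resource: Dict[str, Any]) -> Dict[str, Any]:
    return resource.get("properties", {})


def _auditing_settings(server: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return the auditingSettings child of the server, or None if absent.

    AuditIfNotExists evaluates a related resource: a missing child is
    non-compliant, and so is one that fails the existence condition. The
    'resources' nesting is an assumption of this example.
    """
    for child in server.get("resources", []):
        if child.get("type") == "Microsoft.Sql/servers/auditingSettings":
            return _props(child)
    return None


def check_min_tls(server: Dict[str, Any]) -> bool:
    """'... should have the minimal TLS version of 1.2' (Audit).

    minimalTlsVersion absent or 'None' means no minimum is enforced, so
    TLS 1.0/1.1 clients are accepted; treat that as non-compliant.
    """
    version = _props(server).get("minimalTlsVersion")
    if version in (None, "None"):
        return False
    try:
        return float(version) >= 1.2
    except ValueError:
        return False


def check_public_network_access_disabled(server: Dict[str, Any]) -> bool:
    """'Public network access on Azure SQL Database should be disabled' (Audit)."""
    return _props(server).get("publicNetworkAccess") == "Disabled"


def check_auditing_enabled(server: Dict[str, Any]) -> bool:
    """'Auditing on SQL server should be enabled' (AuditIfNotExists)."""
    auditing = _auditing_settings(server)
    return auditing is not None and auditing.get("state") == "Enabled"


def check_audit_retention(server: Dict[str, Any]) -> bool:
    """'... auditing retention days greater than 90 days' (AuditIfNotExists).

    retentionDays is documented as 0 = unlimited, so 0 passes; 1..89 is the
    short-retention case the policy flags. Disabled auditing cannot pass.
    """
    auditing = _auditing_settings(server)
    if auditing is None or auditing.get("state") != "Enabled":
        return False
    days = int(auditing.get("retentionDays", 0))
    return days == 0 or days >= 90


def check_audit_action_groups(server: Dict[str, Any]) -> bool:
    """'SQL Auditing settings should have Action-Groups configured ...'."""
    auditing = _auditing_settings(server)
    if auditing is None:
        return False
    return REQUIRED_AUDIT_GROUPS <= set(auditing.get("auditActionsAndGroups", []))


CHECKS = {
    "minimal TLS 1.2": check_min_tls,
    "public network access disabled": check_public_network_access_disabled,
    "auditing enabled": check_auditing_enabled,
    "audit retention >= 90 days": check_audit_retention,
    "audit action groups": check_audit_action_groups,
}


def evaluate(server: Dict[str, Any]) -> Dict[str, str]:
    """Map each check to the compliance state Azure Policy would report."""
    return {name: ("Compliant" if fn(server) else "NonCompliant")
            for name, fn in CHECKS.items()}


# Constructed sample servers, not real resources: one hardened as the policies
# ask, one with the weak settings that each Audit policy flags.
HARDENED_SERVER = {
    "type": "Microsoft.Sql/servers", "name": "sql-prod-01",
    "properties": {"minimalTlsVersion": "1.2", "publicNetworkAccess": "Disabled"},
    "resources": [{
        "type": "Microsoft.Sql/servers/auditingSettings", "name": "default",
        "properties": {"state": "Enabled", "retentionDays": 180,
                       "auditActionsAndGroups": sorted(REQUIRED_AUDIT_GROUPS)},
    }],
}

WEAK_SERVER = {
    "type": "Microsoft.Sql/servers", "name": "sql-dev-01",
    "properties": {"minimalTlsVersion": "1.0", "publicNetworkAccess": "Enabled"},
    "resources": [{
        "type": "Microsoft.Sql/servers/auditingSettings", "name": "default",
        # Auditing is on, but retention is short and only failed logins are
        # captured: successful logins and batches leave no trace.
        "properties": {"state": "Enabled", "retentionDays": 30,
                       "auditActionsAndGroups": ["FAILED_DATABASE_AUTHENTICATION_GROUP"]},
    }],
}

if __name__ == "__main__":
    for server in (HARDENED_SERVER, WEAK_SERVER):
        print(server["name"])
        for name, state in evaluate(server).items():
            print(f"  {name:32} {state}")
```

Running it prints every check as Compliant for `sql-prod-01` and, for `sql-dev-01`, NonCompliant for everything except "auditing enabled": a server can satisfy the basic auditing policy while the retention and action-group policies still flag it, which is why the table carries all three.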

Limitations

  • Azure Policy definitions that apply to the creation of an Azure SQL Database are not enforced when the database is created with T-SQL or SSMS. Treat Deny-effect definitions such as the GRS backup redundancy policies above as a control on the ARM path only; a database created this way still exists as a resource and is evaluated by the Audit and AuditIfNotExists definitions in the regular compliance scan.

Next steps