Azure Policy built-in definitions for Azure SQL Database & SQL Managed Instance

APPLIES TO: Azure SQL Database, Azure SQL Managed Instance, Azure Synapse Analytics (SQL DW)

This page is an index of Azure Policy built-in policy definitions for Azure SQL Database and SQL Managed Instance. For additional Azure Policy built-ins for other services, see Azure Policy built-in definitions.

The name of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Version column to view the source on the Azure Policy GitHub repo.

Azure SQL Database & SQL Managed Instance

| Name | Description | Effect(s) | Version | GitHub |
| --- | --- | --- | --- | --- |
| Advanced data security settings for SQL managed instance should contain an email address to receive security alerts | Ensure that an email address is provided for the 'Send alerts to' field in the Advanced Data Security server settings. This email address receives alert notifications when anomalous activities are detected on SQL managed instances. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Advanced data security settings for SQL server should contain an email address to receive security alerts | Ensure that an email address is provided for the 'Send alerts to' field in the Advanced Data Security server settings. This email address receives alert notifications when anomalous activities are detected on SQL servers. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Advanced data security should be enabled on your SQL managed instances | Audit SQL managed instances without Advanced Data Security. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Advanced data security should be enabled on your SQL servers | Audit SQL servers without Advanced Data Security. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Advanced Threat Protection types should be set to 'All' in SQL managed instance Advanced Data Security settings | It is recommended to enable all Advanced Threat Protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Advanced Threat Protection types should be set to 'All' in SQL server Advanced Data Security settings | It is recommended to enable all Advanced Threat Protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| An Azure Active Directory administrator should be provisioned for SQL servers | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Auditing on SQL server should be enabled | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Deploy Advanced Data Security on SQL servers | This policy enables Advanced Data Security on SQL Servers. This includes turning on Threat Detection and Vulnerability Assessment. It will automatically create a storage account in the same region and resource group as the SQL server to store scan results, with a 'sqlva' prefix. | DeployIfNotExists | 1.0.0 | Link |
| Deploy Auditing on SQL servers | This policy ensures that Auditing is enabled on SQL Servers for enhanced security and compliance. It will automatically create a storage account in the same region as the SQL server to store audit records. | DeployIfNotExists | 1.0.0 | Link |
| Deploy Diagnostic Settings for Azure SQL Database to Event Hub | Deploys the diagnostic settings for Azure SQL Database to stream to a regional Event Hub on any Azure SQL Database that is missing these diagnostic settings when it is created or updated. | DeployIfNotExists | 1.0.0 | Link |
| Deploy SQL DB transparent data encryption | Enables transparent data encryption on SQL databases. | DeployIfNotExists | 1.0.0 | Link |
| Deploy Threat Detection on SQL servers | This policy ensures that Threat Detection is enabled on SQL Servers. | DeployIfNotExists | 1.0.0 | Link |
| Email notifications to admins and subscription owners should be enabled in SQL managed instance advanced data security settings | Audit that 'email notification to admins and subscription owners' is enabled in the SQL managed instance advanced threat protection settings. This ensures that any detections of anomalous activities on SQL managed instances are reported as soon as possible to the admins. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Email notifications to admins and subscription owners should be enabled in SQL server advanced data security settings | Audit that 'email notification to admins and subscription owners' is enabled in the SQL server advanced threat protection settings. This ensures that any detections of anomalous activities on SQL servers are reported as soon as possible to the admins. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Long-term geo-redundant backup should be enabled for Azure SQL Databases | This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Sensitive data in your SQL databases should be classified | Azure Security Center monitors the data discovery and classification scan results for your SQL databases and provides recommendations to classify the sensitive data in your databases for better monitoring and security. | AuditIfNotExists, Disabled | 1.0.0-preview | Link |
| SQL Auditing settings should have Action-Groups configured to capture critical activities | The AuditActionsAndGroups property should contain at least SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP and BATCH_COMPLETED_GROUP to ensure thorough audit logging. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| SQL managed instance TDE protector should be encrypted with your own key | Transparent Data Encryption (TDE) with your own key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| SQL Server should use a virtual network service endpoint | This policy audits any SQL Server not configured to use a virtual network service endpoint. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| SQL server TDE protector should be encrypted with your own key | Transparent Data Encryption (TDE) with your own key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| SQL servers should be configured with auditing retention days greater than 90 days | Audit SQL servers configured with an auditing retention period of less than 90 days. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Transparent Data Encryption on SQL databases should be enabled | Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Vulnerabilities on your SQL databases should be remediated | Monitor Vulnerability Assessment scan results and recommendations for how to remediate database vulnerabilities. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports | Ensure that an email address is provided for the 'Send scan reports to' field in the Vulnerability Assessment settings. This email address receives a scan result summary after a periodic scan runs on SQL servers. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Vulnerability assessment should be enabled on your SQL managed instances | Audit SQL managed instances which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Vulnerability assessment should be enabled on your SQL servers | Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 1.0.0 | Link |

Next steps