Control types for @turbot/azure-sql

Azure > SQL > Database > Active

Take an action when an Azure SQL database is not active based on the
Azure > SQL > Database > Active > * policies.

The Active control determines whether the resource is in active use, and if not, has
the ability to delete / clean up the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time-consuming to clear. The Active control brings automated, well-defined
control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > SQL > Database > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

Note: This contrasts with Approved, where a resource that appears to be Unapproved
for any reason is considered Unapproved.

See Active for more information.

URI
tmod:@turbot/azure-sql#/control/types/databaseActive

Azure > SQL > Database > Advanced Data Security

Define the advanced data security settings required for Azure > SQL > Database.

Advanced data security for SQL Database includes functionality for surfacing and mitigating potential database
vulnerabilities and detecting anomalous activities that could indicate a threat to your database. The Advanced
data security package provides administrators with a single go-to location for discovering and classifying data,
assessing and addressing potential database vulnerabilities, and visibility into anomalous and potentially malicious
activity that is taking place.

Advanced data security can be defined for a specific database or as a default server policy. A server policy
applies to all existing and newly created databases on the server. Azure recommends enabling only server-level
data security and leaving the database-level data security disabled for all databases.

The Advanced data security control compares the vulnerability assessment and threat protection settings against
the advanced data security policies for the resource (Azure > SQL > Database > Advanced Data Security > *),
raises an alarm, and takes the defined enforcement action.

URI
tmod:@turbot/azure-sql#/control/types/databaseDataSecurity

Azure > SQL > Database > Approved

Take an action when an Azure SQL database is not approved based on Azure > SQL > Database > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/azure-sql#/control/types/databaseApproved

Azure > SQL > Database > Auditing

Define the Auditing settings required for Azure > SQL > Database.

Auditing for Azure SQL Database tracks database events and writes them to an audit log
in your Azure Storage account, Log Analytics workspace or Event Hubs. This control
determines whether the resource auditing is set to your desired Azure Storage account with desired
retention days.

An auditing policy can be defined for a specific database or as a default server policy. A server policy
applies to all existing and newly created databases on the server. Azure recommends enabling only server-level
blob auditing and leaving the database-level auditing disabled for all databases.

The Auditing control compares the auditing settings against the auditing policies for the resource
(Azure > SQL > Database > Auditing > *), raises an alarm, and takes the defined enforcement action.

URI
tmod:@turbot/azure-sql#/control/types/databaseAuditing

Azure > SQL > Database > CMDB

Record and synchronize details for the Azure SQL database into the CMDB.

The CMDB control is
responsible for populating and updating all the attributes for that
resource type in the Guardrails CMDB.

Note: If CMDB is set to Skip for a resource, then it will not be added
to the CMDB, and no controls that target it will run.

CMDB controls also use the Regions policy associated with the resource. If
the region is not in the Azure > SQL > Database > Regions policy, the CMDB control will delete the
resource from the CMDB.

URI
tmod:@turbot/azure-sql#/control/types/databaseCmdb

Azure > SQL > Database > Discovery

Discover all Azure SQL database resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.

Note: Discovery and CMDB controls also use the Regions policy associated with the resource. If the region is not in the Azure > SQL > Database > Regions policy, the CMDB control will delete the resource from the CMDB.

URI
tmod:@turbot/azure-sql#/control/types/databaseDiscovery

Azure > SQL > Database > Encryption at Rest

Define the Encryption at Rest settings required for Azure > SQL > Database.

Encryption at Rest refers specifically to the encryption of data when written
to an underlying storage system. This control determines whether the resource
is encrypted at rest, and sets encryption.

The Encryption at Rest control compares the encryption settings against the
encryption policies for the resource
(Azure > SQL > Database > Encryption at Rest),
raises an alarm, and takes the defined enforcement action.

URI
tmod:@turbot/azure-sql#/control/types/databaseEncryptionAtRest

Azure > SQL > Database > Tags

Take an action when the tags of an Azure SQL database are not updated based on the Azure > SQL > Database > Tags > * policies.

If the resource is not updated with the tags defined in Azure > SQL > Database > Tags > Template, this control raises an alarm and takes the defined enforcement action.

See Tags for more information.

URI
tmod:@turbot/azure-sql#/control/types/databaseTags

Azure > SQL > Elastic Pool > Active

Take an action when an Azure SQL elastic pool is not active based on the
Azure > SQL > Elastic Pool > Active > * policies.

The Active control determines whether the resource is in active use, and if not, has
the ability to delete / clean up the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time-consuming to clear. The Active control brings automated, well-defined
control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > SQL > Elastic Pool > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

Note: This contrasts with Approved, where a resource that appears to be Unapproved
for any reason is considered Unapproved.

See Active for more information.

URI
tmod:@turbot/azure-sql#/control/types/elasticPoolActive

Azure > SQL > Elastic Pool > Approved

Take an action when an Azure SQL elastic pool is not approved based on Azure > SQL > Elastic Pool > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/azure-sql#/control/types/elasticPoolApproved

Azure > SQL > Elastic Pool > CMDB

Record and synchronize details for the Azure SQL elastic pool into the CMDB.

The CMDB control is
responsible for populating and updating all the attributes for that
resource type in the Guardrails CMDB.

Note: If CMDB is set to Skip for a resource, then it will not be added
to the CMDB, and no controls that target it will run.

CMDB controls also use the Regions policy associated with the resource. If
the region is not in the Azure > SQL > Elastic Pool > Regions policy, the CMDB control will delete the
resource from the CMDB.

URI
tmod:@turbot/azure-sql#/control/types/elasticPoolCmdb

Azure > SQL > Elastic Pool > Discovery

Discover all Azure SQL elastic pool resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.

Note: Discovery and CMDB controls also use the Regions policy associated with the resource. If the region is not in the Azure > SQL > Elastic Pool > Regions policy, the CMDB control will delete the resource from the CMDB.

URI
tmod:@turbot/azure-sql#/control/types/elasticPoolDiscovery

Azure > SQL > Elastic Pool > Tags

Take an action when the tags of an Azure SQL elastic pool are not updated based on the Azure > SQL > Elastic Pool > Tags > * policies.

If the resource is not updated with the tags defined in Azure > SQL > Elastic Pool > Tags > Template, this control raises an alarm and takes the defined enforcement action.

See Tags for more information.

URI
tmod:@turbot/azure-sql#/control/types/elasticPoolTags

Azure > SQL > Server > Active

Take an action when an Azure SQL server is not active based on the
Azure > SQL > Server > Active > * policies.

The Active control determines whether the resource is in active use, and if not, has
the ability to delete / clean up the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time-consuming to clear. The Active control brings automated, well-defined
control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > SQL > Server > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

Note: This contrasts with Approved, where a resource that appears to be Unapproved
for any reason is considered Unapproved.

See Active for more information.

URI
tmod:@turbot/azure-sql#/control/types/serverActive

Azure > SQL > Server > Active Directory Administrator

Define the Active Directory Administrator settings required for Azure > SQL > Server.

The Active Directory Administrator control determines the Active Directory authentication value that should be set for Azure SQL Server.

Enabling Active Directory authentication on a SQL server permits you to centrally manage identity and access to Azure SQL Database.

URI
tmod:@turbot/azure-sql#/control/types/serverActiveDirectoryAdministrator

Azure > SQL > Server > Advanced Data Security

Define the advanced data security settings required for Azure > SQL > Server.

Advanced data security for SQL Server includes functionality for surfacing and mitigating potential database
vulnerabilities and detecting anomalous activities that could indicate a threat to your server. The Advanced
data security package provides administrators with a single go-to location for discovering and classifying data,
assessing and addressing potential database vulnerabilities, and visibility into anomalous and potentially malicious
activity that is taking place.

Advanced data security can be defined for a specific database or as a default server policy. A server policy
applies to all existing and newly created databases on the server. Azure recommends enabling only server-level
data security and leaving the database-level data security disabled for all databases.

The Advanced data security control compares the vulnerability assessment and threat protection settings against
the advanced data security policies for the resource (Azure > SQL > Server > Advanced Data Security > *),
raises an alarm, and takes the defined enforcement action.

URI
tmod:@turbot/azure-sql#/control/types/serverDataSecurity

Azure > SQL > Server > Approved

Take an action when an Azure SQL server is not approved based on Azure > SQL > Server > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.

See Approved for more information.

URI
tmod:@turbot/azure-sql#/control/types/serverApproved

Azure > SQL > Server > Auditing

Define the auditing settings required for Azure > SQL > Server.

Auditing for Azure SQL Server tracks server events and writes them to an audit log
in your Azure Storage account, Log Analytics workspace or Event Hubs. This control
determines whether the resource auditing is set to your desired Azure Storage account with desired
retention days.

An auditing policy can be defined for a specific database or as a default server policy. A server policy
applies to all existing and newly created databases on the server. Azure recommends enabling only server-level
blob auditing and leaving the database-level auditing disabled for all databases.

The Auditing control compares the auditing settings against the auditing policies for the resource
(Azure > SQL > Server > Auditing > *), raises an alarm, and takes the defined enforcement action.

URI
tmod:@turbot/azure-sql#/control/types/serverAuditing

Azure > SQL > Server > CMDB

Record and synchronize details for the Azure SQL server into the CMDB.

The CMDB control is
responsible for populating and updating all the attributes for that
resource type in the Guardrails CMDB.

Note: If CMDB is set to Skip for a resource, then it will not be added
to the CMDB, and no controls that target it will run.

CMDB controls also use the Regions policy associated with the resource. If
the region is not in the Azure > SQL > Server > Regions policy, the CMDB control will delete the
resource from the CMDB.

URI
tmod:@turbot/azure-sql#/control/types/serverCmdb

Azure > SQL > Server > Discovery

Discover all Azure SQL server resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.

Note: Discovery and CMDB controls also use the Regions policy associated with the resource. If the region is not in the Azure > SQL > Server > Regions policy, the CMDB control will delete the resource from the CMDB.

URI
tmod:@turbot/azure-sql#/control/types/serverDiscovery

Azure > SQL > Server > Firewall

URI
tmod:@turbot/azure-sql#/control/types/serverFirewall

Azure > SQL > Server > Firewall > IP Ranges

URI
tmod:@turbot/azure-sql#/control/types/serverFirewallIpRanges

Azure > SQL > Server > Firewall > IP Ranges > Approved

Configure firewall IP address range checking. This control defines whether
to verify the firewall IP address ranges are approved, as well as the
subsequent action to take on unapproved items. Rules for all Approved
policies will be compiled in Approved > Compiled Rules and then
evaluated.

If set to Enforce: Delete unapproved, any unapproved IP address ranges
will be deleted from the firewall.

URI
tmod:@turbot/azure-sql#/control/types/serverFirewallIpRangesApproved

Azure > SQL > Server > Tags

Take an action when the tags of an Azure SQL server are not updated based on the Azure > SQL > Server > Tags > * policies.

If the resource is not updated with the tags defined in Azure > SQL > Server > Tags > Template, this control raises an alarm and takes the defined enforcement action.

See Tags for more information.

URI
tmod:@turbot/azure-sql#/control/types/serverTags