last sync: 2021-Oct-22 15:42:38 UTC

Azure Policy definition

Deploy Advanced Data Security on SQL servers

Name Deploy Advanced Data Security on SQL servers
Azure Portal
Id 6134c3db-786f-471e-87bc-8f479dc890f6
Version 1.2.0
details on versioning
Category SQL
Microsoft docs
Description This policy enables Advanced Data Security on SQL Servers. This includes turning on Threat Detection and Vulnerability Assessment. It will automatically create a storage account in the same region and resource group as the SQL server to store scan results, with a 'sqlva' prefix.
Mode Indexed
Type BuiltIn
Preview FALSE
Deprecated FALSE
Effect Fixed: DeployIfNotExists
Used RBAC Role
Role Name Role Id
SQL Security Manager 056cd41c-7e88-42e1-933e-88ba6a50c9c3
Storage Account Contributor 17d1049b-9a84-46fb-8f53-869881c3d3ab
History
Date/Time (UTC ymd) (i) Change type Change detail
2021-06-08 15:17:13 change Minor (1.1.0 > 1.2.0)
2021-04-27 15:38:15 change Minor (1.0.0 > 1.1.0)
Used in Initiatives none
JSON Changes

JSON
{
  "displayName": "Deploy Advanced Data Security on SQL servers",
  "policyType": "BuiltIn",
  "mode": "Indexed",
  "description": "This policy enables Advanced Data Security on SQL Servers. This includes turning on Threat Detection and Vulnerability Assessment. It will automatically create a storage account in the same region and resource group as the SQL server to store scan results, with a 'sqlva' prefix.",
  "metadata": {
    "version": "1.2.0",
    "category": "SQL"
  },
  "parameters": {},
  "policyRule": {
    "if": {
      "field": "type",
      "equals": "Microsoft.Sql/servers"
    },
    "then": {
      "effect": "DeployIfNotExists",
      "details": {
        "type": "Microsoft.Sql/servers/securityAlertPolicies",
        "name": "Default",
        "existenceCondition": {
          "field": "Microsoft.Sql/securityAlertPolicies.state",
          "equals": "Enabled"
        },
        "roleDefinitionIds": [
          "/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3",
          "/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"
        ],
        "deployment": {
          "properties": {
            "mode": "incremental",
            "template": {
              "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
              "contentVersion": "1.0.0.0",
              "parameters": {
                "serverName": {
                  "type": "string"
                },
                "location": {
                  "type": "string"
                }
              },
              "variables": {
                "serverResourceGroupName": "[resourceGroup().name]",
                "subscriptionId": "[subscription().subscriptionId]",
                "uniqueStorage": "[uniqueString(variables('subscriptionId'), variables('serverResourceGroupName'), parameters('location'))]",
                "storageName": "[tolower(concat('sqlva', variables('uniqueStorage')))]"
              },
              "resources": [
                {
                  "type": "Microsoft.Storage/storageAccounts",
                  "name": "[variables('storageName')]",
                  "apiVersion": "2019-04-01",
                  "location": "[parameters('location')]",
                  "sku": {
                    "name": "Standard_LRS"
                  },
                  "kind": "StorageV2",
                  "properties": {
                    "minimumTlsVersion": "TLS1_2",
                    "supportsHttpsTrafficOnly": "true",
                    "allowBlobPublicAccess": "false"
                  }
                },
                {
                  "name": "[concat(parameters('serverName'), '/Default')]",
                  "type": "Microsoft.Sql/servers/securityAlertPolicies",
                  "apiVersion": "2017-03-01-preview",
                  "properties": {
                    "state": "Enabled",
                    "emailAccountAdmins": true
                  }
                },
                {
                  "name": "[concat(parameters('serverName'), '/Default')]",
                  "type": "Microsoft.Sql/servers/vulnerabilityAssessments",
                  "apiVersion": "2018-06-01-preview",
                  "properties": {
                    "storageContainerPath": "[concat(reference(resourceId('Microsoft.Storage/storageAccounts', variables('storageName'))).primaryEndpoints.blob, 'vulnerability-assessment')]",
                    "storageAccountAccessKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageName')), '2018-02-01').keys[0].value]",
                    "recurringScans": {
                      "isEnabled": true,
                      "emailSubscriptionAdmins": true,
                      "emails": []
                    }
                  },
                  "dependsOn": [
                    "[concat('Microsoft.Storage/storageAccounts/', variables('storageName'))]",
                    "[concat('Microsoft.Sql/servers/', parameters('serverName'), '/securityAlertPolicies/Default')]"
                  ]
                }
              ]
            },
            "parameters": {
              "serverName": {
                "value": "[field('name')]"
              },
              "location": {
                "value": "[field('location')]"
              }
            }
          }
        }
      }
    }
  }
}