
Azure Policy definition

Deploy Auditing on SQL servers

Name Deploy Auditing on SQL servers
Id f4c68484-132f-41f9-9b6d-3e4b1cb55036
Version 1.0.0
Category SQL
Description This policy ensures that Auditing is enabled on SQL Servers for enhanced security and compliance. It will automatically create a storage account in the same region as the SQL server to store audit records.
Mode Indexed
Type BuiltIn
Preview FALSE
Deprecated FALSE
Effect Fixed: DeployIfNotExists
Used RBAC Roles
Role Name Role Id
SQL Security Manager 056cd41c-7e88-42e1-933e-88ba6a50c9c3
Storage Account Contributor 17d1049b-9a84-46fb-8f53-869881c3d3ab
History none
Used in Initiatives none
Json
{
  "properties": {
    "displayName": "Deploy Auditing on SQL servers",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy ensures that Auditing is enabled on SQL Servers for enhanced security and compliance. It will automatically create a storage account in the same region as the SQL server to store audit records.",
    "metadata": {
      "version": "1.0.0",
      "category": "SQL"
    },
    "parameters": {
      "retentionDays": {
        "type": "String",
        "metadata": {
          "description": "The value in days of the retention period (0 indicates unlimited retention)",
          "displayName": "Retention days (optional, 180 days if unspecified)"
        },
        "defaultValue": "180"
      },
      "storageAccountsResourceGroup": {
        "type": "String",
        "metadata": {
          "displayName": "Resource group name for storage accounts",
          "description": "Auditing writes database events to an audit log in your Azure Storage account (a storage account will be created in each region where a SQL Server is created that will be shared by all servers in that region). Important - for proper operation of Auditing do not delete or rename the resource group or the storage accounts.",
          "strongType": "existingResourceGroups"
        }
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Sql/servers"
      },
      "then": {
        "effect": "DeployIfNotExists",
        "details": {
          "type": "Microsoft.Sql/servers/auditingSettings",
          "name": "Default",
          "existenceCondition": {
            "field": "Microsoft.Sql/auditingSettings.state",
            "equals": "Enabled"
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3",
            "/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "serverName": {
                    "type": "string"
                  },
                  "auditRetentionDays": {
                    "type": "string"
                  },
                  "storageAccountsResourceGroup": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  }
                },
                "variables": {
                "retentionDays": "[int(parameters('auditRetentionDays'))]",
                "subscriptionId": "[subscription().subscriptionId]",
                "uniqueStorage": "[uniqueString(variables('subscriptionId'), parameters('location'), parameters('storageAccountsResourceGroup'))]",
                "locationCode": "[substring(parameters('location'), 0, 3)]",
                "storageName": "[tolower(concat('sqlaudit', variables('locationCode'), variables('uniqueStorage')))]",
                "createStorageAccountDeploymentName": "[concat('sqlServerAuditingStorageAccount-', uniqueString(variables('locationCode'), parameters('serverName')))]"
                },
                "resources": [
                  {
                    "apiVersion": "2017-05-10",
                  "name": "[variables('createStorageAccountDeploymentName')]",
                    "type": "Microsoft.Resources/deployments",
                  "resourceGroup": "[parameters('storageAccountsResourceGroup')]",
                    "properties": {
                      "mode": "Incremental",
                      "parameters": {
                        "location": {
                        "value": "[parameters('location')]"
                        },
                        "storageName": {
                        "value": "[variables('storageName')]"
                        }
                      },
                      "templateLink": {
                        "uri": "https://raw.githubusercontent.com/Azure/azure-policy/master/samples/SQL/deploy-sql-server-auditing/createStorage.template.json",
                        "contentVersion": "1.0.0.0"
                      }
                    }
                  },
                  {
                  "name": "[concat(parameters('serverName'), '/Default')]",
                    "type": "Microsoft.Sql/servers/auditingSettings",
                    "apiVersion": "2017-03-01-preview",
                    "properties": {
                      "state": "Enabled",
                    "storageEndpoint": "[reference(variables('createStorageAccountDeploymentName')).outputs.storageAccountEndPoint.value]",
                    "storageAccountAccessKey": "[reference(variables('createStorageAccountDeploymentName')).outputs.storageAccountKey.value]",
                    "retentionDays": "[variables('retentionDays')]",
                      "auditActionsAndGroups": null,
                    "storageAccountSubscriptionId": "[subscription().subscriptionId]",
                      "isStorageSecondaryKeyInUse": false
                    }
                  }
                ]
              },
              "parameters": {
                "serverName": {
                "value": "[field('name')]"
                },
                "auditRetentionDays": {
                "value": "[parameters('retentionDays')]"
                },
                "storageAccountsResourceGroup": {
                "value": "[parameters('storageAccountsResourceGroup')]"
                },
                "location": {
                "value": "[field('location')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/f4c68484-132f-41f9-9b6d-3e4b1cb55036",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "f4c68484-132f-41f9-9b6d-3e4b1cb55036"
}