prowler-cloud 5.17.1__py3-none-any.whl → 5.18.1__py3-none-any.whl

prowler/providers/azure/services/sqlserver/sqlserver_azuread_administrator_enabled/sqlserver_azuread_administrator_enabled.metadata.json

@@ -1,30 +1,36 @@
 {
   "Provider": "azure",
   "CheckID": "sqlserver_azuread_administrator_enabled",
-  "CheckTitle": "Ensure that SQL Servers have an Azure Active Directory administrator",
+  "CheckTitle": "SQL Server has an Azure Active Directory administrator configured",
   "CheckType": [],
   "ServiceName": "sqlserver",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "medium",
-  "ResourceType": "SQLServer",
+  "ResourceType": "microsoft.sql/servers",
   "ResourceGroup": "database",
-  "Description": "Ensure that there is an Azure Active Directory administrator configured",
-  "Risk": "Azure Active Directory provides a centralized way of managing identities. Using local SQL administrator identites makes it more difficult to manage user accounts. In addition, from Azure Active Directory, security policies can be enforced to users in centralized way.",
-  "RelatedUrl": "https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication",
+  "Description": "**Azure SQL Server** is configured with a **Microsoft Entra (Azure AD) administrator** at the server scope, indicated by `administrator_type` set to `ActiveDirectory`.",
+  "Risk": "Without a **Microsoft Entra admin**, the server can't use Entra identities, pushing reliance on **SQL authentication**. This weakens confidentiality and integrity: no MFA/conditional access, harder offboarding and auditing, and compromised passwords can enable unauthorized data access and privilege escalation.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/Sql/active-directory-admin.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "az sql server ad-admin create --resource-group resource_group_name --server server_name --display-name display_name --object-id user_object_id",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/Sql/active-directory-admin.html",
-      "Terraform": "https://docs.prowler.com/checks/azure/azure-general-policies/ensure-that-azure-active-directory-admin-is-configured#terraform"
+      "CLI": "az sql server ad-admin create --resource-group <RESOURCE_GROUP> --server <SERVER_NAME> --display-name <AAD_ADMIN_NAME> --object-id <AAD_OBJECT_ID>",
+      "NativeIaC": "```bicep\n// Configure Microsoft Entra (Azure AD) admin on an existing SQL Server\nresource aadAdmin 'Microsoft.Sql/servers/administrators@2021-11-01' = {\n  name: '<example_resource_name>/ActiveDirectory' // serverName/ActiveDirectory\n  properties: {\n    administratorType: 'ActiveDirectory' // CRITICAL: ensures admin type is AAD\n    login: '<AAD_ADMIN_NAME>'             // CRITICAL: AAD admin display name\n    sid: '<AAD_OBJECT_ID>'                // CRITICAL: AAD object (GUID)\n    tenantId: '<TENANT_ID>'               // CRITICAL: Tenant where the AAD object exists\n  }\n}\n```",
+      "Other": "1. In Azure Portal, go to SQL servers and select <SERVER_NAME>\n2. Select Active Directory admin\n3. Click Set admin\n4. Select the desired Microsoft Entra user or group and click Select\n5. Click Save",
+      "Terraform": "```hcl\n# Set Microsoft Entra (Azure AD) admin on an existing SQL Server\nresource \"azurerm_mssql_active_directory_administrator\" \"<example_resource_name>\" {\n  server_id = \"<example_resource_id>\"  # CRITICAL: target SQL server resource ID\n  login     = \"<AAD_ADMIN_NAME>\"        # CRITICAL: AAD admin display name\n  object_id = \"<AAD_OBJECT_ID>\"         # CRITICAL: AAD object (GUID)\n  tenant_id = \"<TENANT_ID>\"             # CRITICAL: Tenant where the AAD object exists\n}\n```"
     },
     "Recommendation": {
-      "Text": "Enable an Azure Active Directory administrator",
-      "Url": ""
+      "Text": "Assign a **Microsoft Entra administrator** (prefer a security group) at the server level and manage access via Entra groups. Enforce **least privilege**, require **MFA/conditional access**, and use **managed identities** for services. *If feasible*, adopt Entra-only authentication and phase out shared SQL logins.",
+      "Url": "https://hub.prowler.com/check/sqlserver_azuread_administrator_enabled"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "identity-access"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/azure/services/sqlserver/sqlserver_microsoft_defender_enabled/sqlserver_microsoft_defender_enabled.metadata.json

@@ -1,30 +1,40 @@
 {
   "Provider": "azure",
   "CheckID": "sqlserver_microsoft_defender_enabled",
-  "CheckTitle": "Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers",
+  "CheckTitle": "SQL Server has Microsoft Defender for SQL enabled",
   "CheckType": [],
   "ServiceName": "sqlserver",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
-  "Severity": "medium",
-  "ResourceType": "SQLServer",
+  "Severity": "high",
+  "ResourceType": "microsoft.sql/servers",
   "ResourceGroup": "database",
-  "Description": "Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers",
-  "Risk": "Microsoft Defender for SQL is a unified package for advanced SQL security capabilities. Microsoft Defender is available for Azure SQL Database, Azure SQL Managed  classifying sensitive data, surfacing and mitigating potential database vulnerabilities, and detecting anomalous activities that could indicate a threat to your database. It provides a single go-to location for enabling and managing these capabilities.",
-  "RelatedUrl": "https://docs.microsoft.com/en-us/azure/azure-sql/database/azure-defender-for-sql?view=azuresql",
+  "Description": "**Azure SQL Server** instances are evaluated for the server-level **security alert policy** of **Microsoft Defender for SQL**, expecting the policy state to be `Enabled`.",
+  "Risk": "Without **Defender for SQL**, anomalous logins, SQL injection patterns, and risky configurations may go undetected, enabling data exfiltration (**confidentiality**), unauthorized changes (**integrity**), and disruptive queries or ransomware (**availability**).",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.azadvertizer.net/azpolicyadvertizer/7fe3b40f-802b-4cdd-8bd4-fd799c948cc2.html",
+    "https://learn.microsoft.com/en-us/azure/azure-sql/database/azure-defender-for-sql?view=azuresql",
+    "https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-sql-usage",
+    "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/SecurityCenter/defender-azure-sql.html",
+    "https://learn.microsoft.com/en-us/azure/defender-for-cloud/policy-reference"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/SecurityCenter/defender-azure-sql.html",
-      "Terraform": ""
+      "CLI": "az rest --method PUT --url \"https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Sql/servers/<SERVER_NAME>/securityAlertPolicies/Default?api-version=2023-08-01-preview\" --body '{\"properties\":{\"state\":\"Enabled\"}}'",
+      "NativeIaC": "```bicep\nparam serverName string = '<example_resource_name>'\n\nresource securityAlert 'Microsoft.Sql/servers/securityAlertPolicies@2021-11-01' = {\n  name: '${serverName}/Default'\n  properties: {\n    state: 'Enabled' // Critical: enables the server's security alert policy (Defender for SQL)\n  }\n}\n```",
+      "Other": "1. Sign in to the Azure portal > SQL servers > select <SERVER_NAME>\n2. Under Security, select Microsoft Defender for SQL (or Microsoft Defender for Cloud)\n3. Toggle to On (Enable) and click Save",
+      "Terraform": "```hcl\nresource \"azurerm_mssql_server_security_alert_policy\" \"<example_resource_name>\" {\n  server_id = \"<example_resource_id>\"\n  state     = \"Enabled\" # Critical: enables the server's security alert policy (Defender for SQL)\n}\n```"
     },
     "Recommendation": {
-      "Text": "1. Go to SQL servers For each production SQL server instance: 2. Click Microsoft Defender for Cloud 3. Click Enable Microsoft Defender for SQL",
-      "Url": "https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-sql-usage"
+      "Text": "Enable **Microsoft Defender for SQL** across all servers and managed instances, preferably at subscription scope. Apply **least privilege**, restrict public exposure, and integrate alerts with your SOC. Regularly review **vulnerability assessment** results and harden findings as part of **defense in depth**.",
+      "Url": "https://hub.prowler.com/check/sqlserver_microsoft_defender_enabled"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "logging",
+    "forensics-ready"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": "Microsoft Defender for SQL is a paid feature and will incur additional cost for each SQL server."

prowler/providers/azure/services/sqlserver/sqlserver_recommended_minimal_tls_version/sqlserver_recommended_minimal_tls_version.metadata.json

@@ -1,30 +1,37 @@
 {
   "Provider": "azure",
   "CheckID": "sqlserver_recommended_minimal_tls_version",
-  "CheckTitle": "Ensure SQL server has a recommended minimal TLS version required.",
+  "CheckTitle": "SQL server enforces minimal TLS version 1.2 or 1.3",
   "CheckType": [],
   "ServiceName": "sqlserver",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "medium",
-  "ResourceType": "SQLServer",
+  "ResourceType": "microsoft.sql/servers",
   "ResourceGroup": "database",
-  "Description": "Ensure that SQL Server instances are configured with the recommended minimal TLS version to maintain secure connections.",
-  "Risk": "Using outdated or weak TLS versions can expose SQL Server instances to vulnerabilities, increasing the risk of data breaches and unauthorized access.",
-  "RelatedUrl": "https://learn.microsoft.com/en-us/azure/azure-sql/database/connectivity-settings?view=azuresql&tabs=azure-portal#configure-minimum-tls-version",
+  "Description": "**Azure SQL logical servers** are assessed for the configured **minimum TLS version** for client connections. The finding determines whether the minimal accepted version aligns with recommended modern values such as `1.2` or `1.3`.",
+  "Risk": "Without a modern minimum, clients can negotiate **weak TLS** or be downgraded, enabling **MITM** and decryption. This jeopardizes **confidentiality** (credential/data exposure) and **integrity** (query tampering), and may disrupt **availability** via session resets during handshake interference.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/Sql/db-minimum-tls-version-check.html",
+    "https://learn.microsoft.com/en-us/azure/azure-sql/database/connectivity-settings?view=azuresql&tabs=azure-portal#configure-minimum-tls-version",
+    "https://learn.microsoft.com/en-us/azure/azure-sql/managed-instance/minimal-tls-version-configure?view=azuresql"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "az sql server update -n sql-server-name -g sql-server-group --set minimalTlsVersion=<version>",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "CLI": "az sql server update -n <SQL_SERVER_NAME> -g <RESOURCE_GROUP> --set minimalTlsVersion=\"1.2\"",
+      "NativeIaC": "```bicep\n// Update Azure SQL logical server to enforce minimum TLS 1.2\nresource sqlServer 'Microsoft.Sql/servers@2021-11-01' = {\n  name: '<example_resource_name>'\n  location: resourceGroup().location\n  properties: {\n    minimalTlsVersion: '1.2' // Critical: Enforces TLS 1.2+ for client connections\n  }\n}\n```",
+      "Other": "1. In the Azure portal, go to SQL servers and select your server\n2. Open Networking > Connectivity\n3. Set Minimum TLS Version to 1.2 (or 1.3)\n4. Click Save",
+      "Terraform": "```hcl\n# Enforce minimum TLS 1.2 on Azure SQL logical server\nresource \"azurerm_mssql_server\" \"<example_resource_name>\" {\n  name                         = \"<example_resource_name>\"\n  resource_group_name          = \"<example_resource_name>\"\n  location                     = \"<example_location>\"\n  version                      = \"12.0\"\n  administrator_login          = \"<example_admin>\"\n  administrator_login_password = \"<example_password>\"\n\n  minimum_tls_version = \"1.2\" # Critical: Enforces TLS 1.2+ for client connections\n}\n```"
     },
     "Recommendation": {
-      "Text": "1. Go to Azure SQL Server 2. Navigate to 'Security' -> 'Networking' 3. Select 'Connectivity' 4. Update the TLS version in the field 'Minimum TLS version' to a recommended minimal version (e.g., TLS 1.2).",
-      "Url": "https://learn.microsoft.com/en-us/azure/azure-sql/database/connectivity-settings?view=azuresql&tabs=azure-portal#configure-minimum-tls-version"
+      "Text": "Set the **minimum TLS** to `1.2` or higher (prefer `1.3` when supported). Upgrade client libraries and OS trust stores; remove legacy protocols and weak ciphers to prevent downgrades. Validate compatibility before enforcement and monitor connections for outdated TLS. Uphold **encryption in transit** and **defense in depth**.",
+      "Url": "https://hub.prowler.com/check/sqlserver_recommended_minimal_tls_version"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "encryption"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": "Verify support for the TLS version from the application side before changing the minimal version."

prowler/providers/azure/services/sqlserver/sqlserver_tde_encrypted_with_cmk/sqlserver_tde_encrypted_with_cmk.metadata.json

@@ -1,30 +1,37 @@
 {
   "Provider": "azure",
   "CheckID": "sqlserver_tde_encrypted_with_cmk",
-  "CheckTitle": "Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key",
+  "CheckTitle": "SQL server uses a customer-managed key for the TDE protector and all databases have TDE enabled",
   "CheckType": [],
   "ServiceName": "sqlserver",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
-  "Severity": "medium",
-  "ResourceType": "SQLServer",
+  "Severity": "critical",
+  "ResourceType": "microsoft.sql/servers",
   "ResourceGroup": "database",
-  "Description": "Transparent Data Encryption (TDE) with Customer-managed key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties.",
-  "Risk": "Customer-managed key support for Transparent Data Encryption (TDE) allows user control of TDE encryption keys and restricts who can access them and when. Azure Key Vault, Azure cloud-based external key management system, is the first key management service where TDE has integrated support for Customer-managed keys. With Customer-managed key support, the database encryption key is protected by an asymmetric key stored in the Key Vault. The asymmetric key is set at the server level and inherited by all databases under that server",
-  "RelatedUrl": "https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption-byok-azure-sql",
+  "Description": "**Azure SQL Server** uses **Transparent Data Encryption** with a **customer-managed key** in Azure Key Vault, and each database has TDE `Enabled`",
+  "Risk": "Without **TDE with CMK**, data at rest may be unencrypted or controlled by service keys, weakening **confidentiality** and **key custody**. Attackers or insiders could read backups, snapshots, or stolen disks, and you cannot enforce **rotation**, **revocation**, or **separation of duties**, raising compliance and incident response risks.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/Sql/use-byok-for-transparent-data-encryption.html#",
+    "https://learn.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-byok-overview?view=azuresql",
+    "https://learn.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-byok-overview?view=azuresql&tabs=azurekeyvault%2Cazurekeyvaultrequirements%2Cazurekeyvaultrecommendations"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "az sql server tde-key set --resource-group resourceName --server dbServerName --server-key-type {AzureKeyVault} --kid keyIdentifier",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/Sql/use-byok-for-transparent-data-encryption.html#",
-      "Terraform": ""
+      "CLI": "az rest --method PUT --url \"https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Sql/servers/<SERVER_NAME>/encryptionProtector/current?api-version=2021-11-01\" --body '{\"properties\":{\"serverKeyType\":\"AzureKeyVault\",\"serverKeyName\":\"<KEY_VAULT_NAME>_<KEY_NAME>_<KEY_VERSION>\"}}' && az sql db tde set --resource-group <RESOURCE_GROUP> --server <SERVER_NAME> --database <DATABASE_NAME> --status Enabled",
+      "NativeIaC": "```bicep\n// Add the Key Vault key to the SQL server\nresource serverKey 'Microsoft.Sql/servers/keys@2021-11-01' = {\n  name: '<example_resource_name>/<example_resource_name>'\n  properties: {\n    serverKeyType: 'AzureKeyVault' // critical: use a customer-managed key from Azure Key Vault\n    uri: 'https://<example_resource_name>.vault.azure.net/keys/<example_resource_name>/<example_resource_id>' // critical: KID of the Key Vault key\n  }\n}\n\n// Set the server TDE protector to the Key Vault key (CMK)\nresource encryptionProtector 'Microsoft.Sql/servers/encryptionProtector@2021-11-01' = {\n  name: '<example_resource_name>/current'\n  properties: {\n    serverKeyType: 'AzureKeyVault' // critical: switches protector from service-managed to CMK\n    serverKeyName: '<example_resource_name>' // critical: reference the key added above\n  }\n}\n\n// Ensure TDE is enabled on the database\nresource dbTde 'Microsoft.Sql/servers/databases/transparentDataEncryption@2014-04-01' = {\n  name: '<example_resource_name>/<example_resource_name>/current'\n  properties: {\n    status: 'Enabled' // critical: turns on TDE for the database\n  }\n}\n```",
+      "Other": "1. In the Azure portal, go to SQL servers > select <server>\n2. Under Security, open Transparent data encryption\n3. Select Customer-managed key and choose the key from Azure Key Vault, then Save\n4. For each database on this server: go to SQL databases > select <database> > Transparent data encryption\n5. Set Status to On and Save",
+      "Terraform": "```hcl\n# Set the SQL Server TDE protector to a Key Vault CMK\nresource \"azurerm_mssql_server_transparent_data_encryption\" \"<example_resource_name>\" {\n  server_id        = \"<example_resource_id>\"\n  key_vault_key_id = \"<key_vault_key_id>\" # critical: KID of the Key Vault key to use as TDE protector\n}\n\n# Ensure TDE is enabled on the database\nresource \"azurerm_mssql_database\" \"<example_resource_name>\" {\n  name      = \"<example_resource_name>\"\n  server_id = \"<example_resource_id>\"\n\n  transparent_data_encryption_enabled = true # critical: turns on TDE for the database\n}\n```"
     },
     "Recommendation": {
-      "Text": "1. Go to SQL servers For the desired server instance 2. Click On Transparent data encryption 3. Set Transparent data encryption to Customer-managed key 4. Browse through your key vaults to Select an existing key or create a new key in the Azure Key Vault. 5. Check Make selected key the default TDE protector",
-      "Url": "https://learn.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-byok-overview?view=azuresql"
+      "Text": "Use a **customer-managed TDE protector** in Azure Key Vault or Managed HSM and ensure TDE is `Enabled` for every database.\n- Apply **least privilege** to key access\n- Enable **rotation** and monitor key use\n- Protect keys with soft-delete and purge protection\n- Enforce via **policy** and maintain key backups for restores",
+      "Url": "https://hub.prowler.com/check/sqlserver_tde_encrypted_with_cmk"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "encryption"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": "Once TDE protector is encrypted with a Customer-managed key, it transfers entire responsibility of respective key management on to you, and hence you should be more careful about doing any operations on the particular key in order to keep data from corresponding SQL server and Databases hosted accessible. When deploying Customer Managed Keys, it is prudent to ensure that you also deploy an automated toolset for managing these keys (this should include discovery and key rotation), and Keys should be stored in an HSM or hardware backed keystore, such as Azure Key Vault. As far as toolsets go, check with your cryptographic key provider, as they may well provide one as an add-on to their service."

prowler/providers/azure/services/sqlserver/sqlserver_tde_encryption_enabled/sqlserver_tde_encryption_enabled.metadata.json

@@ -1,30 +1,37 @@
 {
   "Provider": "azure",
   "CheckID": "sqlserver_tde_encryption_enabled",
-  "CheckTitle": "Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted",
+  "CheckTitle": "SQL database has Transparent Data Encryption (TDE) enabled",
   "CheckType": [],
   "ServiceName": "sqlserver",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
-  "Severity": "medium",
-  "ResourceType": "SQLServer",
+  "Severity": "high",
+  "ResourceType": "microsoft.sql/servers/databases",
   "ResourceGroup": "database",
-  "Description": "Enable Transparent Data Encryption on every SQL server.",
-  "Risk": "Azure SQL Database transparent data encryption helps protect against the threat of malicious activity by performing real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.",
-  "RelatedUrl": "https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption-with-azure-sql-database",
+  "Description": "**Azure SQL user databases** have **Transparent Data Encryption** (`TDE`) enabled, ensuring encryption of database files, backups, and transaction logs at rest.\n\n*The `master` system database is excluded from evaluation.*",
+  "Risk": "Without **TDE**, data at rest remains unencrypted:\n- Stolen backups, snapshots, or compromised storage enable offline data disclosure\n- Attackers with substrate access can bypass DB auth, harming **confidentiality** and enabling **exfiltration**",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://learn.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-tde-overview?view=azuresql&tabs=azure-portal",
+    "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/Sql/data-encryption.html#",
+    "https://learn.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-byok-overview?view=azuresql"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "az sql db tde set --resource-group resourceGroup --server dbServerName --database dbName --status Enabled",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/Sql/data-encryption.html#",
-      "Terraform": ""
+      "CLI": "az sql db tde set --resource-group <RESOURCE_GROUP> --server <SERVER_NAME> --database <DATABASE_NAME> --status Enabled",
+      "NativeIaC": "```bicep\n// Enable TDE on an existing Azure SQL Database\nresource tde 'Microsoft.Sql/servers/databases/transparentDataEncryption@2021-11-01' = {\n  name: '<example_server_name>/<example_database_name>/current'\n  properties: {\n    state: 'Enabled' // critical: enables Transparent Data Encryption (TDE)\n  }\n}\n```",
+      "Other": "1. In Azure Portal, go to SQL databases and select the target database (not master)\n2. Under Settings, open Transparent data encryption\n3. Set Transparent data encryption to On (Enabled) and click Save",
+      "Terraform": "```hcl\nresource \"azurerm_mssql_database\" \"<example_resource_name>\" {\n  name      = \"<example_resource_name>\"\n  server_id = \"<example_resource_id>\"\n\n  transparent_data_encryption_enabled = true # critical: enables TDE\n}\n```"
     },
     "Recommendation": {
-      "Text": "1. Go to SQL databases 2. For each DB instance 3. Click on Transparent data encryption 4. Set Data encryption to On",
-      "Url": "https://learn.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-byok-overview?view=azuresql"
+      "Text": "Enable **TDE** on all Azure SQL user databases. Prefer **customer-managed keys** in Key Vault or Managed HSM for control, rotation, and revocation. Apply **least privilege** and **separation of duties** to key access, enforce via **policy**, and monitor key/audit logs. *Maintain key backups and lifecycle to prevent availability loss.*",
+      "Url": "https://hub.prowler.com/check/sqlserver_tde_encryption_enabled"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "encryption"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/azure/services/sqlserver/sqlserver_unrestricted_inbound_access/sqlserver_unrestricted_inbound_access.metadata.json

@@ -1,30 +1,36 @@
 {
   "Provider": "azure",
   "CheckID": "sqlserver_unrestricted_inbound_access",
-  "CheckTitle": "Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)",
+  "CheckTitle": "Azure SQL Server does not have firewall rules allowing 0.0.0.0-255.255.255.255",
   "CheckType": [],
   "ServiceName": "sqlserver",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "critical",
-  "ResourceType": "SQLServer",
+  "ResourceType": "microsoft.sql/servers",
   "ResourceGroup": "database",
-  "Description": "Ensure that there are no firewall rules allowing traffic from 0.0.0.0-255.255.255.255",
-  "Risk": "Azure SQL servers provide a firewall that, by default, blocks all Internet connections. When the rule (0.0.0.0-255.255.255.255) is used, the server can be accessed by any source from the Internet, incrementing significantly the attack surface of the SQL Server. It is recommended to use more granular firewall rules.",
-  "RelatedUrl": "https://docs.microsoft.com/en-us/azure/sql-database/sql-database-vnet-service-endpoint-rule-overview",
+  "Description": "**Azure SQL Server** server-level firewall rules are evaluated for an entry that allows the entire IPv4 space (`0.0.0.0` to `255.255.255.255`).\n\nThe finding identifies presence of this Internet-wide rule on the server firewall.",
+  "Risk": "An Internet-wide rule permits unsolicited access from any host, enabling mass scanning, brute force, and exploitation of weak configurations.\n- Confidentiality: unauthorized data access/exfiltration\n- Integrity: malicious data/DDL changes\n- Availability: resource abuse or DoS via excessive connections",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/Sql/unrestricted-sql-database-access.html",
+    "https://learn.microsoft.com/en-us/azure/azure-sql/database/vnet-service-endpoint-rule-overview?view=azuresql"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "az sql server firewall-rule delete --resource-group resource_group_name --server sql_server_name --name rule_name",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/Sql/unrestricted-sql-database-access.html",
-      "Terraform": "https://docs.prowler.com/checks/azure/azure-networking-policies/bc_azr_networking_4#terraform"
+      "CLI": "az sql server firewall-rule delete --resource-group <RESOURCE_GROUP> --server <SERVER_NAME> --name <RULE_NAME>",
+      "NativeIaC": "```bicep\n// Update the firewall rule to not allow the entire Internet\nresource sqlServer 'Microsoft.Sql/servers@2021-11-01' existing = {\n  name: '<example_resource_name>'\n}\n\nresource restricted 'Microsoft.Sql/servers/firewallRules@2021-11-01' = {\n  name: '${sqlServer.name}/<example_resource_name>'\n  properties: {\n    startIpAddress: '<START_IP>' // Critical: not 0.0.0.0; restricts start IP\n    endIpAddress: '<END_IP>'     // Critical: not 255.255.255.255; restricts end IP\n  }\n}\n```",
+      "Other": "1. In the Azure portal, go to SQL servers and select your server\n2. Open Security > Networking\n3. Under Firewall rules, find any rule with Start IP 0.0.0.0 and End IP 255.255.255.255\n4. Select the rule and click Delete\n5. Click Save",
+      "Terraform": "```hcl\n# Replace any allow-all firewall rule with a restricted range\nresource \"azurerm_mssql_firewall_rule\" \"<example_resource_name>\" {\n  name             = \"<example_resource_name>\"\n  server_id        = \"<example_resource_id>\"\n  start_ip_address = \"<START_IP>\" # Critical: not 0.0.0.0\n  end_ip_address   = \"<END_IP>\"   # Critical: not 255.255.255.255\n}\n```"
     },
     "Recommendation": {
-      "Text": "Remove firewall rules allowing all sources and, instead, use more granular rules",
-      "Url": ""
+      "Text": "Remove the all-open rule and enforce **least privilege**.\n- Restrict access to specific IPs/ranges\n- Prefer **private endpoints** or VNet rules to avoid Internet exposure\n- Layer controls (NSGs, Azure Firewall)\n- Avoid broad exceptions like `Allow Azure services` and never use `0.0.0.0/0`",
+      "Url": "https://hub.prowler.com/check/sqlserver_unrestricted_inbound_access"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/azure/services/sqlserver/sqlserver_va_emails_notifications_admins_enabled/sqlserver_va_emails_notifications_admins_enabled.metadata.json

@@ -1,30 +1,37 @@
 {
   "Provider": "azure",
   "CheckID": "sqlserver_va_emails_notifications_admins_enabled",
-  "CheckTitle": "Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server",
+  "CheckTitle": "SQL Server has Vulnerability Assessment enabled and email notifications to subscription admins configured",
   "CheckType": [],
   "ServiceName": "sqlserver",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "medium",
-  "ResourceType": "SQLServer",
+  "ResourceType": "microsoft.sql/servers",
   "ResourceGroup": "database",
-  "Description": "Enable Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners'.",
-  "Risk": "VA scan reports and alerts will be sent to admins and subscription owners by enabling setting 'Also send email notifications to admins and subscription owners'. This may help in reducing time required for identifying risks and taking corrective measures.",
-  "RelatedUrl": "https://docs.microsoft.com/en-us/azure/sql-database/sql-vulnerability-assessment",
+  "Description": "**Azure SQL Server** Vulnerability Assessment configuration, specifically whether recurring scans are set to email results to subscription admins/owners via `Also send email notifications to admins and subscription owners`.",
+  "Risk": "Without these notifications, findings may go unnoticed, delaying fixes. Prolonged exposure of misconfigurations and weak permissions threatens data **confidentiality** and **integrity**, can affect **availability**, and slows **incident response** and audit readiness.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/Sql/enable-email-alerts-for-administrators-and-subscription-owners.html",
+    "https://learn.microsoft.com/en-us/azure/defender-for-cloud/sql-azure-vulnerability-assessment-enable",
+    "https://learn.microsoft.com/en-us/azure/defender-for-cloud/sql-azure-vulnerability-assessment-overview"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": "https://docs.prowler.com/checks/azure/azure-general-policies/ensure-that-va-setting-also-send-email-notifications-to-admins-and-subscription-owners-is-set-for-an-sql-server#terraform"
+      "CLI": "az rest --method put --url \"https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Sql/servers/<SERVER_NAME>/vulnerabilityAssessments/default?api-version=2021-11-01\" --body '{\"properties\":{\"storageContainerPath\":\"https://<STORAGE_ACCOUNT>.blob.core.windows.net/<CONTAINER>\",\"storageAccountAccessKey\":\"<STORAGE_KEY>\",\"recurringScans\":{\"isEnabled\":true,\"emailSubscriptionAdmins\":true}}}'",
+      "NativeIaC": "```bicep\n// Enable VA at server level with classic storage and email to subscription admins\nresource sqlServer 'Microsoft.Sql/servers@2021-11-01' existing = {\n  name: '<example_resource_name>'\n}\n\nresource va 'Microsoft.Sql/servers/vulnerabilityAssessments@2021-11-01' = {\n  name: 'default'\n  parent: sqlServer\n  properties: {\n    storageContainerPath: 'https://<example_resource_name>.blob.core.windows.net/<example_resource_name>' // Critical: required so the check detects VA configured\n    storageAccountAccessKey: '<example_resource_id>'\n    recurringScans: {\n      isEnabled: true\n      emailSubscriptionAdmins: true // Critical: sends scan reports to subscription admins to PASS the check\n    }\n  }\n}\n```",
+      "Other": "1. In Azure Portal, go to SQL servers and open <SERVER_NAME>\n2. Under Security, select Vulnerability assessment (classic)\n3. Select a Storage account container and click Save (ensures a storage container path)\n4. Enable Recurring scans\n5. Enable Send scan reports to subscription admins\n6. Click Save",
+      "Terraform": "```hcl\n# Enable VA at server level and email subscription admins\nresource \"azurerm_mssql_server_security_alert_policy\" \"<example_resource_name>\" {\n  server_id = \"<example_resource_id>\"\n  state     = \"Enabled\"\n}\n\nresource \"azurerm_mssql_server_vulnerability_assessment\" \"<example_resource_name>\" {\n  server_security_alert_policy_id = azurerm_mssql_server_security_alert_policy.<example_resource_name>.id\n  storage_container_path          = \"https://<example_resource_name>.blob.core.windows.net/<example_resource_name>\" # Critical: required so the check detects VA configured\n  storage_account_access_key      = \"<example_resource_id>\"\n\n  recurring_scans {\n    enabled                   = true\n    email_subscription_admins = true # Critical: sends scan reports to subscription admins to PASS the check\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "1. Go to SQL servers 2. Select a server instance 3. Click on Security Center 4. Select Configure next to Enabled at subscription-level 5. In Section Vulnerability Assessment Settings, configure Storage Accounts if not already 6. Check/enable 'Also send email notifications to admins and subscription owners' 7. Click Save",
-      "Url": "https://learn.microsoft.com/en-us/azure/defender-for-cloud/sql-azure-vulnerability-assessment-enable"
+      "Text": "Enable VA email alerts for admins/owners (`Also send...`) so findings reach accountable staff promptly.\n\n- Route to a monitored security group and SIEM\n- Review recipients regularly; remove stale accounts\n- Apply **least privilege** and maintain recurring scans for **defense in depth**",
+      "Url": "https://hub.prowler.com/check/sqlserver_va_emails_notifications_admins_enabled"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "vulnerabilities"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": "Enabling the Microsoft Defender for SQL features will incur additional costs for each SQL server."

prowler/providers/azure/services/sqlserver/sqlserver_va_periodic_recurring_scans_enabled/sqlserver_va_periodic_recurring_scans_enabled.metadata.json

@@ -1,30 +1,37 @@
 {
   "Provider": "azure",
   "CheckID": "sqlserver_va_periodic_recurring_scans_enabled",
-  "CheckTitle": "Ensure that Vulnerability Assessment (VA) setting 'Periodic recurring scans' is set to 'on' for each SQL server",
+  "CheckTitle": "SQL Server has Vulnerability Assessment periodic recurring scans enabled",
   "CheckType": [],
   "ServiceName": "sqlserver",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "medium",
-  "ResourceType": "SQLServer",
+  "ResourceType": "microsoft.sql/servers",
   "ResourceGroup": "database",
-  "Description": "Enable Vulnerability Assessment (VA) Periodic recurring scans for critical SQL servers and corresponding SQL databases.",
-  "Risk": "VA setting 'Periodic recurring scans' schedules periodic (weekly) vulnerability scanning for the SQL server and corresponding Databases. Periodic and regular vulnerability scanning provides risk visibility based on updated known vulnerability signatures and best practices.",
-  "RelatedUrl": "https://docs.microsoft.com/en-us/azure/sql-database/sql-vulnerability-assessment",
+  "Description": "**Azure SQL servers** are evaluated for **Vulnerability Assessment** configuration and whether **periodic recurring scans** are scheduled (e.g., weekly) for the server and its databases.\n\nServers with Vulnerability Assessment missing or scans not scheduled are identified.",
+  "Risk": "Without scheduled scans, new misconfigurations and vulnerable settings can persist unnoticed, weakening **confidentiality** and **integrity**. Attackers can exploit stale permissions, unsafe firewall rules, or unpatched features to read or alter data and pivot to other resources.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://learn.microsoft.com/en-us/azure/defender-for-cloud/sql-azure-vulnerability-assessment-overview",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/Sql/periodic-vulnerability-scans.html",
+    "https://learn.microsoft.com/en-us/azure/defender-for-cloud/sql-azure-vulnerability-assessment-enable"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/Sql/periodic-vulnerability-scans.html#",
-      "Terraform": "https://docs.prowler.com/checks/azure/azure-general-policies/ensure-that-va-setting-periodic-recurring-scans-is-enabled-on-a-sql-server#terraform"
+      "CLI": "az rest --method put --url https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Sql/servers/<SERVER_NAME>/vulnerabilityAssessments/Default?api-version=2023-08-01-preview --body '{\"properties\":{\"storageContainerPath\":\"https://<STORAGE_ACCOUNT>.blob.core.windows.net/<CONTAINER>/\",\"storageAccountAccessKey\":\"<ACCESS_KEY>\",\"recurringScans\":{\"isEnabled\":true}}}'",
+      "NativeIaC": "```bicep\n// Enable classic VA with recurring scans on an existing SQL Server\nresource sqlServer 'Microsoft.Sql/servers@2023-08-01-preview' existing = {\n  name: '<example_resource_name>'\n}\n\nresource va 'Microsoft.Sql/servers/vulnerabilityAssessments@2023-08-01-preview' = {\n  name: 'Default'\n  parent: sqlServer\n  properties: {\n    storageContainerPath: 'https://<example_storage_account>.blob.core.windows.net/<example_container>/' // CRITICAL: Required so VA is considered configured\n    storageAccountAccessKey: '<example_access_key>'\n    recurringScans: {\n      isEnabled: true // CRITICAL: Enables periodic recurring scans\n    }\n  }\n}\n```",
+      "Other": "1. In Azure Portal, go to SQL servers > select <your server>\n2. Under Security, open Vulnerability assessment (classic configuration)\n3. Set Storage container to an existing blob container and Save\n4. Turn Recurring scans to On\n5. Click Save to apply",
+      "Terraform": "```hcl\n# Server VA with periodic recurring scans enabled\nresource \"azurerm_mssql_server_vulnerability_assessment\" \"<example_resource_name>\" {\n  server_security_alert_policy_id = \"<example_resource_id>\"\n  storage_container_path          = \"https://<example_storage_account>.blob.core.windows.net/<example_container>/\" # Required so VA is configured\n  storage_account_access_key      = \"<example_access_key>\"\n\n  recurring_scans {\n    enabled = true # CRITICAL: Enables periodic recurring scans\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "1. Go to SQL servers 2. For each server instance 3. Click on Security Center 4. In Section Vulnerability Assessment Settings, set Storage Account if not already 5. Toggle 'Periodic recurring scans' to ON. 6. Click Save",
-      "Url": "https://learn.microsoft.com/en-us/azure/defender-for-cloud/sql-azure-vulnerability-assessment-enable"
+      "Text": "Enable **recurring Vulnerability Assessment scans** at server scope and ensure results are retained securely (*express configuration or secured storage*). Apply **least privilege**, maintain baselines, and promptly remediate findings. Automate alerting and periodic reviews as part of **defense in depth** and change management.",
+      "Url": "https://hub.prowler.com/check/sqlserver_va_periodic_recurring_scans_enabled"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "vulnerabilities"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": "Enabling the Azure Defender for SQL feature will incur additional costs for each SQL server."

prowler/providers/azure/services/sqlserver/sqlserver_va_scan_reports_configured/sqlserver_va_scan_reports_configured.metadata.json

@@ -1,30 +1,36 @@
 {
   "Provider": "azure",
   "CheckID": "sqlserver_va_scan_reports_configured",
-  "CheckTitle": "Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server",
+  "CheckTitle": "SQL server has Vulnerability Assessment enabled and scan report recipients configured",
   "CheckType": [],
   "ServiceName": "sqlserver",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "medium",
-  "ResourceType": "SQLServer",
+  "ResourceType": "microsoft.sql/servers",
   "ResourceGroup": "database",
-  "Description": "Configure 'Send scan reports to' with email addresses of concerned data owners/stakeholders for a critical SQL servers.",
-  "Risk": "Vulnerability Assessment (VA) scan reports and alerts will be sent to email addresses configured at 'Send scan reports to'. This may help in reducing time required for identifying risks and taking corrective measures",
-  "RelatedUrl": "https://docs.microsoft.com/en-us/azure/sql-database/sql-vulnerability-assessment",
+  "Description": "**Azure SQL Server** vulnerability assessment uses **recurring scans** and emails results to designated recipients. This evaluates that VA is enabled and that `Send scan reports to` (or subscription admin notifications) is configured so scan reports are delivered.",
+  "Risk": "If VA reports aren't sent to responsible owners, findings can be missed, delaying fixes. Attackers may exploit misconfigurations, excessive permissions, or outdated settings, leading to data exposure (C), unauthorized changes (I), and potential service disruption (A).",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://learn.microsoft.com/en-us/azure/defender-for-cloud/sql-azure-vulnerability-assessment-enable",
+    "https://learn.microsoft.com/en-us/azure/defender-for-cloud/sql-azure-vulnerability-assessment-overview"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": "https://docs.prowler.com/checks/azure/azure-general-policies/ensure-that-va-setting-send-scan-reports-to-is-configured-for-a-sql-server#terraform"
+      "CLI": "az rest --method PUT --url \"https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Sql/servers/<SERVER_NAME>/vulnerabilityAssessments/Default?api-version=2023-08-01-preview\" --body '{\"properties\":{\"storageContainerPath\":\"https://<STORAGE_ACCOUNT>.blob.core.windows.net/<CONTAINER>\",\"storageAccountAccessKey\":\"<STORAGE_KEY>\",\"recurringScans\":{\"isEnabled\":true,\"emailSubscriptionAdmins\":true,\"emails\":[\"<EMAIL_ADDRESS>\"]}}}'",
+      "NativeIaC": "```bicep\n// Configure VA (classic) on a SQL Server and set recipients\nresource sqlServer 'Microsoft.Sql/servers@2021-11-01' existing = {\n  name: '<example_resource_name>'\n}\n\nresource va 'Microsoft.Sql/servers/vulnerabilityAssessments@2021-11-01' = {\n  name: 'Default'\n  parent: sqlServer\n  properties: {\n    storageContainerPath: 'https://<example_storage_account>.blob.core.windows.net/<example_container>' // CRITICAL: enables VA classic by setting storage container\n    storageAccountAccessKey: '<example_storage_key>'\n    recurringScans: {\n      isEnabled: true\n      emailSubscriptionAdmins: true // CRITICAL: configures scan report recipients (subscription admins)\n    }\n  }\n}\n```",
+      "Other": "1. In Azure Portal, go to SQL servers and select <your server>\n2. Under Security, open Vulnerability assessment\n3. Select a Storage account and Container, then Save\n4. In Recurring scans, turn On and enable Send to subscription admins (or add at least one email)\n5. Save",
+      "Terraform": "```hcl\n# Enable VA (classic) on a SQL Server and configure recipients\nresource \"azurerm_mssql_server_vulnerability_assessment\" \"<example_resource_name>\" {\n  server_id                = \"<example_resource_id>\"\n  storage_container_path   = \"https://<example_storage_account>.blob.core.windows.net/<example_container>\" # CRITICAL: enables VA classic by setting storage container\n  storage_account_access_key = \"<example_storage_key>\"\n\n  recurring_scans {\n    enabled                   = true\n    email_subscription_admins = true # CRITICAL: configures scan report recipients (subscription admins)\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "1. Go to SQL servers 2. Select a server instance 3. Select Microsoft Defender for Cloud 4. Select Configure next to Enablement status 5. Set Microsoft Defender for SQL to On 6. Under Vulnerability Assessment Settings, select a Storage Account 7. Set Periodic recurring scans to On 8. Under Send scan reports to, provide email addresses for data owners and stakeholders 9. Click Save",
-      "Url": "https://learn.microsoft.com/en-us/azure/defender-for-cloud/sql-azure-vulnerability-assessment-enable"
+      "Text": "Enable **Vulnerability Assessment**, keep **recurring scans** active, and configure `Send scan reports to` with accountable security owners or subscription admins. Integrate notifications with central alerting, apply **least privilege** to recipients, and enforce SLAs to triage and remediate findings promptly.",
+      "Url": "https://hub.prowler.com/check/sqlserver_va_scan_reports_configured"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "vulnerabilities"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": "Enabling the Microsoft Defender for SQL features will incur additional costs for each SQL server."