Azure SQL Managed Instance STIG Checklist
Hard · 20 items · 4 hours
testuser · Published 1 month ago
This checklist translates DISA’s Azure SQL Managed Instance STIG into practical configuration and verification tasks for administrators and compliance teams. It’s intended for DoD and federal cloud operators, security engineers, and IT staff configuring Azure SQL Managed Instance for secure, compliant operation.
- Obtain the official DISA STIG for Azure SQL Managed Instance — Download the latest STIG from https://cyber.mil/ or public.cyber.mil if needed.
- Confirm deployment is in a DoD tenant with applicable FedRAMP controls — Ensure the subscription/tenant meets DoD/FedRAMP obligations before applying STIG controls.
- Restrict network access using private endpoints and virtual network integration — A managed instance is always deployed into a delegated subnet of a virtual network; keep all client traffic inside that network (or over Private Link) rather than over the public endpoint.
- Create private endpoints and dedicated subnets for the managed instance — Use Private Link and an isolated, delegated subnet so the instance is reachable only from approved networks.
- Disable the public endpoint and enforce virtual network-only access — The public data endpoint (TCP 3342) is off by default; leave it off unless a documented exception requires it.
- Configure network security group (NSG) rules on the managed instance subnet to limit allowed source ranges — Managed Instance has no server-level firewall like Azure SQL Database; inbound access is governed by the subnet's NSG. Allow only the client ranges that need the instance and use service tags where appropriate.
- Enforce Azure AD (now Microsoft Entra ID) authentication and disable SQL authentication where possible — Set the instance to Entra-only authentication so SQL logins cannot be used, and prefer managed identities and Entra logins over SQL logins and passwords.
- Enable multi-factor authentication for all administrative accounts — Require MFA for admin roles accessing the managed instance.
- Configure role-based access control and least-privilege for DB admins — Assign only required roles; avoid broad contributor permissions.
- Enable Transparent Data Encryption (TDE) for the managed instance — TDE is on by default for newly created databases; verify it for every database, including restored or migrated ones, and use service-managed keys or customer-managed keys in Azure Key Vault per policy.
- Enforce TLS 1.2 or higher for in-transit encryption — Set the instance's minimal TLS version to 1.2 so TLS 1.0/1.1 connections are refused, and configure clients to require encryption and validate the server certificate rather than trusting it blindly.
- Enable managed identities for services and remove embedded credentials — Use managed identities for automated services instead of secrets.
- Enable auditing and send logs to Log Analytics or a SIEM — Capture admin actions, schema changes, and access events for review.
- Send audit logs to a Log Analytics workspace — Configure workspace or event hub integration for centralized logging.
- Set audit log retention per DoD policy — Apply the retention period required by your compliance mandate.
- Enable Advanced Threat Protection (now part of Microsoft Defender for SQL) and run vulnerability assessments — Activate threat detection and schedule recurring vulnerability assessment scans; track and remediate the findings.
- Implement automated backups and verify restore procedures — Confirm point-in-time and long-term retention settings meet policy, then perform a test restore to prove the backups are usable.
- Validate patching and maintenance schedules for the managed instance — Confirm vendor and platform patches are applied per maintenance window.
- Configure alerting for suspicious activity and failed login attempts — Send alerts to SOC or on-call teams for rapid investigation.
- Review and document configuration, exceptions, and STIG change contact — Record deviations, remediation plans, and send STIG comments to DISA.
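As an added example (not part of this checklist, and not DISA or Microsoft tooling), the following Python script evaluates the saved output of `az sql mi show --resource-group <rg> --name <mi> -o json` against the control-plane items above: public endpoint disabled, minimal TLS version 1.2, Entra-only (Azure AD-only) authentication, and a managed identity assigned to the instance. Property names are those of the `Microsoft.Sql/managedInstances` resource as the CLI prints them; because ARM and the CLI differ in casing for some keys, lookups are case-insensitive. The two sample documents are constructed, and the check names are the script's own.

```python
import json
import sys
from pathlib import Path
from typing import Any

# Constructed samples shaped like `az sql mi show -o json` output, trimmed to the
# properties the checks read. Not captured from a real instance.
NONCOMPLIANT_MI_JSON = """
{
  "name": "mi-example",
  "administrators": {"administratorType": "ActiveDirectory",
                     "azureAdOnlyAuthentication": false,
                     "login": "sqlmi-admins@contoso.example"},
  "identity": {"type": "SystemAssigned"},
  "minimalTlsVersion": "1.1",
  "publicDataEndpointEnabled": true
}
"""

COMPLIANT_MI_JSON = """
{
  "name": "mi-example",
  "administrators": {"administratorType": "ActiveDirectory",
                     "azureAdOnlyAuthentication": true,
                     "login": "sqlmi-admins@contoso.example"},
  "identity": {"type": "SystemAssigned,UserAssigned"},
  "minimalTlsVersion": "1.2",
  "publicDataEndpointEnabled": false
}
"""


def _get(obj: Any, *path: str) -> Any:
    """Walk nested dicts, matching keys case-insensitively.

    ARM emits `azureADOnlyAuthentication`, the CLI `azureAdOnlyAuthentication`;
    an exact lookup would miss one of them and wrongly report the setting absent.
    """
    for key in path:
        if not isinstance(obj, dict):
            return None
        match = next((k for k in obj if k.lower() == key.lower()), None)
        if match is None:
            return None
        obj = obj[match]
    return obj


def _tls_tuple(version: Any) -> tuple:
    """'1.2' -> (1, 2). 'None' or a missing value means no floor is enforced."""
    if not isinstance(version, str) or version.lower() == "none":
        return (0, 0)
    try:
        return tuple(int(p) for p in version.split("."))
    except ValueError:
        return (0, 0)


def evaluate(mi: dict) -> list:
    """Return (check, passed, detail) triples for one instance document."""
    findings = []

    public = _get(mi, "publicDataEndpointEnabled")
    findings.append(("public-endpoint-disabled", public is False,
                     f"publicDataEndpointEnabled={public!r} (expected False)"))

    tls = _get(mi, "minimalTlsVersion")
    findings.append(("tls-1.2-minimum", _tls_tuple(tls) >= (1, 2),
                     f"minimalTlsVersion={tls!r} (expected '1.2' or higher)"))

    admin_type = _get(mi, "administrators", "administratorType")
    aad_only = _get(mi, "administrators", "azureADOnlyAuthentication")
    findings.append(("entra-only-auth",
                     admin_type == "ActiveDirectory" and aad_only is True,
                     f"administratorType={admin_type!r}, "
                     f"azureADOnlyAuthentication={aad_only!r} "
                     "(expected 'ActiveDirectory' and True)"))

    # identity is null when no managed identity is assigned; the type string may
    # list both kinds, e.g. "SystemAssigned,UserAssigned".
    identity = _get(mi, "identity", "type") or "None"
    findings.append(("managed-identity-assigned",
                     "SystemAssigned" in identity or "UserAssigned" in identity,
                     f"identity.type={identity!r} (expected an assigned identity)"))
    return findings


def failed_checks(mi_json: str) -> list:
    """Names of the checks that fail for the given JSON text."""
    return [name for name, ok, _ in evaluate(json.loads(mi_json)) if not ok]


if __name__ == "__main__":
    # Usage: python mi_check.py mi.json   (falls back to the built-in sample)
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else NONCOMPLIANT_MI_JSON
    for name, ok, detail in evaluate(json.loads(text)):
        print(f"{'PASS' if ok else 'FAIL'}  {name:<26} {detail}")
```

Save the CLI output to a file and pass its path; a non-empty result from `failed_checks` is the list of checklist items still open for that instance. The script reads the control plane only: database-level items (TDE state per database, auditing targets, backup retention) need their own queries and are not covered here.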