Microsoft AzureOverview
Enable SSL connection on Standard MySQL Database servers.
Rationale
SSL connectivity helps to provide a new layer of security, by connecting the database server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between database server and client applications helps protect against "man-in-the-middle" attacks by encrypting the data stream between the server and application.
Remediation guidance
From Azure Console
- Go to
Azure Database for MySQL servers - For each
Azure Database for MySQL single server, underSettings, selectConnection security - Under the
SSL settingsheader, click onENABLEDforEnforce SSL connection
Using Azure Command Line
Use the below command to set MYSQL Databases to Enforce SSL connection.
az mysql server update --resource-group <resourceGroupName> --name <serverName> --ssl-enforcement Enabled
References:
- https://learn.microsoft.com/en-us/azure/mysql/concepts-ssl-connection-security
- https://learn.microsoft.com/en-us/azure/mysql/howto-configure-ssl
- https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-3-encrypt-sensitive-data-in-transit
Multiple Remediation Paths
Azure
SERVICE-WIDE (RECOMMENDED when many resources are affected): Assign Azure Policy initiatives at management group/subscription scope and trigger remediation tasks.
az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>
ASSET-LEVEL: Apply the resource-specific remediation steps above to the listed non-compliant resources.
PREVENTIVE: Embed Azure Policy checks into landing zones and IaC workflows to block or auto-remediate drift.
References for Service-Wide Patterns
- Azure Policy overview: https://learn.microsoft.com/en-us/azure/governance/policy/overview
- Azure Policy remediation: https://learn.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources
- Azure Policy initiative structure: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/initiative-definition-structure
Operational Rollout Workflow
Use this sequence to reduce risk and avoid repeated drift.
1. Contain at Service-Wide Scope First (Recommended)
- Azure: assign policy initiatives at management group/subscription scope and run remediation tasks.
az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>
2. Remediate Existing Affected Assets
- Execute the control-specific Console/CLI steps documented above for each flagged resource.
- Prioritize internet-exposed and production assets first.
3. Validate and Prevent Recurrence
- Re-scan after each remediation batch.
- Track exceptions with owner and expiry date.
- Add preventive checks in IaC/CI pipelines.
Query logic
These are the stored checks tied to this control.
'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server
Connectors
Covered asset types
Expected check: eq []
{mySqlServers(where:{sslEnforcement_MATCHES:"(?i)^((?!enabled).)*$"},){...AssetFragment}}
