Azure Database for MySQL Flexible Server audit configuration includes the CONNECTION event in audit_log_events.
Risk
Without CONNECTION auditing, login attempts are invisible, weakening detection of brute-force, credential stuffing, and anomalous access. This enables unnoticed account takeover and lateral movement, impacting confidentiality and integrity, and hinders forensics and timely response.
prowler azure --checks mysql_flexible_server_audit_log_connection_activated
Recommendation
Include CONNECTION in audit_log_events to capture login activity. Centralize and retain audit logs, restrict access by least privilege, and protect logs from tampering. Monitor for anomalous sign-in patterns and alert. Pair with defense-in-depth controls (MFA, network allow-listing) to reduce exposure.
Remediation
az mysql flexible-server parameter set --resource-group <RESOURCE_GROUP> --server-name <SERVER_NAME> --name audit_log_events --value CONNECTION
- In the Azure Portal, go to Azure Database for MySQL flexible server
- Select your server, then go to Server parameters
- Search for audit_log_events
- Set its value to CONNECTION
- Click Save
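The CLI command above sets audit_log_events to CONNECTION only, which replaces any event classes already configured on the server. The script below is an added example (not part of the Prowler check or of Azure's documentation) that reads the current value and appends CONNECTION only when it is missing; the function names are hypothetical, and it assumes `az` is installed and logged in.

```shell
#!/bin/sh
# Added example: add CONNECTION to audit_log_events without dropping existing events.
# Usage: sh add_connection_audit.sh <RESOURCE_GROUP> <SERVER_NAME>

# Upper-case the list, strip whitespace, drop empty and duplicate items.
normalize_events() {
  printf '%s' "$1" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]' |
    awk -F, '{ out = ""
               for (i = 1; i <= NF; i++)
                 if ($i != "" && !seen[$i]++) out = out (out == "" ? "" : ",") $i
               print out }'
}

# Exit status 0 only if CONNECTION is a whole list item (not a substring of another item).
has_connection_event() {
  case ",$(normalize_events "$1")," in
    *,CONNECTION,*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the event list with CONNECTION appended when it is absent.
merge_connection_event() {
  events=$(normalize_events "$1")
  if has_connection_event "$events"; then
    printf '%s\n' "$events"
  elif [ -z "$events" ]; then
    printf 'CONNECTION\n'
  else
    printf '%s,CONNECTION\n' "$events"
  fi
}

# Read the server's current value, merge, and write it back only if it changed.
enable_connection_audit() {  # $1 = resource group, $2 = server name
  current=$(az mysql flexible-server parameter show \
    --resource-group "$1" --server-name "$2" \
    --name audit_log_events --query value --output tsv) || return 1
  if has_connection_event "$current"; then
    echo "CONNECTION already audited: $current"
    return 0
  fi
  az mysql flexible-server parameter set \
    --resource-group "$1" --server-name "$2" \
    --name audit_log_events --value "$(merge_connection_event "$current")"
}

# Touch Azure only when both arguments are supplied.
if [ "$#" -eq 2 ]; then enable_connection_audit "$1" "$2"; fi
```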
Resource Type
microsoft.dbformysql/flexibleservers