Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server

Enforcing SSL (in practice TLS) connections between the database server and client applications encrypts the data stream between them, so credentials and query data in transit are protected from eavesdropping and tampering. Note that this server-side setting only guarantees that connections are encrypted; protection against a 'man in the middle' also requires the client to verify the server certificate (for example, libpq sslmode=verify-full with the Azure root CA configured as sslrootcert). A client that connects with sslmode=require does not check the certificate and can still be intercepted by an attacker presenting their own.

Risk Level: High
Cloud Entity: Azure Database for PostgreSQL
CloudGuard Rule ID: D9.AZU.CRY.17
Covered by Spectral: Yes
Category: Database

GSL LOGIC

PostgreSQL should have sslEnforcement='Enabled'

REMEDIATION

From Portal

  1. Go to 'PostgreSQL server' from Azure Management console and choose your PostgreSQL database server that you want to examine.
  2. In the navigation panel, under Settings, select Connection security.
  3. On the Connection security configuration page, under SSL settings section, select ENABLED next to Enforce SSL connection setting.
  4. Click Save.

From TF
Set 'ssl_enforcement_enabled' to 'true' (HCL requires double quotes around the resource type and name):

resource "azurerm_postgresql_server" "example" {
	..
	ssl_enforcement_enabled = true
	..
}

From Command Line
Run

az postgres server update --name SERVERNAME --resource-group RESOURCEGROUPNAME --ssl-enforcement Enabled
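
The following is an added example, not CloudGuard's own implementation of rule D9.AZU.CRY.17. It applies the GSL condition above (sslEnforcement must equal 'Enabled') to the JSON that 'az postgres server list -o json' returns, and goes one step further than the rule by also flagging servers whose minimalTlsVersion still permits TLS 1.0/1.1, which SSL enforcement alone does not prevent. For each finding it produces the 'az postgres server update' command from the remediation section, adding the CLI's '--minimal-tls-version TLS1_2' flag. The sample server list is constructed for the example; the client_dsn helper illustrates the client-side certificate verification the rule's 'man in the middle' claim depends on.

```python
"""Audit Azure Database for PostgreSQL servers for SSL/TLS enforcement.

Added example (not CloudGuard's or Azure's code). Reads the JSON shape
produced by `az postgres server list -o json`, evaluates the GSL rule
sslEnforcement='Enabled', additionally checks minimalTlsVersion, and
emits the matching `az postgres server update` remediation command.
"""
import json
import shlex

# Constructed sample, shaped like `az postgres server list -o json` output.
# Only the fields this check reads are included.
SAMPLE_AZ_OUTPUT = json.dumps([
    {"name": "pg-prod-01", "resourceGroup": "rg-prod",
     "sslEnforcement": "Enabled", "minimalTlsVersion": "TLS1_2"},
    {"name": "pg-legacy-02", "resourceGroup": "rg-legacy",
     "sslEnforcement": "Disabled", "minimalTlsVersion": "TLSEnforcementDisabled"},
    {"name": "pg-dev-03", "resourceGroup": "rg-dev",
     "sslEnforcement": "Enabled", "minimalTlsVersion": "TLS1_0"},
])

# Accepted minimalTlsVersion values are TLS1_0, TLS1_1, TLS1_2 and
# TLSEnforcementDisabled; only TLS1_2 is considered compliant here.
COMPLIANT_TLS_VERSIONS = {"TLS1_2"}


def remediation_command(name, resource_group):
    """Build the CLI fix for one server. Values are shell-quoted so the
    output can be pasted or executed safely."""
    return (
        "az postgres server update"
        f" --name {shlex.quote(name)}"
        f" --resource-group {shlex.quote(resource_group)}"
        " --ssl-enforcement Enabled"
        " --minimal-tls-version TLS1_2"
    )


def audit(az_json_text):
    """Evaluate each server and return a list of findings.

    A finding is a dict with name, resourceGroup, reason and fix. The first
    check is exactly the GSL rule; the second is the stricter TLS-version
    check that this example adds beyond the rule.
    """
    findings = []
    for server in json.loads(az_json_text):
        name = server["name"]
        rg = server["resourceGroup"]
        if server.get("sslEnforcement") != "Enabled":
            reason = "sslEnforcement is not 'Enabled' (rule D9.AZU.CRY.17)"
        elif server.get("minimalTlsVersion") not in COMPLIANT_TLS_VERSIONS:
            reason = (f"minimalTlsVersion={server.get('minimalTlsVersion')}"
                      " still permits TLS versions below 1.2")
        else:
            continue
        findings.append({"name": name, "resourceGroup": rg, "reason": reason,
                         "fix": remediation_command(name, rg)})
    return findings


def client_dsn(host, user, dbname, ca_bundle_path):
    """libpq connection string that makes the client verify the server
    certificate. verify-full checks the chain against ca_bundle_path and
    that the hostname matches; 'require' would encrypt but not verify.
    (Hypothetical values are supplied by the caller.)"""
    return (f"host={host} user={user} dbname={dbname}"
            f" sslmode=verify-full sslrootcert={ca_bundle_path}")


if __name__ == "__main__":
    for finding in audit(SAMPLE_AZ_OUTPUT):
        print(f"{finding['resourceGroup']}/{finding['name']}: {finding['reason']}")
        print(f"  fix: {finding['fix']}")
```

To run this against a real subscription, replace SAMPLE_AZ_OUTPUT with the text of 'az postgres server list -o json'; the audit function itself makes no network calls.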

References

  1. https://docs.microsoft.com/en-us/cli/azure/postgres/server?view=azure-cli-latest#az-postgres-server-update
  2. https://docs.microsoft.com/en-us/azure/postgresql/concepts-ssl-connection-security
  3. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_server

Azure Database for PostgreSQL

Azure Database for PostgreSQL is a relational database service based on the open-source Postgres database engine. It's a fully managed database as a service offering that can handle mission-critical workloads with predictable performance, security, high availability, and dynamic scalability. It's available in two deployment options, Single Server and Hyperscale (Citus) (preview). The Hyperscale (Citus) option horizontally scales queries across multiple machines using sharding, and serves applications that require greater scale and performance.

Compliance Frameworks

  • AZU PCI-DSS 4.0
  • Azure CIS Foundations v. 1.1.0
  • Azure CIS Foundations v. 1.2.0
  • Azure CIS Foundations v. 1.3.0
  • Azure CIS Foundations v. 1.3.1
  • Azure CIS Foundations v. 1.4.0
  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v.2.0
  • Azure CSA CCM v.4.0.1
  • Azure CloudGuard Best Practices
  • Azure HITRUST v9.5.0
  • Azure ITSG-33
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset
  • Microsoft Cloud Security Benchmark