Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled'

Enable encryption at rest for PostgreSQL Databases

Risk Level: Low
Cloud Entity: Azure Database for PostgreSQL
CloudGuard Rule ID: D9.AZU.CRY.36
Covered by Spectral: Yes
Category: Database

GSL LOGIC

PostgreSQL should have infrastructureEncryption='Enabled'

REMEDIATION

From Portal

  1. Go through the normal process of database creation.
  2. On step 2, titled 'Additional settings', ensure that 'Infrastructure double encryption enabled' is checked.
  3. Acknowledge that you understand this will impact database performance.
  4. Finish database creation as normal.
  5. On the final 'Review + create' screen, confirm that 'Infrastructure (Double) encryption' is shown as 'Enabled' at the very bottom of the database properties.

From TF
Set 'infrastructure_encryption_enabled' to 'true':

resource "azurerm_postgresql_server" "example" {
	# ...
	infrastructure_encryption_enabled = true
	# ...
}

From Command Line
Run

az postgres server create --resource-group RESOURCEGROUPNAME --name SERVERNAME --location LOCATION --admin-user USERNAME --admin-password PASSWORD --sku-name SKUNAME --version 11 --infrastructure-encryption 'Enabled'

Note: Configuring Infrastructure double encryption for Azure Database for PostgreSQL is only allowed during server creation; an existing server cannot be changed in place.
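Because the setting cannot be changed after creation, the practical first step is to find which existing servers fail the GSL check above. The following added example (not part of the CloudGuard rule or the Azure CLI) evaluates the rule's condition, infrastructureEncryption = 'Enabled', over the JSON that `az postgres server list -o json` emits; the sample data and the field name it relies on are assumptions, so verify the property name against your own CLI output before relying on it.

```python
import json
import sys

# Constructed sample standing in for `az postgres server list -o json`.
# Subscription ids, resource groups and server names are placeholders.
SAMPLE_AZ_OUTPUT = json.dumps([
    {
        "id": "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/rg-app"
              "/providers/Microsoft.DBforPostgreSQL/servers/pg-orders",
        "name": "pg-orders",
        "resourceGroup": "rg-app",
        "infrastructureEncryption": "Enabled",   # passes D9.AZU.CRY.36
    },
    {
        "id": "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/rg-analytics"
              "/providers/Microsoft.DBforPostgreSQL/servers/pg-reporting",
        "name": "pg-reporting",
        "resourceGroup": "rg-analytics",
        "infrastructureEncryption": "Disabled",  # fails: must be re-created
    },
    {
        # A server record with the property missing entirely (assumed shape);
        # the check treats anything other than the literal 'Enabled' as failing.
        "id": "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/rg-legacy"
              "/providers/Microsoft.DBforPostgreSQL/servers/pg-legacy",
        "name": "pg-legacy",
        "resourceGroup": "rg-legacy",
    },
])


def is_compliant(server: dict) -> bool:
    """GSL logic of the rule: PostgreSQL should have infrastructureEncryption='Enabled'."""
    return server.get("infrastructureEncryption") == "Enabled"


def evaluate(az_json: str) -> dict:
    """Split a CLI server listing into compliant and non-compliant server names."""
    servers = json.loads(az_json)
    return {
        "compliant": [s["name"] for s in servers if is_compliant(s)],
        "non_compliant": [s["name"] for s in servers if not is_compliant(s)],
    }


if __name__ == "__main__":
    # Pipe real output in: az postgres server list -o json | python check_pg_double_encryption.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AZ_OUTPUT
    for name in evaluate(data)["non_compliant"]:
        print(f"NON-COMPLIANT (D9.AZU.CRY.36): {name} lacks infrastructure double encryption")
```

Servers reported as non-compliant can only be brought into line by creating a replacement server with the flag set, as the remediation above describes, and migrating the data to it.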

References

  1. https://docs.microsoft.com/en-us/cli/azure/postgres/server?view=azure-cli-latest#az-postgres-server-create
  2. https://docs.microsoft.com/en-us/cli/azure/mysql/flexible-server/parameter?view=azure-cli-latest#az-mysql-flexible-server-parameter-set
  3. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_server#infrastructure_encryption_enabled

Azure Database for PostgreSQL

Azure Database for PostgreSQL is a relational database service based on the open-source Postgres database engine. It's a fully managed database-as-a-service offering that can handle mission-critical workloads with predictable performance, security, high availability, and dynamic scalability. It's available in two deployment options, Single Server and Hyperscale (Citus) (preview). The Hyperscale (Citus) option horizontally scales queries across multiple machines using sharding, and serves applications that require greater scale and performance.

Compliance Frameworks

  • Azure CIS Foundations v. 1.4.0
  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v. 2.0
  • Azure CloudGuard Best Practices
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset