Skip to main content

πŸ›‘οΈ Azure PostgreSQL Flexible Server connection_throttle.enable Parameter is not set to ON🟒

  • Contextual name: πŸ›‘οΈ Flexible Server connection_throttle.enable Parameter is not set to ON🟒
  • ID: /ce/ca/azure/postgresql-database/flexible-server-connection-throttle-enable-parameter
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY, RELIABILITY, PERFORMANCE

Logic​

Similar Policies​

Similar Internal Rules​

RulePoliciesFlags
βœ‰οΈ dec-x-850beea81

Description​

Open File

Description​

Enable connection throttling on PostgreSQL flexible servers.

Rationale​

Enabling connection_throttling helps PostgreSQL limit concurrent connections that could lead to a Denial of Service (DoS) attack by exhausting connection resources. A system can also fail or be degraded by an overload of legitimate users. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and suboptimal performance.

Audit​

From Azure Portal​
  1. Log in to Azure Portal using https://portal.azure.com.
  2. Go to Azure Database for PostgreSQL flexible servers.
  3. For each database, under Settings, click Server parameters.
  4. In the filter bar, type connection_throttle.enable.
  5. Ensure that VALUE for connection_throttle.enable is set to ON.
From Azure CLI​

Ensure the following command returns a value of ON:

az postgres flexible-server parameter show \
    --resource-group {{resource-group-name}} \
    --server-name {{server-name}} \
    --name connection_throttle.enable

... see more

Remediation​

Open File

Remediation​

From Azure Portal​

  1. Log in to Azure Portal using https://portal.azure.com.
  2. Go to Azure Database for PostgreSQL flexible servers.
  3. For each database, under Settings, click Server parameters.
  4. Search for connection_throttle.enable.
  5. Set connection_throttle.enable to ON.
  6. Click Save.

From Azure CLI​

Use the following command to enable connection_throttle.enable:

az postgres flexible-server parameter set \
    --resource-group {{resource-group-name}} \
    --server-name {{server-name}} \
    --name connection_throttle.enable \
    --value on

From PowerShell​

Use the following command to update connection_throttle.enable:

Update-AzPostgreSqlFlexibleServerConfiguration `
    -ResourceGroupName {{resource-group-name}} `
    -ServerName {{server-name}} `
    -Name connection_throttle.enable `
    -Value on

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
πŸ’Ό CIS Azure v1.1.0 β†’ πŸ’Ό 4.17 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server11no data
πŸ’Ό CIS Azure v1.3.0 β†’ πŸ’Ό 4.3.6 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server - Level 1 (Automated)11no data
πŸ’Ό CIS Azure v1.4.0 β†’ πŸ’Ό 4.3.5 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server - Level 1 (Automated)11no data
πŸ’Ό CIS Azure v1.5.0 β†’ πŸ’Ό 4.3.5 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server - Level 1 (Automated)11no data
πŸ’Ό CIS Azure v2.0.0 β†’ πŸ’Ό 4.3.5 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server - Level 1 (Automated)11no data
πŸ’Ό CIS Azure v2.1.0 β†’ πŸ’Ό 4.3.5 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server - Level 1 (Automated)11no data
πŸ’Ό CIS Azure v3.0.0 β†’ πŸ’Ό 5.2.3 Ensure server parameter 'connection_throttle.enable' is set to 'ON' for PostgreSQL flexible server (Automated)1no data
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Logging and Monitoring Configuration75no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό CP-9 System Backup (L)(M)(H)5414no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SI-4 System Monitoring (L)(M)(H)145062no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SI-4(4) Inbound and Outbound Communications Traffic (M)(H)68no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό CP-9 System Backup (L)(M)(H)12no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SI-4 System Monitoring (L)(M)(H)10no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό CP-9 System Backup (L)(M)(H)214no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SI-4 System Monitoring (L)(M)(H)713no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SI-4(4) Inbound and Outbound Communications Traffic (M)(H)8no data
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.17.1.2 Implementing information security continuity33no data
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 8.15 Logging1834no data
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 8.20 Networks security514no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed1034no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό DE.AE-2: Detected events are analyzed to understand attack targets and methods1824no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό DE.AE-3: Event data are collected and correlated from multiple sources and sensors1838no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό DE.AE-4: Impact of events is determined1314no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό DE.CM-1: The network is monitored to detect potential cybersecurity events1863no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό DE.CM-5: Unauthorized mobile code is detected1112no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events67no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed1824no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό DE.DP-2: Detection activities comply with all applicable requirements67no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό DE.DP-3: Detection processes are tested1314no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό DE.DP-4: Event detection information is communicated2933no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό DE.DP-5: Detection processes are continuously improved1316no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό ID.BE-4: Dependencies and critical functions for delivery of critical services are established3no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations)33no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό ID.RA-1: Asset vulnerabilities are identified and documented1316no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.IP-4: Backups of information are conducted, maintained, and tested48no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.IP-8: Effectiveness of protection technologies is shared67no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed33no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.PT-5: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations33no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό RS.AN-1: Notifications from detection systems are investigated1824no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.AE-02: Potentially adverse events are analyzed to better understand associated activities50no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.AE-03: Information is correlated from multiple sources65no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.AE-04: The estimated impact and scope of adverse events are understood14no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.AE-06: Information on adverse events is provided to authorized staff and tools33no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.AE-07: Cyber threat intelligence and other contextual information are integrated into the analysis38no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-01: Networks and network services are monitored to find potentially adverse events180no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events100no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-06: External service provider activities and services are monitored to find potentially adverse events50no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events181no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό GV.OC-04: Critical objectives, capabilities, and services that external stakeholders depend on or expect from the organization are understood and communicated3no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό GV.OC-05: Outcomes, capabilities, and services that the organization depends on are understood and communicated3no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained89no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties59no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities60no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.IM-04: Incident response plans and other cybersecurity plans that affect operations are established, communicated, maintained, and improved3no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded46no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-11: Backups of data are created, protected, maintained, and tested15no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.IR-03: Mechanisms are implemented to achieve resilience requirements in normal and adverse situations21no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό RS.MA-02: Incident reports are triaged and validated25no data
πŸ’Ό SOC 2 β†’ πŸ’Ό CC4.2-3 Monitors Corrective Action66no data
πŸ’Ό SOC 2 β†’ πŸ’Ό CC5.2-3 Establishes Relevant Security Management Process Controls Activities1536no data