🛡️ Azure PostgreSQL Flexible Server require_secure_transport Parameter is not set to ON🟢

Contextual name: 🛡️ Flexible Server require_secure_transport Parameter is not set to ON🟢
ID: /ce/ca/azure/postgresql-database/flexible-server-require-secure-transport-parameter
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: SECURITY

Logic

🧠 prod.logic.yaml🟢
- 📗 Azure PostgreSQL Server
- 🔌 Azure PostgreSQL Server - object.extracts.yaml
- 🧪 test-data.json

Similar Policies

Cloud Conformity: Enable In-Transit Encryption for PostgreSQL Database Servers
Internal: dec-x-995424b7

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-x-995424b7	2

Description

Open File

Description

Enable require_secure_transport on PostgreSQL flexible servers.

Rationale

SSL connectivity helps to provide a new layer of security by connecting database server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between database server and client applications helps protect against "man in the middle" attacks by encrypting the data stream between the server and application.

Audit

From Azure Portal

Login to Azure Portal using https://portal.azure.com.

Go to Azure Database for PostgreSQL flexible servers.

For each database, under Settings, click Server parameters.

In the filter bar, type require_secure_transport.

Ensure that the VALUE for require_secure_transport is set to ON.

From Azure CLI

Ensure the below command returns a value of on:
az postgres flexible-server parameter show --resource-group <resourceGroup> --server-name <serverName> --name require_secure_transport
From PowerShell

Ensure the below command returns a value of on:

... see more

Remediation

Open File

Remediation

From Azure Portal

Login to Azure Portal using https://portal.azure.com.

Go to Azure Database for PostgreSQL flexible servers.

For each database, under Settings, click Server parameters.

In the filter bar, type require_secure_transport.

Set the VALUE for require_secure_transport to ON.

Click Save.

From Azure CLI

Use the below command to enable require_secure_transport:
az postgres flexible-server parameter set --resource-group <resourceGroup> --server-name <serverName> --name require_secure_transport --value on
From PowerShell
Update-AzPostgreSqlFlexibleServerConfiguration -ResourceGroupName <resourceGroup> -ServerName <serverName> -Name require_secure_transport -Value on

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Compliance
💼 APRA CPG 234 → 💼 54 Cryptographic techniques can be used to control access to sensitive data, both in storage and in transit. The strength of the cryptographic techniques deployed would be commensurate with the sensitivity and criticality of the data as well as other supplementary or compensating controls (refer to Attachment E for further guidance).		21	22	no data
💼 CIS Azure v3.0.0 → 💼 5.2.1 Ensure server parameter 'require_secure_transport' is set to 'ON' for PostgreSQL flexible server (Automated)			1	no data
💼 Cloudaware Framework → 💼 Data Encryption			44	no data
💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)		37	68	no data
💼 FedRAMP High Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	2	36	81	no data
💼 FedRAMP High Security Controls → 💼 AC-4(4) Flow Control of Encrypted Information (H)		25	26	no data
💼 FedRAMP High Security Controls → 💼 AC-17(2) Protection of Confidentiality and Integrity Using Encryption (M)(H)			17	no data
💼 FedRAMP High Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)	10	8	50	no data
💼 FedRAMP High Security Controls → 💼 SC-8 Transmission Confidentiality and Integrity (L)(M)(H)	1	8	17	no data
💼 FedRAMP High Security Controls → 💼 SC-8(1) Cryptographic Protection (L)(M)(H)		8	16	no data
💼 FedRAMP High Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)		16	24	no data
💼 FedRAMP High Security Controls → 💼 SC-23 Session Authenticity (M)(H)		7	13	no data
💼 FedRAMP High Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)	1	7	24	no data
💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			68	no data
💼 FedRAMP Low Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)			35	no data
💼 FedRAMP Low Security Controls → 💼 SC-8 Transmission Confidentiality and Integrity (L)(M)(H)	1		17	no data
💼 FedRAMP Low Security Controls → 💼 SC-8(1) Cryptographic Protection (L)(M)(H)			16	no data
💼 FedRAMP Low Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)			24	no data
💼 FedRAMP Low Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)	1		24	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			68	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	1		66	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-17(2) Protection of Confidentiality and Integrity Using Encryption (M)(H)			17	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)	7		44	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-8 Transmission Confidentiality and Integrity (L)(M)(H)	1		17	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-8(1) Cryptographic Protection (L)(M)(H)			16	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)			24	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-23 Session Authenticity (M)(H)			13	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)	1		24	no data
💼 ISO/IEC 27001:2013 → 💼 A.10.1.1 Policy on the use of cryptographic controls		18	19	no data
💼 ISO/IEC 27001:2013 → 💼 A.14.1.3 Protecting application services transactions		10	15	no data
💼 ISO/IEC 27001:2022 → 💼 5.14 Information transfer		8	10	no data
💼 NIST CSF v1.1 → 💼 PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)		10	44	no data
💼 NIST CSF v1.1 → 💼 PR.DS-2: Data-in-transit is protected		16	53	no data
💼 NIST CSF v1.1 → 💼 PR.DS-5: Protections against data leaks are implemented		47	91	no data
💼 NIST CSF v1.1 → 💼 PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity		22	27	no data
💼 NIST CSF v1.1 → 💼 PR.PT-4: Communications and control networks are protected		10	44	no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			142	no data
💼 NIST CSF v2.0 → 💼 PR.AA-06: Physical access to assets is managed, monitored, and enforced commensurate with risk			44	no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			148	no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			125	no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			142	no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			95	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(2) Information Flow Enforcement _ Processing Domains		30	32	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-17(2) Remote Access _ Protection of Confidentiality and Integrity Using Encryption		12	17	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-8(1) Transmission Confidentiality and Integrity _ Cryptographic Protection		8	15	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-28 Protection of Information at Rest	3	16	25	no data
💼 PCI DSS v3.2.1 → 💼 2.2.4 Configure system security parameters to prevent misuse.			16	no data
💼 PCI DSS v3.2.1 → 💼 2.3 Encrypt all non-console administrative access using strong cryptography.		3	9	no data
💼 PCI DSS v3.2.1 → 💼 4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.	1	8	22	no data
💼 PCI DSS v3.2.1 → 💼 8.2.1 Using strong cryptography, render all authentication credentials unreadable during transmission and storage on all system components.			14	no data
💼 PCI DSS v4.0.1 → 💼 2.2.6 System security parameters are configured to prevent misuse.			16	no data
💼 PCI DSS v4.0.1 → 💼 2.2.7 All non-console administrative access is encrypted using strong cryptography.			9	no data
💼 PCI DSS v4.0.1 → 💼 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks.	2		22	no data
💼 PCI DSS v4.0.1 → 💼 8.3.2 Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components.			14	no data
💼 PCI DSS v4.0 → 💼 2.2.6 System security parameters are configured to prevent misuse.		12	16	no data
💼 PCI DSS v4.0 → 💼 2.2.7 All non-console administrative access is encrypted using strong cryptography.		4	9	no data
💼 PCI DSS v4.0 → 💼 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks.	2	9	22	no data
💼 PCI DSS v4.0 → 💼 8.3.2 Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components.		6	14	no data
💼 SOC 2 → 💼 CC6.7-2 Uses Encryption Technologies or Secure Communication Channels to Protect Data		6	8	no data

Logic​

Similar Policies​

Similar Internal Rules​

Description​

Description​

Rationale​

Audit​

From Azure Portal​

From Azure CLI​

From PowerShell​

Remediation​

Remediation​

From Azure Portal​

From Azure CLI​

From PowerShell​

policy.yaml​

Linked Framework Sections​

Logic

Similar Policies

Similar Internal Rules

Description

Description

Rationale

Audit

From Azure Portal

From Azure CLI

From PowerShell

Remediation

Remediation

From Azure Portal

From Azure CLI

From PowerShell

policy.yaml

Linked Framework Sections