🛡️ Azure PostgreSQL Single Server Enforce SSL Connection is not set enabled🟢

• Contextual name: 🛡️ Single Server Enforce SSL Connection is not set enabled🟢
• ID: /ce/ca/azure/postgresql-database/single-server-enforce-ssl-connection
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 Azure PostgreSQL Server
  • 🔌 Azure PostgreSQL Server - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• Cloud Conformity: Enable In-Transit Encryption for PostgreSQL Database Servers
• Internal: dec-x-995424b7

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-x-995424b7	2

Description

Open File

Description

Enable SSL connection on PostgreSQL Servers.

Rationale

SSL connectivity provides an additional layer of security by connecting the database server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between the database server and client applications helps protect against "man in the middle" attacks by encrypting the data stream between the server and application.

Audit

From Azure Portal

1. Log in to Azure Portal using https://portal.azure.com.
2. Go to Azure Database for PostgreSQL server.
3. For each database, click on Connection security.
4. In SSL settings, ensure Enforce SSL connection is set to ENABLED.

From Azure CLI

Ensure the output of the following command returns Enabled:

az postgres server show \
    --resource-group {{resource-group-name}} \
    --name {{server-name}} \
    --query sslEnforcement

From PowerShell

Ensure the output of the following command returns Enabled:

Get-AzPostgreSqlServer `
    -ResourceGroupName {{resource-group-name}} `

... [see more](description.md)

Remediation

Open File

Remediation

From Azure Portal

1. Log in to Azure Portal using https://portal.azure.com.
2. Go to Azure Database for PostgreSQL server.
3. For each database, click on Connection security.
4. In SSL settings, click on ENABLED to enforce SSL connections.
5. Click Save.

From Azure CLI

Use the following command to enforce SSL connections for PostgreSQL:

az postgres server update \
    --resource-group {{resource-group-name}} \
    --name {{server-name}} \
    --ssl-enforcement Enabled

From PowerShell

Update-AzPostgreSqlServer `
    -ResourceGroupName {{resource-group-name}} `
    -ServerName {{server-name}} `
    -SslEnforcement Enabled

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 APRA CPG 234 → 💼 54 Cryptographic techniques can be used to control access to sensitive data, both in storage and in transit. The strength of the cryptographic techniques deployed would be commensurate with the sensitivity and criticality of the data as well as other supplementary or compensating controls (refer to Attachment E for further guidance).		21	22		no data
💼 CIS Azure v1.1.0 → 💼 4.13 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server		1	1		no data
💼 CIS Azure v1.3.0 → 💼 4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server - Level 1 (Automated)		1	1		no data
💼 CIS Azure v1.4.0 → 💼 4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server - Level 1 (Automated)		1	1		no data
💼 CIS Azure v1.5.0 → 💼 4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server - Level 1 (Automated)		1	1		no data
💼 CIS Azure v2.0.0 → 💼 4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server - Level 1 (Automated)		1	1		no data
💼 CIS Azure v2.1.0 → 💼 4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server - Level 1 (Automated)		1	1		no data
💼 Cloudaware Framework → 💼 Data Encryption			61		no data
💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)		37	84		no data
💼 FedRAMP High Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	2	37	105		no data
💼 FedRAMP High Security Controls → 💼 AC-4(4) Flow Control of Encrypted Information (H)		26	27		no data
💼 FedRAMP High Security Controls → 💼 AC-17(2) Protection of Confidentiality and Integrity Using Encryption (M)(H)			21		no data
💼 FedRAMP High Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)	10	8	84		no data
💼 FedRAMP High Security Controls → 💼 SC-8 Transmission Confidentiality and Integrity (L)(M)(H)	1	8	25		no data
💼 FedRAMP High Security Controls → 💼 SC-8(1) Cryptographic Protection (L)(M)(H)		8	24		no data
💼 FedRAMP High Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)		16	43		no data
💼 FedRAMP High Security Controls → 💼 SC-23 Session Authenticity (M)(H)		7	21		no data
💼 FedRAMP High Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)	1	7	36		no data
💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			84		no data
💼 FedRAMP Low Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)			49		no data
💼 FedRAMP Low Security Controls → 💼 SC-8 Transmission Confidentiality and Integrity (L)(M)(H)	1		25		no data
💼 FedRAMP Low Security Controls → 💼 SC-8(1) Cryptographic Protection (L)(M)(H)			24		no data
💼 FedRAMP Low Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)			43		no data
💼 FedRAMP Low Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)	1		36		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			84		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	1		89		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-17(2) Protection of Confidentiality and Integrity Using Encryption (M)(H)			21		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)	7		68		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-8 Transmission Confidentiality and Integrity (L)(M)(H)	1		25		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-8(1) Cryptographic Protection (L)(M)(H)			24		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)			43		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-23 Session Authenticity (M)(H)			21		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)	1		36		no data
💼 ISO/IEC 27001:2013 → 💼 A.10.1.1 Policy on the use of cryptographic controls		18	19		no data
💼 ISO/IEC 27001:2013 → 💼 A.14.1.3 Protecting application services transactions		10	15		no data
💼 ISO/IEC 27001:2022 → 💼 5.14 Information transfer		8	10		no data
💼 NIST CSF v1.1 → 💼 PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)		10	44		no data
💼 NIST CSF v1.1 → 💼 PR.DS-2: Data-in-transit is protected		16	53		no data
💼 NIST CSF v1.1 → 💼 PR.DS-5: Protections against data leaks are implemented		47	91		no data
💼 NIST CSF v1.1 → 💼 PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity		22	27		no data
💼 NIST CSF v1.1 → 💼 PR.PT-4: Communications and control networks are protected		10	44		no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			181		no data
💼 NIST CSF v2.0 → 💼 PR.AA-06: Physical access to assets is managed, monitored, and enforced commensurate with risk			44		no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			187		no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			160		no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			184		no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			123		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(2) Information Flow Enforcement _ Processing Domains		31	33		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-17(2) Remote Access _ Protection of Confidentiality and Integrity Using Encryption		12	21		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-8(1) Transmission Confidentiality and Integrity _ Cryptographic Protection		8	23		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-28 Protection of Information at Rest	3	17	37		no data
💼 PCI DSS v3.2.1 → 💼 2.2.4 Configure system security parameters to prevent misuse.			16		no data
💼 PCI DSS v3.2.1 → 💼 2.3 Encrypt all non-console administrative access using strong cryptography.		3	10		no data
💼 PCI DSS v3.2.1 → 💼 4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.	1	8	28		no data
💼 PCI DSS v3.2.1 → 💼 8.2.1 Using strong cryptography, render all authentication credentials unreadable during transmission and storage on all system components.			14		no data
💼 PCI DSS v4.0.1 → 💼 2.2.6 System security parameters are configured to prevent misuse.			16		no data
💼 PCI DSS v4.0.1 → 💼 2.2.7 All non-console administrative access is encrypted using strong cryptography.			10		no data
💼 PCI DSS v4.0.1 → 💼 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks.	2		28		no data
💼 PCI DSS v4.0.1 → 💼 8.3.2 Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components.			14		no data
💼 PCI DSS v4.0 → 💼 2.2.6 System security parameters are configured to prevent misuse.		12	16		no data
💼 PCI DSS v4.0 → 💼 2.2.7 All non-console administrative access is encrypted using strong cryptography.		4	10		no data
💼 PCI DSS v4.0 → 💼 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks.	2	9	28		no data
💼 PCI DSS v4.0 → 💼 8.3.2 Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components.		6	14		no data
💼 SOC 2 → 💼 CC6.7-2 Uses Encryption Technologies or Secure Communication Channels to Protect Data		6	8		no data