Description
Enable SSL connection on PostgreSQL Servers.
Rationaleβ
SSL connectivity helps to provide a new layer of security by connecting database server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between database server and client applications helps protect against "man in the middle" attacks by encrypting the data stream between the server and application.
Auditβ
From Azure Portalβ
- Login to Azure Portal using https://portal.azure.com.
- Go to
Azure Database for PostgreSQL server. - For each database, click on
Connection security. - In
SSLsettings, ensureEnforce SSL connectionis set toENABLED.
From Azure CLIβ
Ensure the output of the below command returns Enabled:
az postgres server show --resource-group myresourcegroup --name <resourceGroupName> --query sslEnforcement
From PowerShellβ
Ensure the output of the below command returns Enabled:
Get-AzPostgreSqlServer -ResourceGroupName <ResourceGroupName > -ServerName <ServerName> | Select-Object SslEnforcement
From Azure Policyβ
If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure.
- Policy ID: d158790f-bfb0-486c-8631-2dc6b4e8e6af - Name:
Enforce SSL connection should be enabled for PostgreSQL database servers
Default Valueβ
By default, secure connectivity is enforced, but some application frameworks may not enable it during deployment.
Referencesβ
- https://docs.microsoft.com/en-us/azure/postgresql/concepts-ssl-connection-security
- https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-data-protection#dp-4-enable-data-at-rest-encryption-by-default
- https://learn.microsoft.com/en-us/powershell/module/az.postgresql/get-azpostgresqlserver?view=azps-9.2.0#example-2-get-postgresql-server-by-resource-group-and-server-name
- https://learn.microsoft.com/en-us/powershell/module/az.postgresql/update-azpostgresqlserver?view=azps-9.2.0#example-1-update-postgresql-server-by-resource-group-and-server-name