Skip to main content

Description

Enable SSL connection on PostgreSQL Servers.

Rationale​

SSL connectivity provides an additional layer of security by connecting the database server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between the database server and client applications helps protect against "man in the middle" attacks by encrypting the data stream between the server and application.

Audit​

From Azure Portal​

  1. Log in to Azure Portal using https://portal.azure.com.
  2. Go to Azure Database for PostgreSQL server.
  3. For each database, click on Connection security.
  4. In SSL settings, ensure Enforce SSL connection is set to ENABLED.

From Azure CLI​

Ensure the output of the following command returns Enabled:

az postgres server show \
    --resource-group {{resource-group-name}} \
    --name {{server-name}} \
    --query sslEnforcement

From PowerShell​

Ensure the output of the following command returns Enabled:

Get-AzPostgreSqlServer `
    -ResourceGroupName {{resource-group-name}} `
    -ServerName {{server-name}} |
    Select-Object SslEnforcement

From Azure Policy​

If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure.

Default Value​

By default, secure connectivity is enforced, but some application frameworks may not enable it during deployment.

References​

  1. https://docs.microsoft.com/en-us/azure/postgresql/concepts-ssl-connection-security
  2. https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-data-protection#dp-4-enable-data-at-rest-encryption-by-default
  3. https://learn.microsoft.com/en-us/powershell/module/az.postgresql/get-azpostgresqlserver?view=azps-9.2.0#example-2-get-postgresql-server-by-resource-group-and-server-name
  4. https://learn.microsoft.com/en-us/powershell/module/az.postgresql/update-azpostgresqlserver?view=azps-9.2.0#example-1-update-postgresql-server-by-resource-group-and-server-name