Skip to main content

πŸ“ Azure PostgreSQL Single Server Enforce SSL Connection is not set enabled 🟒

  • Contextual name: πŸ“ Single Server Enforce SSL Connection is not set enabled 🟒
  • ID: /ce/ca/azure/postgresql-database/single-server-enforce-ssl-connection
  • Located in: πŸ“ Azure PostgreSQL Database

Flags​

Our Metadata​

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies​

Similar Internal Rules​

RulePoliciesFlags
βœ‰οΈ dec-x-995424b72

Logic​

Description​

Open File

Description​

Enable SSL connection on PostgreSQL Servers.

Rationale​

SSL connectivity helps to provide a new layer of security by connecting database server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between database server and client applications helps protect against "man in the middle" attacks by encrypting the data stream between the server and application.

Audit​

From Azure Portal​
  1. Login to Azure Portal using https://portal.azure.com.
  2. Go to Azure Database for PostgreSQL server.
  3. For each database, click on Connection security.
  4. In SSL settings, ensure Enforce SSL connection is set to ENABLED.
From Azure CLI​

Ensure the output of the below command returns Enabled:

az postgres server show --resource-group myresourcegroup --name <resourceGroupName> --query sslEnforcement
From PowerShell​

Ensure the output of the below command returns Enabled:

Get-AzPostgreSqlServer -ResourceGroupName <ResourceGroupName > -ServerName <ServerName> | Select-Object SslEnforcement

... [see more](description.md)

Remediation​

Open File

Remediation​

From Azure Portal​

  1. Login to Azure Portal using https://portal.azure.com.
  2. Go to Azure Database for PostgreSQL server.
  3. For each database, click on Connection security.
  4. In SSL settings, click on ENABLED to enforce SSL connections.
  5. Click Save.

From Azure CLI​

Use the below command to enforce ssl connection for PostgreSQL Database:

az postgres server update --resource-group <resourceGroupName> --name <serverName> --ssl-enforcement Enabled

From PowerShell​

Update-AzPostgreSqlServer -ResourceGroupName <ResourceGroupName > -ServerName <ServerName> -SslEnforcement Enabled

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 54 Cryptographic techniques can be used to control access to sensitive data, both in storage and in transit. The strength of the cryptographic techniques deployed would be commensurate with the sensitivity and criticality of the data as well as other supplementary or compensating controls (refer to Attachment E for further guidance).1718
πŸ’Ό CIS Azure v1.1.0 β†’ πŸ’Ό 4.13 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server11
πŸ’Ό CIS Azure v1.3.0 β†’ πŸ’Ό 4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server - Level 1 (Automated)11
πŸ’Ό CIS Azure v1.4.0 β†’ πŸ’Ό 4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server - Level 1 (Automated)11
πŸ’Ό CIS Azure v1.5.0 β†’ πŸ’Ό 4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server - Level 1 (Automated)11
πŸ’Ό CIS Azure v2.0.0 β†’ πŸ’Ό 4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server - Level 1 (Automated)11
πŸ’Ό CIS Azure v2.1.0 β†’ πŸ’Ό 4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server - Level 1 (Automated)11
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Data Encryption31
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)3747
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-4 Information Flow Enforcement (M)(H)23165
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-4(4) Flow Control of Encrypted Information (H)2021
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-17(2) Protection of Confidentiality and Integrity Using Encryption (M)(H)13
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-7 Boundary Protection (L)(M)(H)10633
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-8 Transmission Confidentiality and Integrity (L)(M)(H)1610
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-8(1) Cryptographic Protection (L)(M)(H)610
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)1316
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-23 Session Authenticity (M)(H)57
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-28 Protection of Information at Rest (L)(M)(H)1717
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)47
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-7 Boundary Protection (L)(M)(H)23
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-8 Transmission Confidentiality and Integrity (L)(M)(H)110
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-8(1) Cryptographic Protection (L)(M)(H)10
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)16
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-28 Protection of Information at Rest (L)(M)(H)117
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)47
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-4 Information Flow Enforcement (M)(H)151
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-17(2) Protection of Confidentiality and Integrity Using Encryption (M)(H)13
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-7 Boundary Protection (L)(M)(H)729
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-8 Transmission Confidentiality and Integrity (L)(M)(H)110
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-8(1) Cryptographic Protection (L)(M)(H)10
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)16
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-23 Session Authenticity (M)(H)7
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-28 Protection of Information at Rest (L)(M)(H)117
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.10.1.1 Policy on the use of cryptographic controls1415
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.14.1.3 Protecting application services transactions78
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 5.14 Information transfer89
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)713
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-2: Data-in-transit is protected1421
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-5: Protections against data leaks are implemented4351
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity1819
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.PT-4: Communications and control networks are protected713
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events89
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-06: Physical access to assets is managed, monitored, and enforced commensurate with risk13
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected82
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected69
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected67
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.IR-01: Networks and environments are protected from unauthorized logical access and usage40
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-4(2) Information Flow Enforcement _ Processing Domains2527
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-17(2) Remote Access _ Protection of Confidentiality and Integrity Using Encryption1113
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-8(1) Transmission Confidentiality and Integrity _ Cryptographic Protection810
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-28 Protection of Information at Rest31518
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 2.3 Encrypt all non-console administrative access using strong cryptography.34
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.169
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 2.2.7 All non-console administrative access is encrypted using strong cryptography.4
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks.29
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 2.2.7 All non-console administrative access is encrypted using strong cryptography.4
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks.29