⭐ Repository → 📁 Compliance Engine → 📁 CloudAware → 📁 Azure → 📁 PostgreSQL Database

🛡️ Azure PostgreSQL Single Server Infrastructure Double Encryption is not enabled🟢

Contextual name: 🛡️ Single Server Infrastructure Double Encryption is not enabled🟢
ID: /ce/ca/azure/postgresql-database/single-server-infrastructure-double-encryption
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: BEST_PRACTICE
Policy Categories: SECURITY

Logic

🧠 prod.logic.yaml🟢
- 📗 Azure PostgreSQL Server
- 🔌 Azure PostgreSQL Server - object.extracts.yaml
- 🧪 test-data.json

Similar Policies

Cloud Conformity: Enable Infrastructure Double Encryption for Single Servers
Internal: dec-x-6ed26167

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-x-6ed26167	1

Description

Open File

Description

Azure Database for PostgreSQL servers should be created with 'infrastructure double encryption' enabled.

NOTE: This recommendation currently only applies to Single Server, not Flexible Server. See additional information below for details about the planned retirement of Azure PostgreSQL Single Server.

Rationale

If Double Encryption is enabled, another layer of encryption is implemented at the hardware level before the storage or network level. Information will be encrypted before it is even accessed, preventing both interception of data in motion if the network layer encryption is broken and data at rest in system resources such as memory or processor cache. Encryption will also be in place for any backups taken of the database, so the key will secure access the data in all forms. For the most secure implementation of key based encryption, it is recommended to use a Customer Managed asymmetric RSA 2048 Key in Azure Key Vault.

Impact

The read and write speeds to the database will be impacted if both default encryption and Infrastructure Encryption are checked, as a secondary form of encryption requires more resource overhead for the cryptography of information. This cost is justified for information security. Customer managed keys are recommended for the most secure implementation, leading to overhead of key management. The key will also need to be backed up in a secure location, as loss of the key will mean loss of the information in the database.

... see more

Remediation

Open File

Remediation

It is not possible to enable infrastructure double encryption on an existing Azure Database for PostgreSQL server. The remediation steps detail the creation of a new Azure Database for PostgreSQL server with infrastructure double encryption enabled.

From Azure Portal

Go through the normal process of database creation.

On step 2 titled Additional settings ensure that Infrastructure double encryption enabled is checked.

Acknowledge that you understand this will impact database performance.

Finish database creation as normal.

From Azure CLI
az postgres server create --resource-group <resourcegroup> --name <servername> --location <location> --admin-user <adminusername> --admin-password <server_admin_password> --sku-name GP_Gen4_2 --version 11 --infrastructure-encryption Enabled

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Compliance
💼 APRA CPG 234 → 💼 52c appropriate encryption, cleansing and auditing of devices;		9	9	no data
💼 APRA CPG 234 → 💼 54 Cryptographic techniques can be used to control access to sensitive data, both in storage and in transit. The strength of the cryptographic techniques deployed would be commensurate with the sensitivity and criticality of the data as well as other supplementary or compensating controls (refer to Attachment E for further guidance).		21	22	no data
💼 CIS Azure v1.4.0 → 💼 4.3.8 Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled' - Level 1 (Automated)		1	1	no data
💼 CIS Azure v1.5.0 → 💼 4.3.8 Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled' - Level 1 (Automated)		1	1	no data
💼 CIS Azure v2.0.0 → 💼 4.3.8 Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled' - Level 1 (Automated)		1	1	no data
💼 CIS Azure v2.1.0 → 💼 4.3.8 Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled' - Level 1 (Automated)		1	1	no data
💼 CIS Azure v3.0.0 → 💼 5.2.8 [LEGACY] Ensure 'Infrastructure double encryption' for PostgreSQL single server is 'Enabled' (Automated)			1	no data
💼 Cloudaware Framework → 💼 Data Encryption			42	no data
💼 FedRAMP High Security Controls → 💼 AC-4(4) Flow Control of Encrypted Information (H)		25	26	no data
💼 FedRAMP High Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)	1	7	24	no data
💼 FedRAMP High Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H)		5	14	no data
💼 FedRAMP Low Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)	1		24	no data
💼 FedRAMP Low Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H)			14	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)	1		24	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H)			14	no data
💼 ISO/IEC 27001:2013 → 💼 A.10.1.1 Policy on the use of cryptographic controls		18	19	no data
💼 ISO/IEC 27001:2013 → 💼 A.14.1.2 Securing application services on public networks		5	5	no data
💼 ISO/IEC 27001:2013 → 💼 A.14.1.3 Protecting application services transactions		10	14	no data
💼 ISO/IEC 27001:2022 → 💼 5.33 Protection of records		10	15	no data
💼 NIST CSF v1.1 → 💼 PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)		10	22	no data
💼 NIST CSF v1.1 → 💼 PR.DS-2: Data-in-transit is protected		16	31	no data
💼 NIST CSF v1.1 → 💼 PR.DS-5: Protections against data leaks are implemented		47	66	no data
💼 NIST CSF v1.1 → 💼 PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity		22	26	no data
💼 NIST CSF v1.1 → 💼 PR.PT-4: Communications and control networks are protected		10	22	no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			137	no data
💼 NIST CSF v2.0 → 💼 PR.AA-06: Physical access to assets is managed, monitored, and enforced commensurate with risk			22	no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			117	no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			97	no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			111	no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			69	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(2) Information Flow Enforcement _ Processing Domains		30	32	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-28 Protection of Information at Rest	3	16	25	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-28(1) Protection of Information at Rest _ Cryptographic Protection		10	14	no data
💼 PCI DSS v3.2.1 → 💼 2.3 Encrypt all non-console administrative access using strong cryptography.		3	8	no data
💼 PCI DSS v3.2.1 → 💼 4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.	1	8	21	no data
💼 PCI DSS v3.2.1 → 💼 4.2 Never send unprotected PANs by enduser messaging technologies.			4	no data
💼 PCI DSS v3.2.1 → 💼 8.2.1 Using strong cryptography, render all authentication credentials unreadable during transmission and storage on all system components.			14	no data
💼 PCI DSS v4.0.1 → 💼 2.2.7 All non-console administrative access is encrypted using strong cryptography.			8	no data
💼 PCI DSS v4.0.1 → 💼 3.3.2 SAD that is stored electronically prior to completion of authorization is encrypted using strong cryptography.			13	no data
💼 PCI DSS v4.0.1 → 💼 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks.	2		21	no data
💼 PCI DSS v4.0.1 → 💼 4.2.2 PAN is secured with strong cryptography whenever it is sent via end-user messaging technologies.			4	no data
💼 PCI DSS v4.0.1 → 💼 8.3.2 Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components.			14	no data
💼 PCI DSS v4.0 → 💼 2.2.7 All non-console administrative access is encrypted using strong cryptography.		4	8	no data
💼 PCI DSS v4.0 → 💼 3.3.2 SAD that is stored electronically prior to completion of authorization is encrypted using strong cryptography.		8	13	no data
💼 PCI DSS v4.0 → 💼 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks.	2	9	21	no data
💼 PCI DSS v4.0 → 💼 4.2.2 PAN is secured with strong cryptography whenever it is sent via end-user messaging technologies.		3	4	no data
💼 PCI DSS v4.0 → 💼 8.3.2 Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components.		6	14	no data

Logic​

Similar Policies​

Similar Internal Rules​

Description​

Description​

Rationale​

Impact​

Remediation​

Remediation​

From Azure Portal​

From Azure CLI​

policy.yaml​

Linked Framework Sections​

Logic

Similar Policies

Similar Internal Rules

Description

Description

Rationale

Impact

Remediation

Remediation

From Azure Portal

From Azure CLI

policy.yaml

Linked Framework Sections