Control: 4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
Description
Enable SSL connection on PostgreSQL Servers.
SSL connectivity adds a layer of security by connecting the database server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between the database server and client applications helps protect against "man in the middle" attacks by encrypting the data stream between the server and the application.
Remediation
From Azure Portal
- Log in to Azure Portal using https://portal.azure.com
- Go to Azure Database for PostgreSQL server.
- For each database, click on Connection security.
- In SSL settings, click on ENABLED to enforce SSL connections.
- Click Save.
From Azure CLI
Use the following command to enforce SSL connections for the PostgreSQL database server.
az postgres server update --resource-group <resourceGroupName> --name <serverName> --ssl-enforcement Enabled
From PowerShell
Update-AzPostgreSqlServer -ResourceGroupName <ResourceGroupName> -ServerName <ServerName> -SslEnforcement Enabled
Default Value
By default, secure connectivity is enforced, but some application frameworks may not enable it during deployment.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v200_4_3_1
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.cis_v200_4_3_1 --share
SQL
This control uses a named query:
select
  s.id as resource,
  case
    when ssl_enforcement = 'Disabled' then 'alarm'
    else 'ok'
  end as status,
  case
    when ssl_enforcement = 'Disabled' then name || ' SSL connection disabled.'
    else name || ' SSL connection enabled.'
  end as reason,
  s.resource_group as resource_group,
  sub.display_name as subscription
from
  azure_postgresql_server s
  left join azure_subscription as sub on sub.subscription_id = s.subscription_id;
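
As an added example (not part of the original page or of the Powerpipe mod), the Python script below applies the same check to JSON shaped like `az postgres server list -o json` output and builds the Azure CLI remediation command shown above for each failing server. Unlike the named query, it treats a missing or unexpected `sslEnforcement` value as an alarm; the sample servers, ids and function names are constructed for illustration.

```python
import json
import shlex

# Constructed sample shaped like `az postgres server list -o json` output;
# the server names, resource groups and ids are made up for illustration.
SAMPLE = json.loads("""[
  {"id": "/subscriptions/<constructed-sub>/resourceGroups/rg-app/servers/pg-prod",
   "name": "pg-prod", "resourceGroup": "rg-app", "sslEnforcement": "Enabled"},
  {"id": "/subscriptions/<constructed-sub>/resourceGroups/rg-dev/servers/pg-dev",
   "name": "pg-dev", "resourceGroup": "rg-dev", "sslEnforcement": "Disabled"},
  {"id": "/subscriptions/<constructed-sub>/resourceGroups/rg-dev/servers/pg-old",
   "name": "pg-old", "resourceGroup": "rg-dev"}
]""")


def audit(servers):
    """Return one finding per server, failing closed on unknown values."""
    findings = []
    for s in servers:
        value = s.get("sslEnforcement")
        if value == "Enabled":
            status, reason = "ok", f"{s['name']} SSL connection enabled."
        elif value == "Disabled":
            status, reason = "alarm", f"{s['name']} SSL connection disabled."
        else:
            # The named query's `else 'ok'` branch would pass this server;
            # here a missing or unexpected value is reported instead.
            status, reason = "alarm", f"{s['name']} SSL enforcement unknown ({value!r})."
        findings.append({"resource": s["id"], "name": s["name"],
                         "resource_group": s["resourceGroup"],
                         "status": status, "reason": reason})
    return findings


def remediation_commands(findings):
    """Build the page's Azure CLI command for every server in alarm."""
    return [
        "az postgres server update --resource-group {} --name {} "
        "--ssl-enforcement Enabled".format(
            shlex.quote(f["resource_group"]), shlex.quote(f["name"]))
        for f in findings if f["status"] == "alarm"
    ]


if __name__ == "__main__":
    results = audit(SAMPLE)
    print("\n".join(f"{f['status']:5} {f['reason']}" for f in results))
    print("\n".join(remediation_commands(results)))
```

The generated commands are printed rather than executed, so they can be reviewed before any server setting is changed.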