Control: 5.2.1 Ensure server parameter 'require_secure_transport' is set to 'ON' for PostgreSQL flexible server
Description
Enable require_secure_transport on PostgreSQL flexible servers.
SSL connectivity helps to provide a new layer of security by connecting database server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between database server and client applications helps protect against "man in the middle" attacks by encrypting the data stream between the server and application.
Remediation
From Azure Portal
- Login to Azure Portal using https://portal.azure.com.
- Go to
Azure Database for PostgreSQL flexible servers. - For each database, under
Settings, clickServer parameters. - In the filter bar, type
require_secure_transport. - Set the
VALUEforrequire_secure_transporttoON. - Click
Save.
From Azure CLI
Use the below command to enable require_secure_transport:
az postgres flexible-server parameter set --resource-group <resourceGroup> --server-name <serverName> --name require_secure_transport --value on
From PowerShell
Update-AzPostgreSqlFlexibleServerConfiguration -ResourceGroupName <resourceGroup> -ServerName <serverName> -Name require_secure_transport -Value on
Default Value
By default, secure connectivity is enforced, but some application frameworks may not enable it during deployment.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v300_5_2_1Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v300_5_2_1 --shareSQL
This control uses a named query:
postgres_sql_flexible_server_ssl_enabled