Benchmark: PostgreSQL
Description
This section contains recommendations for configuring PostgreSQL resources.
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-azure-complianceStart the Powerpipe server:
steampipe service startpowerpipe serverOpen http://localhost:9033 in your browser and select PostgreSQL.
Run this benchmark in your terminal:
powerpipe benchmark run azure_compliance.benchmark.all_controls_postgresSnapshot and share results via Turbot Pipes:
powerpipe benchmark run azure_compliance.benchmark.all_controls_postgres --shareControls
- Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled
- Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
- Geo-redundant backup should be enabled for Azure Database for PostgreSQL
- PostgreSQL servers should have the latest TLS version
- Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
- Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server
- Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server
- Ensure server parameter 'log_duration' is set to 'ON' for PostgreSQL Database Server
- Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
- Ensure 'Allow public access from any Azure service within Azure to this server' for PostgreSQL flexible server is disabled
- Ensure server parameter 'connection_throttle.enable' is set to 'ON' for PostgreSQL flexible Server
- Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL flexible Server
- Ensure Server Parameter 'logfiles.retention_days' is greater than 3 days for PostgreSQL flexible Server
- Private endpoint should be enabled for PostgreSQL servers
- Ensure server parameter 'require_secure_transport' is set to 'ON' for PostgreSQL flexible server
- PostgreSQL servers should use customer-managed keys to encrypt data at rest
- Enforce SSL connection should be enabled for PostgreSQL database servers
- Infrastructure encryption should be enabled for Azure Database for PostgreSQL servers
- Public network access should be disabled for PostgreSQL servers