Control: 4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
Description
It is recommended to enable SSL connection on PostgreSQL Servers. SSL connectivity helps to provide a new layer of security, by connecting database server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between database server and client applications helps protect against attacks by encrypting the data stream between the server and application.
Remediation
From Console
- Login to Azure console and navigate to PostgreSQL Servers.
- For each database, go to
Settingssection from left pane. - Click on
Connection securityand go toSSL settings. - For
Enforce SSL connection, click on ENABLED.
From Command Line
Enable enforce ssl connection for PostgreSQL Database
az postgres server update --resource-group <resourceGroupName> --name <serverName> --ssl-enforcement Enabled
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v140_4_3_1Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v140_4_3_1 --shareSQL
This control uses a named query:
select s.id as resource, case when ssl_enforcement = 'Disabled' then 'alarm' else 'ok' end as status, case when ssl_enforcement = 'Disabled' then name || ' SSL connection disabled.' else name || ' SSL connection enabled.' end as reason , s.resource_group as resource_group , sub.display_name as subscriptionfrom azure_postgresql_server s, azure_subscription subwhere sub.subscription_id = s.subscription_id;