Profile Applicability:

  • Level 1

Description:

Enable SSL connection on PostgreSQL Servers. Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). This configuration enforces that SSL is always enabled for accessing your database server.

Rationale:

SSL connectivity helps to provide a new layer of security by connecting the database server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between the database server and client applications helps protect against "man in the middle" attacks by encrypting the data stream between the server and the application.

Impact:

Enforcing SSL connections between your database server and your client applications helps protect against "man in the middle" attacks by encrypting the data stream between the server and your application.

Default Value:

By default, the SSL connection to the database is enabled.

Audit:

From Azure Console

  1. Login to Azure Portal

  2. Go to Azure Database for PostgreSQL server

  3. For each database, click on Connection security

  4. In SSL settings

  5. Ensure Enforce SSL connection is set to ENABLED.

Using Azure Command Line Interface 2.0

Ensure the output of the below command returns ENABLED.

az postgres server show --resource-group <resourceGroupName> --name <serverName> --query sslEnforcement
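The audit above checks one server at a time. The following added example (not part of the original benchmark text) extends it to every Azure Database for PostgreSQL server in the current subscription; the function names and the sample rows are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: subscription-wide version of the sslEnforcement audit.
# Function names are hypothetical; only the az call talks to Azure.

TAB=$(printf '\t')

# Reads "resourceGroup<TAB>serverName<TAB>sslEnforcement" rows on stdin,
# prints one FAIL line per non-compliant server, returns 1 if any were found.
check_ssl_enforcement() {
    failed=0
    while IFS="$TAB" read -r rg name ssl; do
        [ -z "$name" ] && continue
        # The audit text says ENABLED while the remediation flag value is
        # Enabled, so compare without regard to case.
        state=$(printf '%s' "$ssl" | tr '[:lower:]' '[:upper:]')
        if [ "$state" != "ENABLED" ]; then
            printf 'FAIL %s/%s sslEnforcement=%s\n' "$rg" "$name" "${ssl:-<empty>}"
            failed=1
        fi
    done
    return "$failed"
}

# Lists every server in the current subscription and feeds it to the check.
# The pipeline's exit status is that of check_ssl_enforcement.
audit_subscription() {
    az postgres server list \
        --query "[].[resourceGroup, name, sslEnforcement]" --output tsv \
      | check_ssl_enforcement
}

# Constructed sample rows (not real servers) for offline testing.
sample_rows() {
    printf 'rg-app\tpg-prod-01\tEnabled\n'
    printf 'rg-app\tpg-dev-02\tDisabled\n'
    printf 'rg-data\tpg-batch-03\tEnabled\n'
}

# Run the live audit only when asked: sh audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_subscription
fi
```

A non-zero exit status from `audit_subscription` means at least one server does not enforce SSL, which makes the function usable as a gate in a scheduled compliance job.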

Remediation:

From Azure Console

  1. Login to Azure Portal 

  2. Go to Azure Database for PostgreSQL server

  3. For each database, click on Connection security

  4. In SSL settings.

  5. Click on ENABLED to Enforce SSL connection

Using Azure Command Line Interface 2.0

Use the below command to enforce SSL connection for PostgreSQL Database.

az postgres server update --resource-group <resourceGroupName> --name <serverName> --ssl-enforcement Enabled

Backout plan:

  1. Go to Azure Database for PostgreSQL server

  2. For each database, click on Connection security

  3. Ensure that Enforce SSL connection is DISABLED

References:

  1. https://docs.microsoft.com/en-us/azure/postgresql/concepts-ssl-connection-security

  2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit