Profile Applicability:
Level 1
Description:
Enable SSL connection on PostgreSQL Servers. Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). This configuration enforces that SSL is always enabled for accessing your database server.
Rationale:
SSL connectivity helps to provide a new layer of security by connecting the database server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between the database server and client applications helps protect against "man in the middle" attacks by encrypting the data stream between the server and application.
Impact:
Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application.
Default Value:
By default, the SSL connection to the database is enabled.
Audit:
From Azure Console
Log in to the Azure Portal
Go to Azure Database for PostgreSQL server
For each database, click on Connection security
In SSL settings
Ensure Enforce SSL connection is set to ENABLED.
Using Azure Command Line Interface 2.0
Ensure the output of the below command returns ENABLED.
az postgres server show --resource-group <resourceGroupName> --name <serverName> --query sslEnforcement
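The command above checks one server. As an added example (not part of the original benchmark text), the following POSIX shell script extends the same check to every server in the current subscription and returns a non-zero status when any server is not enforcing SSL. The function names are hypothetical, and it assumes `az postgres server list` returns the `name`, `resourceGroup` and `sslEnforcement` fields.

```shell
#!/bin/sh
# Added example (not from the benchmark): audit sslEnforcement on every
# Azure Database for PostgreSQL server in the current subscription.
# Function names are hypothetical.

# Emit one tab-separated row per server: name, resource group, sslEnforcement.
# Assumption: `az postgres server list` returns these three fields.
list_pg_servers() {
  az postgres server list \
    --query "[].[name, resourceGroup, sslEnforcement]" --output tsv
}

# Print PASS/FAIL per server. Returns 0 if all enforce SSL, 1 if any does
# not, 2 if the listing failed (an az error must never read as compliant).
audit_pg_ssl() {
  tab="$(printf '\t')"
  failed=0
  rows="$(list_pg_servers)" || {
    echo "ERROR: could not list PostgreSQL servers" >&2
    return 2
  }
  while IFS="$tab" read -r name rg ssl; do
    [ -n "$name" ] || continue          # skip blank lines (no servers)
    case "$ssl" in
      Enabled|ENABLED)                  # accept either spelling of the value
        echo "PASS $rg/$name sslEnforcement=$ssl" ;;
      *)
        echo "FAIL $rg/$name sslEnforcement=${ssl:-unset}"
        failed=1 ;;
    esac
  done <<EOF
$rows
EOF
  return "$failed"
}

# Run only when asked, so the functions can also be sourced by other scripts.
if [ "${1:-}" = "--run" ]; then
  audit_pg_ssl
fi
```

Invoke the script with the `--run` argument after `az login`; the exit status (0, 1 or 2) can gate a scheduled compliance job.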
Remediation:
From Azure Console
Log in to the Azure Portal
Go to Azure Database for PostgreSQL server
For each database, click on Connection security
In SSL settings.
Click on ENABLED to Enforce SSL connection
Using Azure Command Line Interface 2.0
Use the below command to enforce SSL connection for PostgreSQL Database.
az postgres server update --resource-group <resourceGroupName> --name <serverName> --ssl-enforcement Enabled
Backout plan:
Go to Azure Database for PostgreSQL server
For each database, click on Connection security
Ensure that Enforce SSL connection is DISABLED