Description:

Azure Database for PostgreSQL supports encrypted connections using SSL/TLS. Enabling Enforce SSL Connection ensures that all client traffic to the PostgreSQL server is encrypted, protecting data in transit. When this setting is enabled, non-SSL connections are rejected, preventing exposure of credentials, queries, and sensitive data. On Flexible Server this control is exposed as the require_secure_transport server parameter. This control checks whether Enforce SSL Connection (require_secure_transport) is configured as Enabled (ON) on the PostgreSQL server.


Rationale:

If SSL enforcement is disabled, database connections may occur in plaintext, exposing data to interception and enabling man-in-the-middle attacks. This may also violate compliance standards such as CIS, PCI DSS, NIST, and ISO. Enforcing SSL ensures encrypted communication, protects authentication information, and reduces the risk of network-based attacks.


Impact:

  • Ensures all data-in-transit is encrypted

  • Prevents plaintext authentication and query traffic

  • Strengthens compliance posture

  • Protects against MITM and eavesdropping attacks


Default Value:

Enforce SSL Connection is enabled by default for Azure Database for PostgreSQL, but it can be manually disabled.


Pre-Requisites:

  • Access to PostgreSQL Server configuration

  • Permissions:

    • Microsoft.DBforPostgreSQL/servers/read

    • Microsoft.DBforPostgreSQL/servers/write


Test Plan:

  1. Sign in to the Azure Portal at https://portal.azure.com

  2. Search for and open Azure Database for PostgreSQL – Flexible Server

  3. Select the target PostgreSQL server

  4. From the left menu, under Settings, select Server parameters

  5. Search for the parameter require_secure_transport

  6. Verify require_secure_transport is set to ON

  7. Confirm that SSL/TLS is enforced for all client connections

  8. If require_secure_transport is not set to ON, follow the implementation steps


Implementation Steps:

  1. Sign in to the Azure Portal at https://portal.azure.com

  2. Search for and open the PostgreSQL Flexible Server

  3. From the left menu, under Settings, select Server parameters

  4. Search for the parameter require_secure_transport

  5. Set require_secure_transport to ON

  6. Click Save to apply the changes

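The Test Plan and Implementation Steps above are portal procedures. The following script is an added example, not part of the original control text, showing the same check and remediation with the Azure CLI so it can be run across many servers. It assumes the Azure CLI is installed and signed in, and that RESOURCE_GROUP and SERVER_NAME (placeholders) name the target Flexible Server; the psql-based verification assumes psql is installed and the connecting user's password is supplied in PGPASSWORD.

```shell
#!/bin/sh
# Added example: audit and remediate require_secure_transport on an Azure
# Database for PostgreSQL Flexible Server using the Azure CLI.
# Placeholders (assumptions): replace with the real resource group and server.
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-placeholder}"
SERVER_NAME="${SERVER_NAME:-pg-server-placeholder}"

# Fetch the current value of require_secure_transport as a bare string
# ("on" or "off"). Equivalent to portal steps 4-6 of the Test Plan.
get_secure_transport() {
    az postgres flexible-server parameter show \
        --resource-group "$RESOURCE_GROUP" \
        --server-name "$SERVER_NAME" \
        --name require_secure_transport \
        --query value --output tsv
}

# Evaluate a parameter value: returns 0 (pass) when SSL/TLS is enforced,
# 1 (fail) otherwise. The comparison is case- and whitespace-insensitive
# because the portal shows ON while the CLI reports on.
evaluate_secure_transport() {
    value=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -d '[:space:]')
    [ "$value" = "on" ]
}

# Remediate: set require_secure_transport to on (Implementation Steps 4-6).
enforce_secure_transport() {
    az postgres flexible-server parameter set \
        --resource-group "$RESOURCE_GROUP" \
        --server-name "$SERVER_NAME" \
        --name require_secure_transport \
        --value on --output none
}

# Client-side confirmation (Test Plan step 7): connect with TLS required and
# ask the server whether this session is encrypted; expected output is "t".
# PGUSER is an assumed placeholder for the database user.
verify_tls_with_psql() {
    psql "host=${SERVER_NAME}.postgres.database.azure.com dbname=postgres \
          user=${PGUSER:-adminuser-placeholder} sslmode=require" \
        -At -c "SELECT ssl FROM pg_stat_ssl WHERE pid = pg_backend_pid();"
}

# Check the server and remediate if needed.
check_and_remediate() {
    current=$(get_secure_transport)
    if evaluate_secure_transport "$current"; then
        echo "PASS: require_secure_transport is ON on $SERVER_NAME"
        return 0
    fi
    echo "FAIL: require_secure_transport is '$current' on $SERVER_NAME; remediating"
    enforce_secure_transport
    evaluate_secure_transport "$(get_secure_transport)"
}

# Run only when invoked with --run, so the file can also be sourced for its
# functions without contacting Azure.
if [ "${1:-}" = "--run" ]; then
    check_and_remediate
fi
```

Run it as `RESOURCE_GROUP=<rg> SERVER_NAME=<server> sh check_ssl.sh --run`. After remediation, a connection attempt with `sslmode=disable` should be refused by the server, while `verify_tls_with_psql` returns `t`; that pair of observations is what step 7 of the Test Plan asks you to confirm.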

Backout Plan:

  1. Sign in to the Azure Portal at https://portal.azure.com

  2. Open Azure Database for PostgreSQL Flexible Server

  3. Select the target PostgreSQL server

  4. Navigate to Server parameters

  5. Locate require_secure_transport

  6. Set require_secure_transport to OFF

  7. Click Save to revert the change


Reference: