Profile Applicability:

  • Level 1

Description:
Enforcing SSL connections ensures that MySQL servers require encrypted communication for data exchange, protecting data in transit from interception or tampering. This is critical for securing sensitive information.

Rationale:
Enforcing SSL for MySQL servers adds an extra layer of security by ensuring all communications between the database server and client are encrypted, preventing "man-in-the-middle" attacks and data leakage.

Impact:

  • Pros:

    • Ensures encrypted communication, improving security.

    • Helps in meeting compliance standards (e.g., PCI DSS).

    • Prevents unauthorized interception of data in transit.

  • Cons:

    • Some applications may need additional configuration to support SSL connections.

    • Enabling SSL can have a small performance overhead due to encryption/decryption operations.

Default Value:

By default, SSL enforcement is not enabled when provisioning a MySQL database server.

Pre-requisites:
Ensure that your MySQL client supports SSL connections and has valid certificates configured.

Remediation:

Test Plan:

Using Azure Portal:

  1. Log in to the Azure Portal: https://portal.azure.com.

  2. Navigate to Azure Database for MySQL servers.

  3. For each server, click on Connection security.

  4. Under SSL settings, ensure that Enforce SSL connection is set to Enabled.

Using Azure CLI:

  1. Run the following command to check the SSL enforcement status:

     az mysql server show --resource-group <resourceGroupName> --name <serverName> --query sslEnforcement

     • The output should show that sslEnforcement is set to Enabled.
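
The CLI check above reads one server at a time. As an added example (not part of the original benchmark text), the script below applies the same check to every server in the current subscription and lists those where sslEnforcement is not Enabled; the function names and sample server names are hypothetical.

```shell
#!/bin/sh
# Added example: audit sslEnforcement on all Azure Database for MySQL servers.
# Usage against a live subscription (requires a logged-in az CLI):
#   list_mysql_servers | audit_ssl_enforcement

# Emit one tab-separated line per server: name, resource group, sslEnforcement.
list_mysql_servers() {
    az mysql server list \
        --query "[].[name, resourceGroup, sslEnforcement]" \
        --output tsv
}

# Read that TSV on stdin, print one FAIL line per server whose sslEnforcement
# is anything other than "Enabled", and return non-zero if any were found.
audit_ssl_enforcement() {
    tab=$(printf '\t')
    failed=0
    while IFS="$tab" read -r name rg ssl; do
        # Skip blank lines in the input.
        [ -z "$name" ] && continue
        if [ "$ssl" != "Enabled" ]; then
            printf 'FAIL\t%s\t%s\tsslEnforcement=%s\n' \
                "$name" "$rg" "${ssl:-unknown}"
            failed=$((failed + 1))
        fi
    done
    [ "$failed" -eq 0 ]
}

# Constructed sample inventory (hypothetical server and resource group names)
# in the same three-column layout, so the audit logic can be tried offline:
#   sample_inventory | audit_ssl_enforcement
sample_inventory() {
    printf 'mysql-app-01\trg-prod\tEnabled\n'
    printf 'mysql-legacy-02\trg-prod\tDisabled\n'
    printf 'mysql-report-03\trg-dev\tEnabled\n'
}
```

The non-zero return status lets a scheduled job or pipeline step fail when any server is out of compliance.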

Implementation Plan:

Using Azure Portal:

  1. Go to Azure Database for MySQL servers.

  2. Select the desired database server.

  3. Under Connection security, click SSL settings.

  4. Ensure Enforce SSL connection is set to Enabled.

Using Azure CLI:

  1. To enable SSL connection enforcement, run:

     az mysql server update --resource-group <resourceGroupName> --name <serverName> --ssl-enforcement Enabled

Backout Plan:

Using Azure Portal:

  1. Go to Azure Database for MySQL servers.

  2. Under Connection security, disable the Enforce SSL connection setting if necessary.

Using Azure CLI:

  1. To disable SSL connection enforcement, run:

     az mysql server update --resource-group <resourceGroupName> --name <serverName> --ssl-enforcement Disabled