Profile Applicability:

  • Level 1

Description:
 SSL connections should be enforced on PostgreSQL servers to secure data transmission. Enforcing SSL helps protect against man-in-the-middle attacks by ensuring that all traffic between the database server and client applications is encrypted.

Rationale:
 By enforcing SSL, the data exchanged between the PostgreSQL server and clients is protected from eavesdropping and tampering. This ensures that sensitive data is encrypted during transit, which is vital for maintaining confidentiality and integrity.

Impact:

  • Pros:

    • Enhances data security by ensuring encrypted communication.

    • Mitigates the risk of man-in-the-middle attacks.

    • Helps meet compliance requirements such as PCI-DSS.

  • Cons:

    • Some applications may require additional configuration to support SSL connections.

    • Enabling SSL may introduce a small performance overhead due to encryption.

Default Value:

By default, SSL enforcement is not enabled on new PostgreSQL database servers in Azure.

Pre-requisites:

  • Ensure that clients interacting with the PostgreSQL server are configured to support SSL connections.

  • The appropriate SSL certificates must be in place.

Remediation:

Test Plan:

Using Azure Portal:

  1. Log in to the Azure Portal: https://portal.azure.com.

  2. Go to Azure Database for PostgreSQL Servers.

  3. Select the desired database.

  4. Under Connection security, ensure that Enforce SSL connection is set to Enabled.

Using Azure CLI:

  1. Run the following command to verify whether SSL connection enforcement is enabled:

     az postgres server show --resource-group <resource-group-name> --name <server-name> --query sslEnforcement

  • The output should indicate Enabled.
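The per-server check above scales poorly across a subscription. The following script is an added example (not part of the benchmark text) that runs the same audit over every server returned by `az postgres server list -o json`, treating a missing sslEnforcement field as a finding rather than a pass; the embedded sample JSON is constructed, and the field names are assumed to match those the page's --query uses.

```python
import json
import subprocess

# Constructed sample shaped like `az postgres server list -o json` output,
# reduced to the fields the check needs (assumption: same field names).
SAMPLE_SERVERS = json.loads("""
[
  {"name": "pg-prod-01",   "resourceGroup": "rg-prod", "sslEnforcement": "Enabled"},
  {"name": "pg-legacy-02", "resourceGroup": "rg-prod", "sslEnforcement": "Disabled"},
  {"name": "pg-dev-03",    "resourceGroup": "rg-dev"}
]
""")


def noncompliant_servers(servers):
    """Return (resourceGroup, name, sslEnforcement) for each server whose
    sslEnforcement is not exactly 'Enabled'. An absent field is reported
    as '<missing>' so an unexpected response shape cannot hide a gap."""
    findings = []
    for s in servers:
        value = s.get("sslEnforcement", "<missing>")
        if value != "Enabled":
            findings.append((s.get("resourceGroup", "?"), s.get("name", "?"), value))
    return findings


def remediation_command(resource_group, name):
    """The page's Implementation Plan command for one server, as an argv list."""
    return ["az", "postgres", "server", "update",
            "--resource-group", resource_group, "--name", name,
            "--ssl-enforcement", "Enabled"]


def audit_subscription():
    """Live audit: list every server in the current subscription and report
    the ones that fail, together with the exact command that would fix each."""
    out = subprocess.run(["az", "postgres", "server", "list", "-o", "json"],
                         check=True, capture_output=True, text=True).stdout
    findings = noncompliant_servers(json.loads(out))
    for rg, name, value in findings:
        print(f"FAIL {rg}/{name}: sslEnforcement={value}")
        print("  fix:", " ".join(remediation_command(rg, name)))
    return findings


if __name__ == "__main__":
    audit_subscription()
```

Running it with `az login` already done prints one FAIL line per non-compliant server and nothing when every server passes.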

Implementation Plan:

Using Azure Portal:

  1. Log in to the Azure Portal.

  2. Navigate to Azure Database for PostgreSQL Servers.

  3. Select the server and go to Connection security.

  4. Set Enforce SSL connection to Enabled and click Save.

Using Azure CLI:

  1. To enforce SSL connections, run the following command:

     az postgres server update --resource-group <resource-group-name> --name <server-name> --ssl-enforcement Enabled


Backout Plan:

Using Azure Portal:

  1. Go to Azure Database for PostgreSQL Servers.

  2. Under Connection security, disable Enforce SSL connection if necessary.

Using Azure CLI:

  1. To disable SSL enforcement, run the following command:

     az postgres server update --resource-group <resource-group-name> --name <server-name> --ssl-enforcement Disabled


References: