Trend Micro Cloud One™

Enable In-Transit Encryption for PostgreSQL Database Servers

Last updated: 03 February 2020
Risk level: High (not acceptable risk)

Ensure that connections to your Microsoft Azure PostgreSQL database servers are encrypted in transit, both to meet security and compliance requirements and to stop anyone on the network path from reading or altering the credentials and query traffic exchanged with your databases.

Security

When working with production data, it is strongly recommended to encrypt all sensitive information in transit by enforcing SSL/TLS connections between PostgreSQL database servers and client applications (the Azure setting is still labelled "Enforce SSL connection", but modern clients negotiate TLS). Once enabled, the server refuses plaintext connections, which protects credentials and query traffic from eavesdropping and Man-in-the-Middle (MITM) tampering and satisfies compliance requirements for in-transit encryption. Two caveats: the server-side setting does not make clients validate the server certificate, so configure clients with sslmode=verify-full (or verify-ca) and the appropriate root CA to actually defeat an active MITM; and any client that currently connects without SSL will start failing once enforcement is turned on, so identify those clients before remediating.

Audit

To determine the in-transit encryption configuration of your Azure PostgreSQL database servers, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 From the Type filter box, select Azure Database for PostgreSQL server to list the PostgreSQL servers available within your Azure account.

04 Click on the name of the PostgreSQL database server that you want to examine.

05 In the navigation panel, under Settings, select Connection security to access the connection security settings for the selected PostgreSQL server.

06 On the Connection security configuration page, in the SSL settings section, check the Enforce SSL connection status. If the setting status is set to DISABLED, in-transit encryption is not enabled for the selected Microsoft Azure PostgreSQL server.

07 Repeat steps no. 4 – 6 for each PostgreSQL database server available in the current Azure subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the az postgres server list command (Windows/macOS/Linux) with a custom query filter to list the names of all PostgreSQL database servers (and the names of their resource groups) available in the current Azure subscription:

az postgres server list \
	--output table \
	--query '[*].{name:name, resourceGroup:resourceGroup}'

02 The command output should return a table with requested PostgreSQL server information:

Name                  ResourceGroup
--------------------  ------------------------------
cc-production-server  cloud-shell-storage-westeurope
cc-postgresql-server  cloud-shell-storage-westeurope

03 Run the az postgres server show command (Windows/macOS/Linux) with the name and resource group of the Azure PostgreSQL server that you want to examine as identifier parameters and a query filter that returns only the "Enforce SSL connection" setting status for the selected database server:

az postgres server show \
	--name "cc-production-server" \
	--resource-group "cloud-shell-storage-westeurope" \
	--query sslEnforcement

04 The command output should return the requested configuration setting status:

"Disabled"

If the az postgres server show command output returns "Disabled", as shown in the example above, in-transit encryption using SSL/TLS is not enforced for the selected Microsoft Azure PostgreSQL database server and clients can connect in plaintext.

05 Repeat step no. 3 and 4 for each Azure PostgreSQL server provisioned in the selected subscription.

06 Repeat steps no. 1 – 5 for each subscription available within your Microsoft Azure cloud account.
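The two audit commands above, generalized to every subscription and every server in a single pass. This is an added example, not code from the original page or from the Azure CLI documentation. It assumes the Azure CLI is installed and you have already run az login; the TSV rows in sample_servers are constructed to mirror the table in step 2 so the filter can be exercised without an Azure account. Anything other than an exact "Enabled" is reported, so a missing or unexpected value is flagged rather than silently passed.

```bash
#!/usr/bin/env bash
# Subscription-wide audit of the "Enforce SSL connection" setting on
# Azure Database for PostgreSQL servers. Added example; assumes az is
# installed and signed in ("az login").
set -u

# Reads "name<TAB>resourceGroup<TAB>sslEnforcement" lines on stdin, which is
# the shape produced by the --output tsv query below, and prints the name and
# resource group of every server whose setting is not exactly "Enabled".
find_unencrypted() {
  awk -F'\t' '$3 != "Enabled" { print $1 "\t" $2 }'
}

# Walks every subscription visible to the signed-in identity and prints
# "subscriptionId<TAB>name<TAB>resourceGroup" for each non-compliant server.
audit_all_subscriptions() {
  az account list --query '[].id' --output tsv | while read -r sub; do
    az postgres server list --subscription "$sub" \
        --query '[].[name, resourceGroup, sslEnforcement]' --output tsv \
      | find_unencrypted \
      | awk -F'\t' -v s="$sub" '{ print s "\t" $0 }'
  done
}

# Constructed sample in the same TSV shape (mirrors the page's step 2 table),
# so the filter can be run offline.
sample_servers() {
  printf 'cc-production-server\tcloud-shell-storage-westeurope\tDisabled\n'
  printf 'cc-postgresql-server\tcloud-shell-storage-westeurope\tEnabled\n'
}

if [ "${1:-}" = "--live" ]; then
  audit_all_subscriptions
else
  sample_servers | find_unencrypted   # only cc-production-server is reported
fi
```

Run it with --live to query Azure; without arguments it only runs the filter over the constructed rows. The output lines are deliberately tab-separated name/resource-group pairs so they can be fed straight into a remediation loop.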

Remediation / Resolution

To enable in-transit encryption by enforcing SSL/TLS connections between your PostgreSQL database servers and your client applications, perform the following actions. Note that once the setting is enabled the server rejects any connection that does not negotiate SSL/TLS, so confirm beforehand that every client is configured to connect securely:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 From the Type filter box, select Azure Database for PostgreSQL server to list the PostgreSQL servers available in your Azure account.

04 Click on the name of the PostgreSQL server that you want to reconfigure (see Audit section part I to identify the right PostgreSQL resource).

05 In the navigation panel, under Settings, select Connection security to access the connection security settings for the selected PostgreSQL database server.

06 On the Connection security configuration page, in the SSL settings section, select ENABLED next to Enforce SSL connection setting to enable in-transit encryption for the selected Azure PostgreSQL database server.

07 Click Save to apply the configuration changes.

08 Repeat steps no. 4 – 7 for each PostgreSQL database server available within the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the az postgres server update command (Windows/macOS/Linux) with the name and resource group of the Azure PostgreSQL server that you want to reconfigure as identifier parameters (see Audit section part II to identify the right Azure resource) and set the --ssl-enforcement parameter to Enabled to enforce in-transit encryption for the selected database server:

az postgres server update \
	--name "cc-production-server" \
	--resource-group "cloud-shell-storage-westeurope" \
	--ssl-enforcement Enabled

02 The command output should return the metadata for the reconfigured Azure PostgreSQL server:

{
  "earliestRestoreDate": "2019-07-24T11:28:45.067000+00:00",
  "fullyQualifiedDomainName": "cc-production-server.postgres.database.azure.com",
  "location": "westeurope",
  "name": "cc-production-server",
  "replicaCapacity": 5,
  "replicationRole": "None",
  "resourceGroup": "cloud-shell-storage-westeurope",
 
  ...
 
  "sslEnforcement": "Enabled",
  "storageProfile": {
    "backupRetentionDays": 30,
    "geoRedundantBackup": "Disabled",
    "storageAutoGrow": "Disabled",
    "storageAutogrow": null,
    "storageMb": 5120
  },
  "tags": {},
  "type": "Microsoft.DBforPostgreSQL/servers",
  "userVisibleState": "Ready",
  "version": "10"
}

03 Repeat step no. 1 and 2 for each PostgreSQL database server available in the selected subscription.

04 Repeat steps no. 1 – 3 for each subscription created within your Microsoft Azure cloud account.
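Batch form of the remediation above, as an added example that is not part of the original page or of Microsoft's tooling. It consumes the tab-separated name/resource-group pairs that a subscription-wide audit produces, applies the update to each server, then re-reads sslEnforcement instead of trusting the update's exit status, and finally checks from the client side that the session is actually encrypted. The DRY_RUN variable, the admin user name and the CA bundle path are assumptions for illustration; the user@server login form and the .postgres.database.azure.com host suffix follow the single-server conventions visible in the page's own output. Requires the Azure CLI (signed in) and psql on PATH for the live paths.

```bash
#!/usr/bin/env bash
# Batch remediation for "Enforce SSL connection". Added example; assumes az
# (signed in) and psql are available. Reads "name<TAB>resourceGroup" lines
# on stdin, one server per line.
set -u

# With DRY_RUN=1 every mutating command is printed instead of executed, so the
# change set can be reviewed before touching production. (DRY_RUN is an
# assumed convention of this script, not an az feature.)
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Enables enforcement on one server and then re-reads the setting; the audit
# keys on this field, so it is the value that must come back as Enabled.
enforce_ssl() {   # $1 = server name, $2 = resource group
  run az postgres server update --name "$1" --resource-group "$2" --ssl-enforcement Enabled
  state=$(run az postgres server show --name "$1" --resource-group "$2" --query sslEnforcement --output tsv)
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$state"; return 0; fi
  [ "$state" = "Enabled" ] || { printf 'FAILED %s: sslEnforcement=%s\n' "$1" "$state" >&2; return 1; }
  printf 'OK %s\n' "$1"
}

remediate_all() {
  while IFS=$(printf '\t') read -r name rg; do
    [ -n "$name" ] && enforce_ssl "$name" "$rg"
  done
}

# Server-side enforcement only refuses plaintext; it does not make the client
# verify who it is talking to. sslmode=verify-full makes libpq validate the
# certificate chain against the CA file and match the host name, which is
# what actually defeats an active MITM. $2 is the admin user, $3 the CA
# bundle path (both assumed inputs).
client_conninfo() {   # $1 = server name, $2 = admin user, $3 = CA bundle path
  printf 'host=%s.postgres.database.azure.com port=5432 dbname=postgres user=%s@%s sslmode=verify-full sslrootcert=%s' \
    "$1" "$2" "$1" "$3"
}

# Asks the server itself whether this session is encrypted and with what.
verify_client_tls() {
  psql "$(client_conninfo "$1" "$2" "$3")" \
    -c 'SELECT ssl, version, cipher FROM pg_stat_ssl WHERE pid = pg_backend_pid();'
}

if [ "${1:-}" = "--live" ]; then
  remediate_all                                     # stdin: audit findings
else
  # Constructed finding, rehearsed in dry-run mode: prints the two az commands.
  ( DRY_RUN=1; printf 'cc-production-server\tcloud-shell-storage-westeurope\n' | remediate_all )
fi
```

Pipe the audit's findings into it with --live once the dry-run output looks right, then run verify_client_tls for a representative server; a row with ssl = t and a TLS version confirms the client side is encrypting, and a connection refused with a certificate error means the CA bundle or host name is wrong, not that enforcement failed.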

Publication date Jul 29, 2019
