Enable In-Transit Encryption for PostgreSQL Database Servers

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)

Ensure that Microsoft Azure PostgreSQL server data is encrypted in transit in order to meet security and compliance requirements. In-transit encryption helps prevent unauthorized users from getting access to critical data available in your Azure PostgreSQL databases.

Security

When working with production data, it is strongly recommended to encrypt all sensitive information in transit by enforcing Secure Sockets Layer (SSL) connections between PostgreSQL database servers and client applications. Once enabled, this additional layer of security will protect your data against Man-In-the-Middle (MITM) attacks and fulfill compliance requirements for in-transit encryption within your company.


Audit

To determine in-transit encryption configuration for your Azure PostgreSQL database servers, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 From the Type filter box, select Azure Database for PostgreSQL server to list the PostgreSQL servers available within your Azure account.

04 Click on the name of the PostgreSQL database server that you want to examine.

05 In the navigation panel, under Settings, select Connection security to access the connection security settings for the selected PostgreSQL server.

06 On the Connection security configuration page, in the SSL settings section, check the Enforce SSL connection status. If the setting status is set to DISABLED, in-transit encryption is not enabled for the selected Microsoft Azure PostgreSQL server.

07 Repeat steps no. 4 – 6 for each PostgreSQL database server available in the current Azure subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure PowerShell

01 Run postgres server list command (Windows/macOS/Linux) using custom query filters to list the names of all PostgreSQL database servers (and the name of their associated resource groups) available in the current Azure subscription:

az postgres server list
	--output table
	--query '[*].{name:name, resourceGroup:resourceGroup}'

02 The command output should return a table with requested PostgreSQL server information:

Name                  ResourceGroup
--------------------  ------------------------------
cc-production-server  cloud-shell-storage-westeurope
cc-postgresql-server  cloud-shell-storage-westeurope

03 Run postgres server show command (Windows/macOS/Linux) using the name of the Azure PostgreSQL server that you want to examine as identifier parameter and custom query filters to obtain the "Enforce SSL connection" setting status for the selected database server:

az postgres server show
	--name "cc-production-server"
	--resource-group "cloud-shell-storage-westeurope"
	--query sslEnforcement

04 The command output should return the requested configuration setting status:

"Disabled"

If postgres server show command output returns "Disabled", as shown in the example above, the encryption in transit using SSL is not enabled for the selected Microsoft Azure PostgreSQL database server.

05 Repeat step no. 3 and 4 for each Azure PostgreSQL server provisioned in the selected subscription.

06 Repeat steps no. 1 – 5 for each subscription available within your Microsoft Azure cloud account.

Remediation / Resolution

To enable in-transit encryption by enforcing SSL connections between your PostgreSQL database servers and your client applications, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 From the Type filter box, select Azure Database for PostgreSQL server to list the PostgreSQL servers available in your Azure account.

04 Click on the name of the PostgreSQL server that you want to reconfigure (see Audit section part I to identify the right PostgreSQL resource).

05 In the navigation panel, under Settings, select Connection security to access the connection security settings for the selected PostgreSQL database server.

06 On the Connection security configuration page, in the SSL settings section, select ENABLED next to Enforce SSL connection setting to enable in-transit encryption for the selected Azure PostgreSQL database server.

07 Click Save to apply the configuration changes.

08 Repeat steps no. 4 – 7 for each PostgreSQL database server available within the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI and PowerShell

01 Run postgres server update command (Windows/macOS/Linux) using the name of the Azure PostgreSQL server that you want to reconfigure as identifier parameter (see Audit section part II to identify the right Azure resource) to enable in-transit encryption for the selected database server by setting the --ssl-enforcement parameter to Enabled:

az postgres server update
	--name "cc-production-server"
	--resource-group "cloud-shell-storage-westeurope"
	--ssl-enforcement Enabled

02 The command output should return the metadata for the reconfigured Azure PostgreSQL server:

{
  "earliestRestoreDate": "2019-07-24T11:28:45.067000+00:00",
  "fullyQualifiedDomainName": "cc-production-server.postgres.database.azure.com",
  "location": "westeurope",
  "name": "cc-production-server",
  "replicaCapacity": 5,
  "replicationRole": "None",
  "resourceGroup": "cloud-shell-storage-westeurope",
 
  ...
 
  "sslEnforcement": "Enabled",
  "storageProfile": {
    "backupRetentionDays": 30,
    "geoRedundantBackup": "Disabled",
    "storageAutoGrow": "Disabled",
    "storageAutogrow": null,
    "storageMb": 5120
  },
  "tags": {},
  "type": "Microsoft.DBforPostgreSQL/servers",
  "userVisibleState": "Ready",
  "version": "10"
}

03 Repeat step no. 1 and 2 for each PostgreSQL database server available in the selected subscription.

04 Repeat steps no. 1 – 3 for each subscription created within your Microsoft Azure cloud account.

References

Publication date Jul 29, 2019

Unlock the Remediation Steps


Gain free unlimited access
to our full Knowledge Base


Over 750 rules & best practices
for AWS and Azure

You are auditing:

Enable In-Transit Encryption for PostgreSQL Database Servers

Risk level: High