
Use Microsoft Defender

Security · Azure Database for PostgreSQL · Rule · 2022_12 · Important

Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL.

Description

Defender for Cloud detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.

Recommendation

Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL.

Examples

Configure with Azure template

To deploy Azure Database for PostgreSQL Single Servers that pass this rule:

  • Deploy a Microsoft.DBforPostgreSQL/servers/securityAlertPolicies sub-resource (child resource).
  • Set the properties.state property to Enabled.

For example:

Azure Template snippet
{
  "type": "Microsoft.DBforPostgreSQL/servers",
  "apiVersion": "2017-12-01",
  "name": "[parameters('serverName')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "[parameters('skuName')]",
    "tier": "GeneralPurpose",
    "capacity": "[parameters('SkuCapacity')]",
    "size": "[format('{0}', parameters('skuSizeMB'))]",
    "family": "[parameters('skuFamily')]"
  },
  "properties": {
    "createMode": "Default",
    "version": "[parameters('postgresqlVersion')]",
    "administratorLogin": "[parameters('administratorLogin')]",
    "administratorLoginPassword": "[parameters('administratorLoginPassword')]",
    "storageProfile": {
      "storageMB": "[parameters('skuSizeMB')]",
      "backupRetentionDays": 7,
      "geoRedundantBackup": "Enabled"
    }
  },
  "resources": [
    {
      "type": "Microsoft.DBforPostgreSQL/servers/securityAlertPolicies",
      "apiVersion": "2017-12-01",
      "name": "Default",
      "dependsOn": ["[parameters('serverName')]"],
      "properties": {
        "emailAccountAdmins": true,
        "emailAddresses": ["soc@contoso.com"],
        "retentionDays": 14,
        "state": "Enabled",
        "storageAccountAccessKey": "account-key",
        "storageEndpoint": "https://contoso.blob.core.windows.net"
      }
    }
  ]
}
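
A pre-deployment check for the template shape shown above, as an added example (it is not part of this rule's own implementation): it lists PostgreSQL Single Server resources in an ARM template that have no securityAlertPolicies child with properties.state set to Enabled. The function name, the sample template and its server names are constructed for illustration, and the check assumes "resources" is an array and that top-level child names are literal strings rather than template expressions.

```python
import json

SERVER = "microsoft.dbforpostgresql/servers"
POLICY = SERVER + "/securityalertpolicies"

# Constructed sample template: pg-a has an enabled nested policy, pg-b has a
# disabled top-level policy, pg-c has no policy at all.
SAMPLE = json.loads("""
{"resources": [
  {"type": "Microsoft.DBforPostgreSQL/servers", "name": "pg-a",
   "resources": [{"type": "Microsoft.DBforPostgreSQL/servers/securityAlertPolicies",
                  "name": "Default", "properties": {"state": "Enabled"}}]},
  {"type": "Microsoft.DBforPostgreSQL/servers", "name": "pg-b"},
  {"type": "Microsoft.DBforPostgreSQL/servers/securityAlertPolicies",
   "name": "pg-b/Default", "properties": {"state": "Disabled"}},
  {"type": "Microsoft.DBforPostgreSQL/servers", "name": "pg-c"}
]}
""")


def _enabled(resource):
    """True when the policy's properties.state is Enabled (case-insensitive)."""
    state = resource.get("properties", {}).get("state", "")
    return str(state).lower() == "enabled"


def servers_without_defender(template):
    """Return names of Single Server resources lacking an enabled alert policy."""
    resources = template.get("resources", [])
    # Top-level child resources are named "<server>/<policy>"; names that are
    # template expressions are not resolved here (assumption of this example).
    top_level = {
        r["name"].split("/")[0].lower()
        for r in resources
        if r.get("type", "").lower() == POLICY and _enabled(r)
    }
    failing = []
    for r in resources:
        if r.get("type", "").lower() != SERVER:
            continue
        # Nested children may use the full type or the short child type.
        nested = any(
            c.get("type", "").lower() in (POLICY, "securityalertpolicies") and _enabled(c)
            for c in r.get("resources", [])
        )
        if not nested and r["name"].lower() not in top_level:
            failing.append(r["name"])
    return failing


if __name__ == "__main__":
    print(servers_without_defender(SAMPLE))
```
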

Configure with Bicep

To deploy Azure Database for PostgreSQL Single Servers that pass this rule:

  • Deploy a Microsoft.DBforPostgreSQL/servers/securityAlertPolicies sub-resource (child resource).
  • Set the properties.state property to Enabled.

For example:

Azure Bicep snippet
resource postgresqlDbServer 'Microsoft.DBforPostgreSQL/servers@2017-12-01' = {
  name: serverName
  location: location
  sku: {
    name: skuName
    tier: 'GeneralPurpose'
    capacity: skuCapacity
    size: '${skuSizeMB}'
    family: skuFamily
  }
  properties: {
    createMode: 'Default'
    version: postgresqlVersion
    administratorLogin: administratorLogin
    administratorLoginPassword: administratorLoginPassword
    storageProfile: {
      storageMB: skuSizeMB
      backupRetentionDays: 7
      geoRedundantBackup: 'Enabled'
    }
  }
}

resource postgresqlDefender 'Microsoft.DBforPostgreSQL/servers/securityAlertPolicies@2017-12-01' = {
  name: 'Default'
  parent: postgresqlDbServer
  properties: {
    emailAccountAdmins: true
    emailAddresses: ['soc@contoso.com']
    retentionDays: 14
    state: 'Enabled'
    storageAccountAccessKey: 'account-key'
    storageEndpoint: 'https://contoso.blob.core.windows.net'
  }
}

Notes

This rule applies only to the Azure Database for PostgreSQL Single Server deployment model.

The Azure Database for PostgreSQL Flexible Server deployment model does not currently support Microsoft Defender for Cloud.
