Enforce encrypted PostgreSQL connections#
Security · Azure Database for PostgreSQL · Rule · 2020_06 · Critical
Enforce encrypted PostgreSQL connections.
Description#
Azure Database for PostgreSQL is configured to only accept encrypted connections by default. When the setting enforce SSL connections is disabled, encrypted and unencrypted connections are permitted. This does not indicate that unencrypted connections are being used.
Unencrypted communication to PostgreSQL server instances could allow disclosure of information to an untrusted party.
Recommendation#
Azure Database for PostgreSQL should be configured to only accept encrypted connections. Unless explicitly required, consider enabling enforce SSL connections.
Also consider using Azure Policy to audit or enforce this configuration.
Examples#
Configure with Azure template#
To deploy servers that pass this rule:
- Set the
properties.sslEnforcementproperty toEnabled.
For example:
{
"type": "Microsoft.DBforPostgreSQL/servers",
"apiVersion": "2017-12-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"properties": {
"createMode": "Default",
"administratorLogin": "[parameters('localAdministrator')]",
"administratorLoginPassword": "[parameters('localAdministratorPassword')]",
"minimalTlsVersion": "TLS1_2",
"sslEnforcement": "Enabled",
"publicNetworkAccess": "Disabled",
"version": "11"
}
}
Configure with Bicep#
To deploy servers that pass this rule:
- Set the
properties.sslEnforcementproperty toEnabled.
For example:
resource single 'Microsoft.DBforPostgreSQL/servers@2017-12-01' = {
name: name
location: location
properties: {
createMode: 'Default'
administratorLogin: localAdministrator
administratorLoginPassword: localAdministratorPassword
minimalTlsVersion: 'TLS1_2'
sslEnforcement: 'Enabled'
publicNetworkAccess: 'Disabled'
version: '11'
}
}
Notes#
This rule is not applicable to PostgreSQL using the flexible server model.
Links#
- SE:07 Encryption
- Configure SSL connectivity in Azure Database for PostgreSQL
- Azure deployment reference