Ensure Azure PostgreSQL database server with SSL connection is enabled

Error: Azure PostgreSQL database server with SSL connection is disabled

Bridgecrew Policy ID: BC_AZR_NETWORKING_10
Checkov Check ID: CKV_AZURE_29
Severity: MEDIUM

Description

SSL connectivity adds a layer of security by connecting the database server to client applications over Secure Sockets Layer (SSL). Enforcing SSL connections between the database server and client applications encrypts the data stream between them, which helps protect against man-in-the-middle attacks.

We recommend you set Enforce SSL connection to Enable on PostgreSQL Server databases.

Fix - Runtime

Azure Portal

To change the policy using the Azure Portal, follow these steps:

  1. Log in to the Azure Portal at https://portal.azure.com.
  2. Navigate to Azure Database for PostgreSQL server.
  3. For each database:
    a) Click Connection security.
    b) Navigate to the SSL Settings section.
    c) For Enforce SSL connection, click ENABLED.

CLI Command

To set Enforce SSL Connection for a PostgreSQL Database, use the following command:

az postgres server update \
  --resource-group <resourceGroupName> \
  --name <serverName> \
  --ssl-enforcement Enabled

Fix - Buildtime

Terraform

  • Resource: azurerm_postgresql_server
  • Argument: ssl_enforcement_enabled

resource "azurerm_postgresql_server" "example" {
    ...
 +  ssl_enforcement_enabled             = true
}