Risk Level: Low
Description:
This plugin checks that SSL connections are enforced on Azure Database for PostgreSQL servers. Encrypting the data stream between the server and the application protects it against eavesdropping and man-in-the-middle attacks. Ensure the connection security settings of each PostgreSQL server are configured to enforce SSL connections.
About the Service :
Azure Database for PostgreSQL is a relational database service in the Microsoft cloud built on the PostgreSQL Community Edition database engine. It includes built-in high availability, data protection, and automated maintenance for the underlying hardware, operating system, and database engine, among other features.
Impact:
If SSL connections are not enforced between your database server and your client applications, the data stream can travel unencrypted, exposing credentials and query results to eavesdropping and "man-in-the-middle" attacks. Server-side enforcement guarantees encryption but not server identity: to defeat an active man-in-the-middle the client must also verify the server certificate (for example, libpq sslmode=verify-full with the CA certificate Azure publishes for the service), because sslmode=require accepts any certificate.
Steps to reproduce ( Azure CLI ):
- Sign in to Azure CLI.
- Run the command:
az postgres server list
- In the output, if the sslEnforcement attribute of a server is set to "Disabled", SSL connections are not enforced on that PostgreSQL server.
- Repeat the steps above for each PostgreSQL database server provisioned in the current Azure subscription, and in every other subscription in your Microsoft Azure cloud account.
Steps for remediation :
- Sign in to Azure CLI.
- Run the command:
az postgres server update --name <server_name> --resource-group <resource_group_name> --ssl-enforcement Enabled
For example: az postgres server update --name pingsafe-server-test --resource-group test-resource-group --ssl-enforcement Enabled
This enables SSL enforcement on the selected PostgreSQL server; existing plaintext connections are rejected once the setting is applied.
- Repeat the steps above to reconfigure every PostgreSQL database server that does not enforce SSL, in all your Azure subscriptions.
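The audit and remediation steps above, combined into one script. This is an added example, not code from the original page or from the plugin vendor. The server records in SAMPLE_SERVERS are constructed to look like the fields `az postgres server list -o json` returns; the function names, the `--live` and `--fix` flags, and the subscription IDs are my own choices. The live path assumes a signed-in Azure CLI.

```python
import json
import subprocess
from typing import Dict, List, Optional

# Constructed sample, shaped like the records `az postgres server list -o json`
# returns for Azure Database for PostgreSQL (Single Server). Only the fields
# this check uses are filled in; real output carries many more.
SAMPLE_SERVERS = [
    {"name": "pingsafe-server-test", "resourceGroup": "test-resource-group",
     "sslEnforcement": "Disabled"},
    {"name": "orders-db", "resourceGroup": "prod-rg",
     "sslEnforcement": "Enabled"},
    {"name": "legacy-db", "resourceGroup": "prod-rg",
     "sslEnforcement": "disabled"},   # different case; still non-compliant
    {"name": "unknown-db", "resourceGroup": "prod-rg"},  # attribute missing
]


def find_unenforced(servers: List[Dict]) -> List[Dict]:
    """Return the servers whose sslEnforcement is not Enabled.

    Anything other than an explicit "Enabled" (Disabled, odd casing, or a
    missing attribute) is reported, so a malformed or truncated record can
    never be mistaken for a compliant server.
    """
    findings = []
    for s in servers:
        value = str(s.get("sslEnforcement", "")).strip().lower()
        if value != "enabled":
            findings.append(s)
    return findings


def remediation_command(server: Dict, subscription: Optional[str] = None) -> List[str]:
    """Build the argv for the fix described on this page (az postgres server update)."""
    cmd = ["az", "postgres", "server", "update",
           "--name", server["name"],
           "--resource-group", server["resourceGroup"],
           "--ssl-enforcement", "Enabled"]
    if subscription:
        cmd += ["--subscription", subscription]
    return cmd


def az_json(args: List[str]) -> List[Dict]:
    """Run an az command and parse its JSON output (needs a signed-in az CLI)."""
    out = subprocess.run(["az", *args, "-o", "json"], check=True,
                         capture_output=True, text=True).stdout
    return json.loads(out)


def audit_all_subscriptions(apply_fix: bool = False) -> Dict[str, List[Dict]]:
    """Walk every enabled subscription in the account and collect findings.

    Findings are keyed by subscription ID. With apply_fix=True the remediation
    command is executed for each finding; by default the script only reports
    and prints the command it would run.
    """
    report: Dict[str, List[Dict]] = {}
    for sub in az_json(["account", "list"]):
        if sub.get("state") != "Enabled":
            continue
        sub_id = sub["id"]
        servers = az_json(["postgres", "server", "list", "--subscription", sub_id])
        findings = find_unenforced(servers)
        if findings:
            report[sub_id] = findings
        for s in findings:
            cmd = remediation_command(s, sub_id)
            print(" ".join(cmd))
            if apply_fix:
                subprocess.run(cmd, check=True)
    return report


if __name__ == "__main__":
    import sys
    # Offline dry run over the constructed sample records...
    for s in find_unenforced(SAMPLE_SERVERS):
        print("NON-COMPLIANT:", s["name"], "->", " ".join(remediation_command(s)))
    # ...and the real audit only when asked for it (add --fix to remediate).
    if "--live" in sys.argv:
        audit_all_subscriptions(apply_fix="--fix" in sys.argv)
```

Run it with no arguments to see the check applied to the sample data, with `--live` to audit every enabled subscription, and with `--live --fix` to remediate. Note that `az postgres server` and the sslEnforcement attribute belong to the Single Server deployment option; Flexible Server instances are managed with `az postgres flexible-server` and enforce TLS through the require_secure_transport server parameter, so this script does not cover them.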
References:
- https://docs.microsoft.com/en-us/azure/postgresql/concepts-monitoring
- https://docs.microsoft.com/en-us/azure/postgresql/concepts-server-logs