More Info:

Ensure that Microsoft Azure PostgreSQL server data is encrypted in transit in order to meet security and compliance requirements. In-transit encryption helps prevent unauthorized users from getting access to critical data available in your Azure PostgreSQL databases.

Risk Level

High

Address

Security

Compliance Standards

CISAZURE, CBP, HITRUST, SOC2, NISTCSF, PCIDSS, FedRAMP

Triage and Remediation

Remediation

Using Console

Sure, here are the step-by-step instructions to remediate the misconfiguration of enabling in-transit encryption for PostgreSQL Database Servers in AZURE:
  1. Go to the AZURE portal and login to your account.
  2. In the left-hand menu, click on the “Azure Database for PostgreSQL servers” option.
  3. Select the PostgreSQL server for which you want to enable in-transit encryption.
  4. In the left-hand menu, under the “Security” section, click on the “Connection security” option.
  5. Under the “Connection security” section, toggle the “Enforce SSL connection” option to “Enabled”.
  6. Once you have enabled the “Enforce SSL connection” option, click on the “Save” button at the top of the page to save your changes.
That’s it! You have now remediated the misconfiguration of enabling in-transit encryption for PostgreSQL Database Servers in AZURE. Now, all connections to your PostgreSQL server will be encrypted using SSL.

To remediate the misconfiguration of enabling In-Transit Encryption for PostgreSQL Database Servers in AZURE using AZURE CLI, you can follow these step-by-step instructions:
  1. Open the Azure CLI in your preferred terminal.
  2. Login to your Azure account using the command below: 
    az login
  3. Once you are logged in, set the subscription where your PostgreSQL server is located using the command below: 
    az account set --subscription <subscription_name>
  4. Next, set the resource group where your PostgreSQL server is located using the command below: 
    az group set --name <resource_group_name>
  5. Now, enable SSL enforcement for your PostgreSQL server using the command below: 
    az postgres server update --resource-group <resource_group_name> --name <postgresql_server_name> --ssl-enforcement Enabled
    This command will enable SSL enforcement for your PostgreSQL server which will encrypt the data in transit.
  6. Finally, verify that SSL enforcement is enabled for your PostgreSQL server by running the following command: 
    az postgres server show --resource-group <resource_group_name> --name <postgresql_server_name> --query sslEnforcement
    This command will return the value “Enabled” which confirms that SSL enforcement is enabled for your PostgreSQL server.
By following these steps, you will be able to remediate the misconfiguration of enabling In-Transit Encryption for PostgreSQL Database Servers in AZURE using AZURE CLI.
To remediate the misconfiguration “Enable In-Transit Encryption for PostgreSQL Database Servers” in Azure using Python, you can follow the below steps:
  1. Import the necessary libraries:
from azure.common.credentials import ServicePrincipalCredentials
from azure.mgmt.postgresql import PostgreSQLManagementClient
from azure.mgmt.postgresql.models import ServerUpdateParameters
  1. Authenticate with Azure using Service Principal credentials:
TENANT_ID = 'your_tenant_id'
CLIENT_ID = 'your_client_id'
CLIENT_SECRET = 'your_client_secret'
SUBSCRIPTION_ID = 'your_subscription_id'

credentials = ServicePrincipalCredentials(
    client_id=CLIENT_ID,
    secret=CLIENT_SECRET,
    tenant=TENANT_ID
)
  1. Instantiate the PostgreSQLManagementClient:
client = PostgreSQLManagementClient(credentials, SUBSCRIPTION_ID)
  1. Get the existing server details:
resource_group_name = 'your_resource_group_name'
server_name = 'your_server_name'

server = client.servers.get(resource_group_name, server_name)
  1. Update the server with the in-transit encryption enabled:
params = ServerUpdateParameters(
    ssl_enforcement="Enabled"
)

client.servers.update(resource_group_name, server_name, params)
  1. Verify that the in-transit encryption is enabled:
server = client.servers.get(resource_group_name, server_name)
print(server.ssl_enforcement)
These steps will enable in-transit encryption for PostgreSQL Database Servers in Azure using Python.