More Info:

Ensure that “connection_throttling” server parameter is enabled for all PostgreSQL database servers provisioned within your Microsoft Azure cloud account. The “connection_throttling” parameter enables temporary connection throttling per IP address for too many invalid login failures.

Risk Level

Medium

Address

Security

Compliance Standards

CISAZURE, CBP, SOC2, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

To enable “CONNECTION_THROTTLING” parameter for PostgreSQL Servers in Azure using Azure Console, please follow the below steps:Step 1: Login to the Azure Portal (https://portal.azure.com/).Step 2: Navigate to the Azure Database for PostgreSQL Server that you want to configure.Step 3: Click on the “Settings” option in the left-hand menu.Step 4: Under the “Settings” menu, click on the “Configuration” option.Step 5: In the “Configuration” menu, click on the “Add parameter” button.Step 6: In the “Add parameter” window, enter “CONNECTION_THROTTLING” in the “Parameter name” field.Step 7: In the “Value” field, enter the desired value for the parameter. For example, “1” to enable the parameter.Step 8: Click on the “OK” button to save the parameter.Step 9: Restart the PostgreSQL server for the changes to take effect.After following these steps, “CONNECTION_THROTTLING” parameter will be enabled for the PostgreSQL server in Azure.

To enable “CONNECTION_THROTTLING” parameter for PostgreSQL Servers on Azure using Azure CLI, follow these steps:
  1. Open the Azure CLI on your local machine or use the Azure Cloud Shell.
  2. Login to your Azure account using the command: az login.
  3. Select the subscription in which your PostgreSQL server is present using the command: az account set --subscription <subscription_id>.
  4. Get the resource ID of the PostgreSQL server by running the following command: az postgres server show --resource-group <resource_group_name> --name <server_name> --query id --output tsv.
  5. Set the “CONNECTION_THROTTLING” parameter to “on” using the command: az postgres server configuration set --resource-group <resource_group_name> --server-name <server_name> --name "connection_throttling" --value "on".
  6. Verify that the parameter has been set to “on” by running the command: az postgres server configuration show --resource-group <resource_group_name> --server-name <server_name> --name "connection_throttling".
Note: Replace <subscription_id>, <resource_group_name>, and <server_name> with your actual values.
To remediate the misconfiguration “Enable CONNECTION_THROTTLING Parameter for PostgreSQL Servers” in Azure using Python, you can follow the below steps:
  1. Import the required modules:
from azure.identity import DefaultAzureCredential
from azure.mgmt.postgresql import PostgreSQLManagementClient
from azure.mgmt.postgresql.models import Configuration, ConfigurationValue
  1. Authenticate to Azure using DefaultAzureCredential:
credential = DefaultAzureCredential()
  1. Create a PostgreSQLManagementClient object:
subscription_id = '<subscription_id>'
resource_group_name = '<resource_group_name>'
server_name = '<server_name>'

client = PostgreSQLManagementClient(credential, subscription_id)
  1. Get the current configuration of the PostgreSQL server:
current_configuration = client.configurations.list_by_server(resource_group_name, server_name)
  1. Check if the “CONNECTION_THROTTLING” parameter is already enabled:
is_connection_throttling_enabled = False

for configuration in current_configuration:
    if configuration.name == "CONNECTION_THROTTLING":
        is_connection_throttling_enabled = True
        break
  1. If the “CONNECTION_THROTTLING” parameter is not enabled, set it to “ON” and update the configuration:
if not is_connection_throttling_enabled:
    new_configuration = Configuration(name="CONNECTION_THROTTLING",
                                       value=ConfigurationValue(default_value="on",
                                                                source="system-default"))
    client.configurations.create_or_update(resource_group_name, server_name, "CONNECTION_THROTTLING", new_configuration)
  1. Verify that the parameter has been enabled by checking the updated configuration:
updated_configuration = client.configurations.list_by_server(resource_group_name, server_name)

for configuration in updated_configuration:
    if configuration.name == "CONNECTION_THROTTLING":
        print("CONNECTION_THROTTLING parameter is now enabled")
With these steps, you should be able to remediate the misconfiguration “Enable CONNECTION_THROTTLING Parameter for PostgreSQL Servers” in Azure using Python.