More Info:

Ensure that infrastructure double encryption is enabled for your Azure PostgreSQL database servers in order to add a second layer of encryption for your PostgreSQL databases using a different encryption algorithm which provides enhanced data protection.

Risk Level

Medium

Address

Security

Compliance Standards

CISAZURE, CBP, HITRUST, GDPR, SOC2, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Enable Infrastructure Double Encryption” in Azure using Azure Console, follow the below steps:
  1. Login to the Azure Portal (https://portal.azure.com/)
  2. Click on the “Virtual machines” option from the left-hand menu.
  3. Select the virtual machine that you want to remediate.
  4. Click on the “Disks” option from the left-hand menu.
  5. Select the disk that you want to remediate.
  6. Click on the “Disk Encryption” option from the left-hand menu.
  7. Click on the “Enable encryption” button.
  8. Select the key vault that you want to use for encryption.
  9. Click on the “Save” button to enable encryption.
By following these steps, you can remediate the misconfiguration “Enable Infrastructure Double Encryption” in Azure using Azure Console.

To remediate the misconfiguration of enabling infrastructure double encryption in AZURE using AZURE CLI, please follow the below steps:
  1. Open the AZURE CLI in your terminal or command prompt.
  2. Login to your AZURE account using the command “az login”.
  3. Select the subscription in which the infrastructure needs to be double encrypted using the command az account set --subscription <subscription-id>
  4. Enable the infrastructure double encryption by creating a new storage account with encryption enabled using the command az storage account create --name <storage-account-name> --resource-group <resource-group-name> --location <location> --sku Standard_LRS --encryption-services blob --encryption blob.
  5. Verify that the infrastructure double encryption is enabled by checking the encryption status of the storage account using the command az storage account show --name <storage-account-name> --resource-group <resource-group-name> --query "encryption.services.blob.enabled".
By doing the above steps, you have successfully remediated the misconfiguration of enabling infrastructure double encryption in AZURE using AZURE CLI.
To enable Infrastructure Double Encryption in Azure using Python, you can follow these steps:
  1. Install the Azure SDK for Python using pip: 
    pip install azure-mgmt-storage
  2. Import the necessary modules: 
    from azure.common.credentials import ServicePrincipalCredentials
from azure.mgmt.storage import StorageManagementClient
from azure.mgmt.storage.models import StorageAccountUpdateParameters
from azure.mgmt.storage.models import Encryption
from azure.mgmt.storage.models import EncryptionService
from azure.mgmt.storage.models import EncryptionServiceType
  3. Set up the Azure credentials: 
    credentials = ServicePrincipalCredentials(
    client_id='<client-id>',
    secret='<client-secret>',
    tenant='<tenant-id>'
)
  4. Create a StorageManagementClient object: 
    storage_client = StorageManagementClient(credentials, subscription_id)
  5. Get the storage account that you want to enable Infrastructure Double Encryption for: 
    storage_account = storage_client.storage_accounts.get_properties(resource_group_name, account_name)
  6. Create an Encryption object with the necessary properties: 
    encryption = Encryption(
    services=[
        EncryptionService(
            service=EncryptionServiceType.blob,
            enabled=True
        ),
        EncryptionService(
            service=EncryptionServiceType.file,
            enabled=True
        )
    ]
)
  7. Create a StorageAccountUpdateParameters object with the Encryption object: 
    update_params = StorageAccountUpdateParameters(
    encryption=encryption
)
  8. Update the storage account with the StorageAccountUpdateParameters object: 
    storage_client.storage_accounts.update(resource_group_name, account_name, update_params)
These steps will enable Infrastructure Double Encryption for the specified storage account in Azure using Python.