module/ConfigurationProvider/ControlConfigurations/Services/DBForPostgreSQL.json
{
"FeatureName": "DBForPostgreSql", "Reference": "aka.ms/azsktcp/dbforpostgresql", "IsMaintenanceMode": false, "Controls": [ { "ControlID": "Azure_DBforPostgreSQL_AuthZ_Enable_SSL_Connection", "Description": "SSL connection must be enabled for Azure Database for PostgreSQL", "DisplayName": "SSL connection must be enabled for Azure Database for PostgreSQL", "Category": "Encrypt data in transit", "ControlRequirements": "Data must be encrypted in transit and at rest", "Id": "DBforPostgreSQL120", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckPostgreSQLSSLConnection", "Rationale": "Enforcing SSL connections between your database server and your client applications helps protect against 'man-in-the-middle' attacks by encrypting the data stream between the server and your application.", "Recommendation": "To enable SSL connection for Azure Database for PostgreSQL server, refer https://docs.microsoft.com/en-us/azure/postgresql/concepts-ssl-connection-security.", "Tags": [ "SDL", "TCP", "AuthZ", "Automated", "SingleServer", "Baseline", "Weekly" ], "ControlEvaluationDetails": { "RequiredProperties": [ "SSLEnforcement" ] }, "Enabled": true, "CustomTags": [] }, { "ControlID": "Azure_DBforPostgreSQL_NetSec_Dont_Allow_Universal_IP_Range", "Description": "Do not use Any-to-Any IP range for Azure Database for PostgreSQL servers", "Id": "DBforPostgreSQL130", "DisplayName": "Do not use Any-to-Any IP range for Azure Database for PostgreSQL servers", "Category": "Deploy controls to restrict network traffic", "ControlRequirements": "Restrict network traffic flows", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckPostgreSQLFirewallIpRange", "Rationale": "Using the firewall feature ensures that access to the data or the service is restricted to a specific set/group of clients. 
NOTE: While this control does provide an extra layer of access control protection, it may not always be feasible to implement in all scenarios.", "Recommendation": "Do not configure 'Any to Any' firewall IP address. Refer: https://docs.microsoft.com/en-us/azure/postgresql/concepts-firewall-rules.", "Tags": [ "SDL", "TCP", "NetSec", "Automated", "SingleServer", "Baseline", "Weekly" ], "Enabled": true, "ControlEvaluationDetails": { "RequiredProperties": [ "FirewallRules" ] }, "ControlSettings": { "IPRangeStartIP": "0.0.0.0", "IPRangeEndIP": "255.255.255.255", "FirewallRuleName_AllowAzureIps": "AllowAllWindowsAzureIps" }, "CustomTags": [] }, { "ControlID": "Azure_DBforPostgreSQL_AuthZ_Firewall_Deny_AzureServices_Access", "DisplayName": "Use the 'Allow access to Azure services' flag for DBforPostgreSQL only if required", "Description": "Use the 'Allow access to Azure services' flag for DBforPostgreSQL only if required", "Category": "Management interfaces and ports must not be open", "ControlRequirements": "Restrict network traffic flows", "Id": "DBforPostgreSQL140", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckPostgreSQLFirewallAccessAzureService", "Rationale": "The 'Allow access to Azure services' setting configures a very broad range of IP addresses from Azure as permitted to access the PostgreSQL Server. Please make sure your scenario really requires this setting before enabling it. Turning it ON exposes your PostgreSQL Server to risk of attacks from resources (IPs) owned by others in the Azure region.", "Recommendation": "Turn 'OFF' the 'Allow access to Azure services' setting. 
Refer: https://docs.microsoft.com/en-us/azure/postgresql/concepts-firewall-rules#connecting-from-azure", "Tags": [ "SDL", "TCP", "AuthZ", "Automated", "SingleServer", "Weekly", "Baseline" ], "Enabled": true, "CustomTags": [], "ControlSettings": { "FirewallRuleName_AllowAzureIps": "AllowAllWindowsAzureIps" }, "ControlEvaluationDetails": { "RequiredProperties": [ "FirewallRules" ] } }, { "ControlID": "Azure_DBforPostgreSQL_Audit_Enable_ATP", "Description": "Advanced Threat Protection must be enabled for Azure Database for PostgreSQL", "Id": "DBforPostgreSQL160", "DisplayName": "Enable Threat detection for PostgreSQL", "Category": "Monitoring must be enabled", "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckPostgreSQLATPSetting", "Rationale": "Advanced Threat Protection for Azure Database for PostgreSQL provides a layer of security, which enables customers to detect and respond to potential threats as they occur by providing security alerts on anomalous activities.", "Recommendation": "Go to your Azure Database for PostgreSQL server --> Enable Advanced Threat Protection on the server --> Tick the checkbox to 'send email notification to admins and subscription owners'. 
Refer: https://docs.microsoft.com/en-us/azure/postgresql/howto-database-threat-protection-portal", "Tags": [ "SDL", "TCP", "Audit", "Automated", "SingleServer", "Baseline", "Weekly" ], "Enabled": true, "ControlSettings": { "UnsupportedTier": [ "Basic" ] }, "ControlEvaluationDetails": { "RequiredProperties": [ "ATPStatus", "Tier", "SecurityAlertPolicy" ] }, "CustomTags": [ "P2", "Wave99", "SN:PostgreSQL_TDE" ] }, { "ControlID": "Azure_DBforPostgreSQL_Audit_Enable_Diagnostics_Log", "Description": "Diagnostics logs must be enabled for Azure Database for PostgreSQL", "Id": "DBforPostgreSQL180", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckDiagnosticsSettings", "DisplayName": "Diagnostics logs must be enabled for Azure Database for PostgreSQL", "Category": "Monitoring must be correctly configured", "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance", "Rationale": "Logs should be retained for a long enough period so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. 
A period of 1 year is typical for several compliance requirements as well.", "Recommendation": "You can change the diagnostic settings from the Azure Portal by following the steps given here: https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings.", "Tags": [ "SDL", "TCP", "Automated", "Audit", "Diagnostics", "SingleServer", "DBforPostgreSQL", "Baseline", "Weekly" ], "ControlEvaluationDetails": { "RequiredProperties": [ "DiagnosticSettings" ] }, "Enabled": true, "ControlSettings": { "DiagnosticForeverRetentionValue": "0", "DiagnosticMinRetentionPeriod": "365", "DiagnosticLogs": [ "PostgreSQLLogs" ] }, "CustomTags": [] }, { "ControlID": "Azure_DBforPostgreSQL_Audit_Enable_Logging_On_Server", "Description": "Enable PostgreSQL server parameters log_connections and log_disconnections", "DisplayName": "Enable PostgreSQL server parameters log_connections and log_disconnections", "Category": "Monitoring must be enabled", "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance", "Id": "DBforPostgreSQL200", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckPostgreSQLLoggingParameters", "Rationale": "PostgreSQL server logging parameters enable log collection of important system events pertinent to security. Regular monitoring of logs can help to detect any suspicious and malicious activity early and respond in a timely manner.", "Recommendation": "To configure logging for your server, go to Server Parameters --> Set the following log parameters: a) 'log_connections': 'ON' b) 'log_disconnections': 'ON'. 
Refer: https://docs.microsoft.com/en-us/azure/postgresql/concepts-server-logs#configure-logging", "Tags": [ "SDL", "TCP", "Audit", "Automated", "SingleServer", "Baseline", "Weekly" ], "ControlEvaluationDetails": { "RequiredProperties": [ "ServerParameters" ] }, "Enabled": true, "CustomTags": [] }, { "ControlID": "Azure_DBforPostgreSQL_AuthN_Enable_Connection_Throttling", "Description": "Ensure server parameter 'connection_throttling' is set to 'ON'", "DisplayName": "Ensure server parameter 'connection_throttling' is set to 'ON'", "Category": "Deploy controls to restrict network traffic", "ControlRequirements": "Restrict network traffic flows", "Id": "DBforPostgreSQL210", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckPostgreSQLConnectionThrottlingServerParameter", "Rationale": "Connection throttling protects your server against password guessing and brute force attacks.", "Recommendation": "The 'connection_throttling' server parameter enables temporary connection throttling per IP for too many invalid password login failures. Go to Server parameter --> Turn 'ON' connection_throttling.", "Tags": [ "SDL", "TCP", "AuthN", "Automated", "SingleServer", "Baseline", "Weekly" ], "ControlEvaluationDetails": { "RequiredProperties": [ "ServerParameters" ] }, "Enabled": true, "CustomTags": [] }, { "ControlID": "Azure_DBforPostgreSQL_DP_Use_Secure_TLS_Version", "Description": "Use approved version of TLS for Azure Database for PostgreSQL Servers", "Id": "DBforPostgreSQL220", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckPostgreSQLTLSVersion", "DisplayName": "Use approved version of TLS for Azure Database for PostgreSQL Servers", "Category": "Encrypt data in transit", "ControlRequirements": "Data must be encrypted in transit and at rest", "Rationale": "TLS provides confidentiality and data integrity between client and server. 
Using approved TLS version significantly reduces risks from security design issues and security bugs that may be present in older versions.", "Recommendation": "To Configure 'Minimum TLS Version' setting for 'Azure Database for PostgreSQL' single server, go to Azure Portal --> Your Resource --> Connection Security --> Enable SSL, if Disabled --> Set the Minimum TLS Version to latest version. Refer: https://docs.microsoft.com/en-us/azure/postgresql/concepts-ssl-connection-security#tls-connectivity-in-azure-database-for-postgresql-single-server", "Tags": [ "DP", "Baseline" ], "Enabled": true, "CustomTags": [ "Daily", "SN:PostgreSQL_Server_TLS", "TenantBaseline", "TBv13" ], "ControlEvaluationDetails": { "RequiredProperties": [ "SSLEnforcement", "MinTLSVersion" ] }, "ControlSettings": { "MinReqTLSVersion": "1.2" } }, { "ControlID": "Azure_DBforPostgreSQL_AuthZ_Enable_SSL_Connection_MCSB", "Description": "[MCSB] Enforce SSL connection should be enabled for PostgreSQL database servers", "Id": "DBforPostgreSQL230", "ControlSeverity": "High", "ControlScanSource": "MDC", "Automated": "Yes", "DisplayName": "[MCSB] Enforce SSL connection should be enabled for PostgreSQL database servers", "Category": "Encrypt data in transit", "ControlRequirements": "Data must be encrypted in transit and at rest", "Rationale": "TLS provides confidentiality and data integrity between client and server. Using approved TLS version significantly reduces risks from security design issues and security bugs that may be present in older versions.", "Recommendation": "To Configure 'Minimum TLS Version' setting for 'Azure Database for PostgreSQL' single server, go to Azure Portal --> Your Resource --> Connection Security --> Enable SSL, if Disabled --> Set the Minimum TLS Version to latest version. 
Refer: https://docs.microsoft.com/en-us/azure/postgresql/concepts-ssl-connection-security#tls-connectivity-in-azure-database-for-postgresql-single-server", "Tags": [ "AuthZ", "DBforPostgreSQL", "Baseline" ], "AssessmentProperties": { "AssessmentNames": [ "1fde2073-a488-17e9-9534-5a3b23379b4b" ], "AssessmentStatusMappings": [ { "AssessmentStatusCode": "NotApplicable", "EffectiveVerificationResult": "Failed", "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*", "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed." } ] }, "Enabled": false, "CustomTags": [ "Daily", "MCSB" ] }, { "ControlID": "Azure_DBforPostgreSQL_DP_Use_Managed_Keys_MCSB", "Description": "[MCSB] PostgreSQL servers should use customer-managed keys to encrypt data at rest", "Id": "DBforPostgreSQL240", "ControlSeverity": "High", "Automated": "Yes", "ControlScanSource": "MDC", "DisplayName": "[MCSB] PostgreSQL servers should use customer-managed keys to encrypt data at rest", "Category": "Encrypt data in transit", "ControlRequirements": "Data must be encrypted in transit and at rest", "Rationale": "TDE (Transparent Data Encryption) ensures that sensitive data is stored encrypted at rest. This minimizes the risk of data loss from physical theft and also helps meet regulatory compliance requirements. 
And by using a customer-managed key, you can supplement default encryption with an additional encryption layer.", "Recommendation": "To use customer-managed keys to encrypt data in Azure DB for PostgreSQL server, please refer: https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-data-encryption", "Tags": [ "DBforPostgreSQL", "Baseline", "DP" ], "AssessmentProperties": { "AssessmentNames": [ "19d45f8f-245c-852e-dbf9-d4aab4758b1f" ], "AssessmentStatusMappings": [ { "AssessmentStatusCode": "NotApplicable", "EffectiveVerificationResult": "Failed", "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*", "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed." } ] }, "Enabled": false, "CustomTags": [ "Daily", "MCSB" ] }, { "ControlID": "Azure_DBForPostgreSQL_NetSec_Dont_Allow_Public_Network_Access_MCSB", "Description": "[MCSB] Public network access should be disabled for PostgreSQL servers", "Id": "DBForPostgreSQL250", "ControlSeverity": "High", "Automated": "Yes", "DisplayName": "[MCSB] Public network access should be disabled for PostgreSQL servers", "Category": "Deploy controls to restrict network traffic", "ControlRequirements": "Restrict network traffic flows", "Rationale": "Disabling the public network access property improves security by ensuring your PostgreSQL servers can only be accessed from a private endpoint. 
This configuration strictly disables access from any public address space outside of the Azure IP range and denies all logins that match IP or virtual network-based firewall rules.", "Recommendation": "To restrict public network access, please refer: https://learn.microsoft.com/en-us/azure/postgresql/single-server/how-to-deny-public-network-access", "ControlScanSource": "MDC", "AssessmentProperties": { "AssessmentNames": [ "b34f9fe7-80cd-6fb3-2c5b-951993746ca8" ], "AssessmentStatusMappings": [ { "AssessmentStatusCode": "NotApplicable", "EffectiveVerificationResult": "Failed", "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*", "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed." } ] }, "Tags": [ "Automated", "Baseline", "NetSec", "DBForPostgreSQL" ], "Enabled": false, "CustomTags": [ "Daily", "MCSB" ] }, { "ControlID": "Azure_DBForPostgreSQL_NetSec_Enable_Private_Endpoint_MCSB", "Description": "[MCSB] Private endpoint should be enabled for PostgreSQL servers", "Id": "DBForPostgreSQL260", "ControlSeverity": "High", "Automated": "Yes", "DisplayName": "[MCSB] Private endpoint should be enabled for PostgreSQL servers", "Category": "Deploy controls to restrict network traffic", "ControlRequirements": "Restrict network traffic flows", "Rationale": "Private endpoint connections enforce secure communication by enabling private connectivity to Azure PostgreSQL Database.", "Recommendation": "To enable private endpoint, please refer: https://learn.microsoft.com/en-us/azure/postgresql/single-server/concepts-data-access-and-security-private-link#configure-private-link-for-azure-database-for-postgresql-single-server", "ControlScanSource": "MDC", "AssessmentProperties": { "AssessmentNames": [ "c5b83aed-f53d-5201-8ffb-1f9938de410a" ], "AssessmentStatusMappings": [ { "AssessmentStatusCode": "NotApplicable", "EffectiveVerificationResult": "Failed", "AssessmentStatusCausePatterns": 
"(.)*OffByPolicy|Exempt(.)*", "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed." } ] }, "Tags": [ "Automated", "Baseline", "NetSec", "DBForPostgreSQL" ], "Enabled": false, "CustomTags": [ "Daily", "MCSB" ] }, { "ControlID": "Azure_DBForPostgreSQL_BCDR_Enable_Geo_Redundant_Backup_MCSB", "Description": "[MCSB] Geo-redundant backup should be enabled for Azure Database for PostgreSQL", "Id": "DBForPostgreSQL270", "ControlSeverity": "High", "Automated": "Yes", "DisplayName": "[MCSB] Geo-redundant backup should be enabled for Azure Database for PostgreSQL", "Category": "Monitoring must be correctly configured", "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance", "Rationale": "Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure.", "Recommendation": "After a server is created, the kind of redundancy it has, geographically redundant vs locally redundant, can't be switched, please create a new one with geo-redundant backup enabled. Refer: https://learn.microsoft.com/en-us/azure/postgresql/single-server/how-to-restore-server-portal#set-backup-configuration", "ControlScanSource": "MDC", "AssessmentProperties": { "AssessmentNames": [ "95592ab0-ddc8-660d-67f3-6df1fadfe7ec" ], "AssessmentStatusMappings": [ { "AssessmentStatusCode": "NotApplicable", "EffectiveVerificationResult": "Failed", "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*", "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed." 
} ] }, "Tags": [ "Automated", "Baseline", "BCDR", "DBForPostgreSQL" ], "Enabled": false, "CustomTags": [ "Daily", "MCSB" ] } ] }