Azure CSPM PostgreSQL Servers

Rahul Nair 86 Reputation points
2022-01-17T20:36:25.537+00:00

Hello, I'm working on the Azure CSPM for a client. Quite new to Azure. I noticed there are 4 types of PostgreSQL servers with different endpoints. Now I follow CloudSploit to get the endpoint and checks, and there they've only done it for PostgreSQL Single Server, not the others. My question is, can it be applied to the other servers as well? For Single Server, the CSPM checks can easily be coded. The rest are complicated...

Here are the following checks to be coded:

  • Ensures SSL connection is enforced on MySQL servers
  • Ensures logs are configured to be retained for 4 or more days for PostgreSQL servers
  • Ensures connection throttling is enabled for PostgreSQL servers
  • Ensures connection duration logs are enabled for PostgreSQL servers
  • Ensures disconnection logs are enabled for PostgreSQL servers
  • Ensures connection logs are enabled for PostgreSQL servers
  • Ensures log checkpoints are enabled for PostgreSQL servers
  • Ensures SSL connections are enforced on PostgreSQL Servers
  • Ensures that Storage Auto-Growth feature is enabled for Microsoft Azure PostgreSQL servers.
  • Ensures that Active Directory admin is set up on all PostgreSQL servers.
  • Ensure that your Microsoft Azure PostgreSQL database servers have geo-redundant backups enabled.

Azure Database for PostgreSQL

1 answer

  1. GeethaThatipatri-MSFT 27,642 Reputation points Microsoft Employee
    2022-01-23T18:46:20.48+00:00

    Hi @Rahul Nair, sorry for the delay in response, and thank you for your patience.
    There are three offerings with Postgres as Platform as a Service (PaaS): Azure Database for PostgreSQL – Single Server, Azure Database for PostgreSQL – Flexible Server, and Azure Database for PostgreSQL – Hyperscale. When we talk about connection endpoints, we offer them with these services.

    • Ensures SSL connection is enforced on MySQL servers - As a PaaS service, we enforce SSL/TLS client connections for all our offerings by default.
    • Ensures logs are configured to be retained for 4 or more days for PostgreSQL servers - Again, it's a PaaS service, so logs are retained by us; the service can be configured to move logs to Azure Storage as well. The log_retention_period parameter can be used to set up retention up to 7 days.
    • Ensures connection throttling is enabled for PostgreSQL servers - That is controlled via a Postgres parameter (Connection-Throttling-Enabled | Vulnerability Database | Aqua Security). It can be set via the Azure Portal, CLI, etc.
    • Ensures connection duration logs are enabled for PostgreSQL servers - Set through parameters (How to configure Postgres log settings - Microsoft Tech Community).
    • Ensures disconnection logs are enabled for PostgreSQL servers - Set through parameters (How to configure Postgres log settings - Microsoft Tech Community).
    • Ensures connection logs are enabled for PostgreSQL servers - Set through parameters (How to configure Postgres log settings - Microsoft Tech Community).
    • Ensures log checkpoints are enabled for PostgreSQL servers - Set through parameters (How to configure Postgres log settings - Microsoft Tech Community).
    • Ensures SSL connections are enforced on PostgreSQL servers - As a PaaS service, we enforce SSL/TLS client connections for all our offerings by default.
    • Ensures that Active Directory admin is set up on all PostgreSQL servers - That feature can only be enabled in Azure Database for PostgreSQL Single Server; it will be implemented in the other offerings soon.
    • Ensure that your Microsoft Azure PostgreSQL database servers have geo-redundant backups enabled - This feature is only available in Single Server, and only as a preview in Flexible Server.

    As stated above, checking all of this programmatically can be done via the CLI on all versions of the service, including Single, Flexible and Hyperscale (az postgres flexible-server | Microsoft Learn, az postgres server | Microsoft Learn).

    Regards
    Geetha
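A worked example of the checks listed in the question, added here as an illustration; it is not part of the question, the answer, or CloudSploit's own code. It evaluates the Single Server checks over JSON of the shape the CLI commands named in the answer return (`az postgres server show`, `az postgres server configuration list`, `az postgres server ad-admin list`). The field and parameter names used (`sslEnforcement`, `storageProfile.storageAutogrow`, `storageProfile.geoRedundantBackup`, `log_retention_days`, the `on`/`off` server parameters) are assumptions about that output and should be confirmed against a live tenant; the two sample servers are constructed records, not captured data.

```python
"""CSPM-style checks for Azure Database for PostgreSQL (Single Server).

Inputs are the parsed JSON of (names assumed; verify against your tenant):
  server         -> az postgres server show -g <rg> -n <server> -o json
  configurations -> az postgres server configuration list -g <rg> -s <server> -o json
  ad_admins      -> az postgres server ad-admin list -g <rg> -s <server> -o json
"""
import json

MIN_LOG_RETENTION_DAYS = 4

# Server parameters that pass when their value is "on" (assumed names).
ON_PARAMS = {
    "connection_throttling": "connection_throttling",
    "log_duration": "log_duration",
    "log_disconnections": "log_disconnections",
    "log_connections": "log_connections",
    "log_checkpoints": "log_checkpoints",
}


def config_map(configurations):
    """Flatten the configuration list into {name: value}, normalising value case."""
    return {c["name"]: str(c.get("value", "")).strip().lower() for c in configurations}


def evaluate_server(server, configurations, ad_admins):
    """Return {check_id: (passed, detail)} for one Single Server instance."""
    cfg = config_map(configurations)
    results = {}

    # Boolean server parameters: absent is treated as failing, not as "on".
    for param, check_id in ON_PARAMS.items():
        value = cfg.get(param)
        results[check_id] = (value == "on", f"{param}={value!r}")

    # Retention: assumed parameter log_retention_days; a missing or
    # non-numeric value is a failure rather than a guess.
    raw = cfg.get("log_retention_days", "")
    try:
        days = int(raw)
    except ValueError:
        days = None
    results["log_retention_4d"] = (
        days is not None and days >= MIN_LOG_RETENTION_DAYS,
        f"log_retention_days={raw!r}",
    )

    ssl = str(server.get("sslEnforcement", "")).lower()
    results["ssl_enforced"] = (ssl == "enabled", f"sslEnforcement={ssl!r}")

    storage = server.get("storageProfile") or {}
    autogrow = str(storage.get("storageAutogrow", "")).lower()
    results["storage_autogrow"] = (autogrow == "enabled", f"storageAutogrow={autogrow!r}")

    geo = str(storage.get("geoRedundantBackup", "")).lower()
    results["geo_redundant_backup"] = (geo == "enabled", f"geoRedundantBackup={geo!r}")

    # AD admin: the list is empty when no Active Directory admin is configured.
    results["ad_admin_set"] = (len(ad_admins) > 0, f"{len(ad_admins)} AD admin(s)")
    return results


def failed_checks(results):
    """Sorted check ids that did not pass, for a one-line finding summary."""
    return sorted(check_id for check_id, (passed, _) in results.items() if not passed)


# Constructed sample records shaped like the CLI output (not from a real tenant).
HARDENED_SERVER = {
    "name": "pg-prod",
    "sslEnforcement": "Enabled",
    "storageProfile": {"storageAutogrow": "Enabled", "geoRedundantBackup": "Enabled"},
}
HARDENED_CONFIG = [{"name": p, "value": "on"} for p in ON_PARAMS] + [
    {"name": "log_retention_days", "value": "7"}
]
HARDENED_ADMINS = [{"login": "pg-admins@example.com"}]

WEAK_SERVER = {
    "name": "pg-dev",
    "sslEnforcement": "Disabled",
    "storageProfile": {"storageAutogrow": "Disabled", "geoRedundantBackup": "Disabled"},
}
WEAK_CONFIG = [
    {"name": "connection_throttling", "value": "off"},
    {"name": "log_connections", "value": "on"},
    {"name": "log_retention_days", "value": "3"},
]
WEAK_ADMINS = []

if __name__ == "__main__":
    for server, cfg, admins in (
        (HARDENED_SERVER, HARDENED_CONFIG, HARDENED_ADMINS),
        (WEAK_SERVER, WEAK_CONFIG, WEAK_ADMINS),
    ):
        results = evaluate_server(server, cfg, admins)
        print(server["name"], "failed:", json.dumps(failed_checks(results)))
```

The same structure carries over to Flexible Server by swapping in the `az postgres flexible-server` commands the answer points to; the JSON field names differ there, so map them explicitly rather than reusing the Single Server keys.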