Azure Policy Regulatory Compliance controls for Azure Database for PostgreSQL

APPLIES TO: Azure Database for PostgreSQL - Single Server

Important

Azure Database for PostgreSQL - Single Server is on the retirement path. We strongly recommend that you upgrade to Azure Database for PostgreSQL - Flexible Server. For more information about migrating to Azure Database for PostgreSQL - Flexible Server, see What's happening to Azure Database for PostgreSQL Single Server?.

Regulatory Compliance in Azure Policy provides Microsoft created and managed initiative definitions, known as built-ins, for the compliance domains and security controls related to different compliance standards. This page lists the compliance domains and security controls for Azure Database for PostgreSQL. You can assign the built-ins for a security control individually to help make your Azure resources compliant with the specific standard.

The title of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Policy Version column to view the source on the Azure Policy GitHub repo.

Important

Each control is associated with one or more Azure Policy definitions. These policies might help you assess compliance with the control. However, there often isn't a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policies themselves. This doesn't ensure that you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between controls and Azure Policy Regulatory Compliance definitions for these compliance standards can change over time.

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Azure Database for PostgreSQL Flexible Server should be Zone Resilient Azure Database for PostgreSQL Flexible Server can be configured to be either Zone Aligned, Zone Redundant, or neither. PostgreSQL Server that has a standby server selected in same zone for high availability is considered Zone Aligned. In contrast, PostgreSQL Server that has a standby server selected to be in a different zone for high availability is recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations. Audit, Deny, Disabled 1.0.0-preview
[Preview]: Azure PostgreSQL flexible server should have Microsoft Entra Only Authentication enabled Disabling local authentication methods and allowing only Microsoft Entra Authentication improves security by ensuring that Azure PostgreSQL flexible server can exclusively be accessed by Microsoft Entra identities. Audit, Disabled 1.0.0-preview
A Microsoft Entra administrator should be provisioned for PostgreSQL flexible servers Audit provisioning of a Microsoft Entra administrator for your PostgreSQL flexible server to enable Microsoft Entra authentication. Microsoft Entra authentication enables simplified permission management and centralized identity management of database users and other Microsoft services AuditIfNotExists, Disabled 1.0.0
A Microsoft Entra administrator should be provisioned for PostgreSQL servers Audit provisioning of a Microsoft Entra administrator for your PostgreSQL server to enable Microsoft Entra authentication. Microsoft Entra authentication enables simplified permission management and centralized identity management of database users and other Microsoft services AuditIfNotExists, Disabled 1.0.1
Auditing with PgAudit should be enabled for PostgreSQL flexible servers This policy helps audit any PostgreSQL flexible servers in your environment which is not enabled to use pgaudit. AuditIfNotExists, Disabled 1.0.0
Azure Defender for SQL should be enabled for unprotected PostgreSQL flexible servers Audit PostgreSQL flexible servers without Advanced Data Security AuditIfNotExists, Disabled 1.0.0
Configure Advanced Threat Protection to be enabled on Azure database for PostgreSQL flexible servers Enable Advanced Threat Protection on your Azure database for PostgreSQL flexible servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. DeployIfNotExists, Disabled 1.1.0
Configure Advanced Threat Protection to be enabled on Azure database for PostgreSQL servers Enable Advanced Threat Protection on your non-Basic tier Azure database for PostgreSQL servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. DeployIfNotExists, Disabled 1.2.0
Connection throttling should be enabled for PostgreSQL database servers This policy helps audit any PostgreSQL databases in your environment without Connection throttling enabled. This setting enables temporary connection throttling per IP for too many invalid password login failures. AuditIfNotExists, Disabled 1.0.0
Connection throttling should be enabled for PostgreSQL flexible servers This policy helps audit any PostgreSQL flexible servers in your environment without Connection throttling enabled. This setting enables temporary connection throttling per IP for too many invalid password login failures. AuditIfNotExists, Disabled 1.0.0
Deploy Diagnostic Settings for PostgreSQL flexible servers to Log Analytics workspace Deploys the diagnostic settings for PostgreSQL flexible servers to stream to a regional Log Analytics workspace when any PostgreSQL flexible servers which is missing this diagnostic settings is created or updated. DeployIfNotExists, Disabled 1.0.0
Disconnections should be logged for PostgreSQL database servers. This policy helps audit any PostgreSQL databases in your environment without log_disconnections enabled. AuditIfNotExists, Disabled 1.0.0
Disconnections should be logged for PostgreSQL flexible servers This policy helps audit any PostgreSQL flexible servers in your environment without log_disconnections enabled. AuditIfNotExists, Disabled 1.0.1
Enable logging by category group for microsoft.dbforpostgresql/flexibleservers to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.dbforpostgresql/flexibleservers. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.dbforpostgresql/flexibleservers to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.dbforpostgresql/flexibleservers. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.dbforpostgresql/flexibleservers to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.dbforpostgresql/flexibleservers. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.dbforpostgresql/servergroupsv2 to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.dbforpostgresql/servergroupsv2. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.dbforpostgresql/servergroupsv2 to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.dbforpostgresql/servergroupsv2. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.dbforpostgresql/servergroupsv2 to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.dbforpostgresql/servergroupsv2. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.dbforpostgresql/servers to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.dbforpostgresql/servers. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.dbforpostgresql/servers to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.dbforpostgresql/servers. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.dbforpostgresql/servers to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.dbforpostgresql/servers. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for PostgreSQL flexible server (microsoft.dbforpostgresql/flexibleservers) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Database for PostgreSQL flexible server (microsoft.dbforpostgresql/flexibleservers). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enforce SSL connection should be enabled for PostgreSQL database servers Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Audit, Disabled 1.0.1
Enforce SSL connection should be enabled for PostgreSQL flexible servers Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL flexible server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database flexible server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your PostgreSQL flexible server. AuditIfNotExists, Disabled 1.0.0
Geo-redundant backup should be enabled for Azure Database for PostgreSQL Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. Audit, Disabled 1.0.1
Geo-redundant backup should be enabled for Azure Database for PostgreSQL flexible servers Azure Database for PostgreSQL flexible servers allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. Audit, Disabled 1.0.0
Infrastructure encryption should be enabled for Azure Database for PostgreSQL servers Enable infrastructure encryption for Azure Database for PostgreSQL servers to have higher level of assurance that the data is secure. When infrastructure encryption is enabled, the data at rest is encrypted twice using FIPS 140-2 compliant Microsoft managed keys Audit, Deny, Disabled 1.0.0
Log checkpoints should be enabled for PostgreSQL database servers This policy helps audit any PostgreSQL databases in your environment without log_checkpoints setting enabled. AuditIfNotExists, Disabled 1.0.0
Log checkpoints should be enabled for PostgreSQL flexible servers This policy helps audit any PostgreSQL flexible servers in your environment without log_checkpoints setting enabled. AuditIfNotExists, Disabled 1.0.0
Log connections should be enabled for PostgreSQL database servers This policy helps audit any PostgreSQL databases in your environment without log_connections setting enabled. AuditIfNotExists, Disabled 1.0.0
Log connections should be enabled for PostgreSQL flexible servers This policy helps audit any PostgreSQL flexible servers in your environment without log_connections setting enabled. AuditIfNotExists, Disabled 1.0.0
Log duration should be enabled for PostgreSQL database servers This policy helps audit any PostgreSQL databases in your environment without log_duration setting enabled. AuditIfNotExists, Disabled 1.0.0
PostgreSQL flexible servers should be running TLS version 1.2 or newer This policy helps audit any PostgreSQL flexible servers in your environment which is running with TLS version less than 1.2. AuditIfNotExists, Disabled 1.1.0
PostgreSQL flexible servers should use customer-managed keys to encrypt data at rest Use customer-managed keys to manage the encryption at rest of your PostgreSQL flexible servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Audit, Deny, Disabled 1.1.0
PostgreSQL server should use a virtual network service endpoint Virtual network based firewall rules are used to enable traffic from a specific subnet to Azure Database for PostgreSQL while ensuring the traffic stays within the Azure boundary. This policy provides a way to audit if the Azure Database for PostgreSQL has virtual network service endpoint being used. AuditIfNotExists, Disabled 1.0.2
PostgreSQL servers should use customer-managed keys to encrypt data at rest Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. AuditIfNotExists, Disabled 1.0.4
Private endpoint should be enabled for PostgreSQL flexible servers Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. AuditIfNotExists, Disabled 1.0.0
Private endpoint should be enabled for PostgreSQL servers Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. AuditIfNotExists, Disabled 1.0.2
Public network access should be disabled for PostgreSQL flexible servers Disabling the public network access property improves security by ensuring your Azure Database for PostgreSQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range and denies all logins that match IP based firewall rules. Audit, Deny, Disabled 3.1.0
Public network access should be disabled for PostgreSQL servers Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. Audit, Deny, Disabled 2.0.1

Next steps