Logo of Trend Micro
Use the Knowledge Base AI to help improve your Cloud Posture

Enable Transport Encryption for PostgreSQL Flexible Servers

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: PostgreSQL-015

Ensure that the databases managed with Azure Database for PostgreSQL have the Transport Encryption feature enabled in order to meet security and compliance requirements. Transport Encryption is the security feature that forces all connections to your database servers to use TLS/SSL. Once enabled, the data transport encryption and decryption is handled transparently and does not require any additional action from you or your application.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

According to HIPAA compliance, all connections made to Azure Database for PostgreSQL servers that process, store, and transmit PHI (Protected Health Information) must use encryption provided by the Transport Encryption feature. In Azure cloud, Transport Encryption implements encryption in transit using the require_secure_transport server parameter for PostgreSQL databases. Enforcing TLS/SSL connections between PostgreSQL database server and client applications also helps protect against Man-in-The-Middle (MITM) attacks by encrypting the data stream between the server and applications.

Audit

To determine if the Transport Encryption feature is enabled for your Azure PostgreSQL flexible database servers, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equalls all filter box and choose Apply.

04 From the Type equalls all filter box, choose Equals, select Azure Database for PostgreSQL - Flexible Server, and choose Apply to list only the Azure PostgreSQL flexible servers available in the selected subscription.

05 Click on the name (link) of the PostgreSQL flexible server that you want to examine.

06 In the resource navigation panel, under Settings, select Server parameters to access the configuration parameters available for the selected PostgreSQL server.

07 On the Server parameters page, select the All tab, and find the require_secure_transport configuration parameter using the Search to filter items search box. Check the require_secure_transport parameter value, listed in the Value column to determine the encryption feature status. If the parameter value is set to OFF, the Transport Encryption feature is not enabled for the selected Azure PostgreSQL flexible database server.

08 Repeat steps no. 5 - 7 for each PostgreSQL flexible server deployed within the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account: 

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs): 

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output): 

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run postgres flexible-server list command (Windows/macOS/Linux) with custom output filters to list the names of all PostgreSQL flexible servers (and the name of their associated resource groups) available in the selected Azure subscription: 

az postgres flexible-server list
	--output table
	--query '[*].{name:name, resourceGroup:resourceGroup}'

05 The command output should return a table with requested PostgreSQL server information: 

Name                     ResourceGroup
-----------------------  ------------------------------
cc-postgres-flexible-db  cloud-shell-storage-westeurope
cc-project5-flexible-db  cloud-shell-storage-westeurope

06 Run postgres flexible-server parameter show command (Windows/macOS/Linux) with the name of the Azure PostgreSQL flexible server that you want to examine and its associated resource group as the identifier parameters, to get the require_secure_transport parameter value for the selected PostgreSQL server in order to determine the encryption feature status: 

az postgres flexible-server parameter show
	--server-name "cc-postgres-flexible-db"
	--resource-group "cloud-shell-storage-westeurope"
	--name require_secure_transport
	--query 'value'

07 The command output should return the requested configuration value ("ON" or "on" for enabled, "OFF" or "off" for disabled): 

"OFF"

If the postgres flexible-server parameter show command output returns "OFF", as shown in the example above, the Transport Encryption feature is not enabled for the selected Azure PostgreSQL flexible database server.

08 Repeat steps no. 6 and 7 for each PostgreSQL flexible server provisioned in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription available within your Microsoft Azure cloud account.

Remediation / Resolution

To enable the Transport Encryption feature for your Azure PostgreSQL flexible database servers, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equalls all filter box and choose Apply.

04 From the Type equalls all filter box, choose Equals, select Azure Database for PostgreSQL - Flexible Server, and choose Apply to list only the Azure PostgreSQL flexible servers available in the selected subscription.

05 Click on the name (link) of the PostgreSQL flexible server that you want to configure.

06 In the resource navigation panel, under Settings, select Server parameters to access the configuration parameters available for the selected PostgreSQL server.

07 On the Server parameters page, perform the following actions:

  1. Select the All tab and find the require_secure_transport configuration parameter using the Search to filter items search box.
  2. Once the require_secure_transport server parameter is found, enable the parameter by toggling it ON in the Value column.
  3. Choose Save to apply the configuration changes. This will enable Transport Encryption for the selected Azure PostgreSQL flexible database server.

08 Repeat steps no. 5 - 7 for each PostgreSQL flexible server deployed in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run postgres flexible-server parameter set command (Windows/macOS/Linux) with the name of the PostgreSQL flexible server that you want to configure as the identifier parameter, to enable the require_secure_transport server parameter for the selected database server. This will enable Transport Encryption for the selected Azure PostgreSQL flexible server: 

az postgres flexible-server parameter set
	--server-name "cc-postgres-flexible-db"
	--resource-group "cloud-shell-storage-westeurope"
	--name require_secure_transport
	--value on

02 The command output should return the information available for the configured server parameter: 

{
	"allowedValues": "on,off",
	"dataType": "Boolean",
	"defaultValue": "on",
	"description": "Whether client connections to the server are required to use some form of secure transport.",
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DBforPostgreSQL/flexibleServers/cc-postgres-flexible-db/configurations/require_secure_transport",
	"isConfigPendingRestart": false,
	"isDynamicConfig": true,
	"isReadOnly": false,
	"name": "require_secure_transport",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"source": "user-override",
	"systemData": null,
	"type": "Microsoft.DBforPostgreSQL/flexibleServers/configurations",
	"unit": null,
	"value": "on"
}

03 Repeat steps no. 1 and 2 for each PostgreSQL flexible server provisioned in the selected Azure subscription.

04 Repeat steps no. 1 – 3 for each subscription created within your Microsoft Azure cloud account.

References

Publication date Feb 12, 2025

Related PostgreSQL rules