module/ConfigurationProvider/ControlConfigurations/Services/DBForPostgreSQLFlexibleServer.json

{
  "FeatureName": "DBForPostgreSqlFlexibleServer",
  "Reference": "",
  "IsMaintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_DBForPostgreSQLFlexibleServer_Enable_Diagnostic_Settings",
      "Description": "Diagnostics logs must be enabled for Azure Database for PostgreSQL - Flexible Servers",
      "Id": "DBForPostgreSQLFS100",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckDiagnosticsSettings",
      "DisplayName": "Diagnostics logs must be enabled for Azure Database for PostgreSQL - Flexible Servers",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Auditing logs must be enabled as they provide the details needed for investigation in the event of a security breach or threat",
      "Recommendation": "To configure 'Diagnostic settings' for Azure Database for PostgreSQL Flexible servers (refer to https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/how-to-configure-and-access-logs for more details), go to Azure Portal --> Your Database for PostgreSQL Flexible server --> Diagnostic settings --> Enable the [PostgreSQL Server Logs] category with a minimum retention period of 90 days.",
      "Tags": [
        "Automated",
        "Audit",
        "Diagnostics",
        "DBForPostgreSqlFlexibleServer",
        "Baseline"
      ],
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "DiagnosticSettings"
        ]
      },
      "Enabled": true,
      "ControlSettings": {
        "DiagnosticForeverRetentionValue": "0",
        "DiagnosticMinRetentionPeriod": "90",
        "DiagnosticLogs": [
          "PostgreSQLLogs"
        ]
      },
      "CustomTags": [
        "Weekly"
      ]
    },
    {
      "ControlID": "Azure_DBForPostgreSQLFlexibleServer_DP_Use_Secure_TLS_Version",
      "Description": "Use approved version of TLS for Azure Database for PostgreSQL Flexible Servers",
      "Id": "DBForPostgreSQLFS110",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckPostgreSQLTLSVersion",
      "DisplayName": "Use approved version of TLS for Azure Database for PostgreSQL Flexible Servers",
      "Category": "Encrypt data in transit",
      "ControlRequirements": "Data must be encrypted in transit and at rest",
      "Rationale": "TLS provides confidentiality and data integrity between client and server. Using an approved TLS version significantly reduces the risk from security design issues and security bugs that may be present in older versions.",
      "Recommendation": "To remediate this control, secure transport for client communication must be enabled and the minimum TLS version must be 1.2 or greater. To configure secure transport for client communication, go to Azure Portal --> Azure Database for PostgreSQL flexible server --> Select server --> Settings --> Server parameters --> search 'require_secure_transport' --> set parameter 'require_secure_transport' to 'ON' --> Click 'Save'. To update the minimum TLS version, under Server parameters --> search 'ssl_min_protocol_version' --> set parameter 'ssl_min_protocol_version' to 'TLSV1.2' or 'TLSV1.3' --> Click 'Save'.",
      "Tags": [
        "DP",
        "Baseline"
      ],
      "Enabled": true,
      "CustomTags": [
        "Daily",
        "SN:PostgreSQL_FlexibleServer_TLS",
        "TenantBaseline",
        "TBv13"
      ],
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "SSLEnforcement",
          "MinTLSVersion",
          "ServerParameters"
        ]
      },
      "ControlSettings": {
        "MinReqTLSVersion": "1.2"
      }
    }
  ]
}