
Enable In-Transit Encryption for MySQL Servers

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: MySQL-001

Ensure that Microsoft Azure MySQL server data is encrypted in transit in order to meet security and compliance requirements. In-transit data encryption helps prevent unauthorized users from reading sensitive data available on your MySQL databases.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

When working with production data, it is strongly recommended to enable in-transit encryption by enforcing Secure Sockets Layer (SSL) connections between MySQL database servers and client applications. This protects data on the wire against Man-In-the-Middle (MITM) attacks and fulfills your organization's compliance requirements for in-transit encryption. For example, a common compliance requirement is to protect sensitive data that could identify a specific individual, such as Personally Identifiable Information (PII), which is routinely handled in the Financial Services, Healthcare and Telecommunications sectors.


Audit

To determine in-transit encryption configuration for your Azure MySQL database servers, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 From the Type filter box, select Azure Database for MySQL server to list only the MySQL servers available in your Azure account.

04 Click on the name of the MySQL database server that you want to examine.

05 In the navigation panel, under Settings, select Connection security to access the connection security settings for the selected MySQL server.

06 On the Connection security configuration page, in the SSL settings section, check the Enforce SSL connection status. If the setting status is set to DISABLED, in-transit encryption is not enabled for the selected Microsoft Azure MySQL server.

07 Repeat steps no. 4 – 6 for each MySQL database server available in the current Azure subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the mysql server list command (Windows/macOS/Linux) with a custom query filter to list the identifier of each MySQL server provisioned in the current Azure subscription:

az mysql server list \
  --query '[*].id'

02 The command output should return the requested MySQL server identifiers:

[
"/subscriptions/abcdabcd-abcd-1234-abcd-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DBforMySQL/servers/cc-mysql-db-server",
"/subscriptions/abcdabcd-abcd-1234-abcd-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DBforMySQL/servers/cc-development-server",
"/subscriptions/abcdabcd-abcd-1234-abcd-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DBforMySQL/servers/cc-wordpress-server"
]

03 Run the mysql server show command (Windows/macOS/Linux) using the ID of the Azure MySQL server that you want to examine as the identifier parameter and a custom query filter to get the "Enforce SSL connection" setting status for the selected server:

az mysql server show \
  --ids /subscriptions/abcdabcd-abcd-1234-abcd-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DBforMySQL/servers/cc-mysql-db-server \
  --query sslEnforcement

04 The command output should return the requested configuration setting status:

"Disabled"

If the mysql server show command output returns "Disabled", as shown in the example above, in-transit encryption using Secure Sockets Layer (SSL) is not enabled for the selected Microsoft Azure MySQL database server.

05 Repeat steps no. 3 and 4 for each Azure MySQL server provisioned in the selected subscription.

06 Repeat steps no. 1 – 5 for each subscription available within your Microsoft Azure cloud account.

Remediation / Resolution

To enable in-transit encryption by enforcing SSL connections between your MySQL database servers and client applications, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 From the Type filter box, select Azure Database for MySQL server to list only the MySQL servers available in your Azure account.

04 Click on the name of the MySQL server that you want to reconfigure (see Audit section part I to identify the right Azure resource).

05 In the navigation panel, under Settings, select Connection security to access the connection security settings for the selected MySQL database server.

06 On the Connection security configuration page, in the SSL settings section, select ENABLED next to Enforce SSL connection setting to enable in-transit encryption for the selected Azure MySQL database server.

07 Click Save to apply the configuration changes.

08 Repeat steps no. 4 – 7 for each MySQL database server available within the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI and PowerShell

01 Run the mysql server update command (Windows/macOS/Linux) using the ID of the Azure MySQL server that you want to reconfigure as the identifier parameter (see Audit section part II to identify the right MySQL resource) to enable in-transit encryption for the selected database server by setting the --ssl-enforcement parameter to Enabled:

az mysql server update \
  --ids /subscriptions/abcdabcd-abcd-1234-abcd-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DBforMySQL/servers/cc-mysql-db-server \
  --ssl-enforcement Enabled

02 The command output should return the metadata for the reconfigured Azure MySQL server:

{
  "earliestRestoreDate": "2019-07-25T09:37:29.653000+00:00",
  "fullyQualifiedDomainName": "cc-mysql-db-server.mysql.database.azure.com",
  "location": "westeurope",
  "masterServerId": "",
  "name": "cc-mysql-db-server",
  "resourceGroup": "cloud-shell-storage-westeurope",

  ...

  "sslEnforcement": "Enabled",
  "storageProfile": {
    "backupRetentionDays": 30,
    "geoRedundantBackup": "Disabled",
    "storageAutoGrow": "Disabled",
    "storageAutogrow": null
  },
  "type": "Microsoft.DBforMySQL/servers",
  "userVisibleState": "Ready",
  "version": "5.7"
}

03 Repeat steps no. 1 and 2 for each MySQL database server available in the selected subscription.

04 Repeat steps no. 1 – 3 for each subscription created within your Microsoft Azure cloud account.
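As an added example (not code from the Conformity page or from Microsoft's tooling), the following script automates both the CLI audit above and this remediation across every subscription. It is built on the az commands the page uses, assumes a signed-in CLI for the --live mode, and carries a constructed TSV sample (fake subscription id) so the filter can be exercised offline.

```shell
#!/usr/bin/env bash
# Added example: flag every Azure Database for MySQL server whose
# sslEnforcement is not "Enabled", then optionally enforce SSL on it.
set -eu

# Filter "<server id><TAB><sslEnforcement>" rows, the shape produced by
# `az mysql server list --query '[].[id,sslEnforcement]' -o tsv`, down to
# the ids that still accept unencrypted connections.
find_unencrypted() {
    awk -F'\t' 'NF >= 2 && $2 != "Enabled" { print $1 }'
}

# List the MySQL servers of the subscription currently selected in the CLI.
list_servers_tsv() {
    az mysql server list --query '[].[id,sslEnforcement]' -o tsv
}

# Apply the page's remediation command to one server; with DRY_RUN=1 the
# command is printed instead of executed.
enforce_ssl() {
    id="$1"
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "would run: az mysql server update --ids $id --ssl-enforcement Enabled"
    else
        az mysql server update --ids "$id" --ssl-enforcement Enabled \
            --query sslEnforcement -o tsv
    fi
}

# Audit steps 1-5 of the page, repeated for every subscription (step 6).
audit_all_subscriptions() {
    for sub in $(az account list --query '[].id' -o tsv); do
        az account set --subscription "$sub"
        list_servers_tsv | find_unencrypted
    done
}

# Constructed sample output (fake subscription id, not real data) so the
# filter can be run without an Azure login.
sample_tsv() {
    printf '%s\t%s\n' \
        '/subscriptions/0000/resourceGroups/rg/providers/Microsoft.DBforMySQL/servers/cc-mysql-db-server' Disabled \
        '/subscriptions/0000/resourceGroups/rg/providers/Microsoft.DBforMySQL/servers/cc-development-server' Enabled \
        '/subscriptions/0000/resourceGroups/rg/providers/Microsoft.DBforMySQL/servers/cc-wordpress-server' Disabled
}

# Usage: --sample for an offline dry run, --live to audit the signed-in account.
case "${1:-}" in
    --sample) sample_tsv | find_unencrypted | while read -r id; do DRY_RUN=1 enforce_ssl "$id"; done ;;
    --live) audit_all_subscriptions ;;
esac
```

Pipe the --live output into enforce_ssl only after reviewing it, since enforcing SSL immediately breaks clients that still connect in plaintext.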


Publication date Jul 29, 2019