Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Enable Infrastructure Double Encryption for Single Servers

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: PostgreSQL-012

Ensure that infrastructure double encryption is enabled for your Single Server Azure PostgreSQL database servers in order to add a second layer of encryption for your PostgreSQL databases using a different encryption algorithm which provides enhanced data protection.

This rule resolution is part of the Conformity solution.

Security

The storage used for Azure PostgreSQL databases and backups is encrypted by default with cloud service managed keys. Infrastructure double encryption is an additional encryption layer that is configured to use a secondary service managed key. When infrastructure double encryption is enabled for a PostgreSQL database server, another layer of encryption is implemented at the hardware level before the storage or the network level. This means that your PostgreSQL data is encrypted before it is even accessed, preventing both interception of data in motion if the network layer encryption is broken and data at rest in system resources such as memory or CPU cache.

Audit

To determine if infrastructure double encryption is enabled for your Azure PostgreSQL Single Server, perform the following actions:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure cloud resources.

03 From the Type filter box, select Equals, choose Azure Database for PostgreSQL single server, and select Apply to list the PostgreSQL servers available within your Azure account.

04 Click on the name (link) of the PostgreSQL database server that you want to examine.

05 In the navigation panel, under Settings, select Data encryption to access the data encryption settings available for the selected server.

06 On the Data encryption page, check the configuration status of the Infrastructure double encryption feature. If the feature status is not displayed on the Data encryption page, infrastructure double encryption is not enabled for the selected Azure PostgreSQL database server.

07 Repeat steps no. 4 – 6 for each PostgreSQL database server provisioned in the current Azure subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run postgres server list command (Windows/macOS/Linux) using custom query filters to list the name of each PostgreSQL database server (and the name of the associated resource group) available within the current Azure subscription: 

az postgres server list
  --output table
  --query '[*].{name:name, resourceGroup:resourceGroup}'

02 The command output should return a table with requested PostgreSQL server information: 

Name                ResourceGroup
------------------  ------------------------------
cc-project5-server  cloud-shell-storage-westeurope

03 Run postgres server show command (Windows/macOS/Linux) using the name of the Azure PostgreSQL server that you want to examine and its associated resource group as the identifier parameters, to describe the configuration status of the infrastructure double encryption feature available for the selected database server: 

az postgres server show
  --name "cc-project5-server"
  --resource-group "cloud-shell-storage-westeurope"
  --query 'infrastructureEncryption'

04 The command output should return the requested configuration status: 

"Disabled"

If the postgres server show command output returns "Disabled", the infrastructure double encryption security feature is not enabled for the selected Azure PostgreSQL database server.

05 Repeat steps no. 3 and 4 for each Azure PostgreSQL server available in the selected subscription.

06 Repeat steps no. 1 – 5 for each subscription available within your Microsoft Azure cloud account.

Remediation / Resolution

To enable the infrastructure double encryption feature for your Azure PostgreSQL single servers, you have to re-create the existing database servers with the appropriate configuration, by performing the following actions:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to Azure Database for PostgreSQL servers blade at https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.DBforPostgreSQL%2Fservers to access the PostgreSQL servers available in your Azure account.

03 Click on the name (link) of the PostgreSQL server that you want to re-create and collect all the necessary configuration information available for the selected cloud resource.

04 Choose + Create from the console top menu to initiate the server setup process:

  1. On the Select Azure Database for PostgreSQL deployment option page, choose Single server, then select Create to launch a new single PostgreSQL database server. In the Consider creating Flexible server dialog box, choose No – Create single server to proceed.
  2. On the Basics panel, perform the following operations:
    • Select the subscription and resource group that will manage your new PostgreSQL database server.
    • Provide a unique name for the database server in the Server name box.
    • For Location, choose the Azure region where the new database server will be created.
    • For Version, select the latest major version of the PostgreSQL database engine.
    • For Compute + storage, choose Configure server to select the right server configuration. Must match the configuration information collected at step no. 3.
    • For Administrator account, provide the admin username and password for your new server.
    • Choose Next : Additional settings > to continue the setup process.
  3. On the Additional settings panel, under Data encryption, select the Infrastructure double encryption enabled checkbox to enable the infrastructure double encryption feature for your new PostgreSQL database server. Enabling this feature can impact the database performance. In the confirmation box, choose Continue to confirm the activation. Choose Next : Tags > to continue the server setup.
  4. On the Tags panel, set any necessary tags for the cloud resource, then choose Next : Review + create > to continue.
  5. On the Review + create panel, review the server configuration, then choose Create to launch your new Azure PostgreSQL database server.

05 Once the new Azure PostgreSQL database server is provisioned, migrate your PostgreSQL database from the source server to the destination (new) server using the PostgreSQL dump and restore operations.

06 (Optional) You can remove the source server in order to stop adding charges to your Azure bill. Navigate back to the Azure Database for PostgreSQL servers page, click on the name of the database server that you want to delete, then choose Delete from the Overview blade top menu to initiate the removal process. On the Delete <server-name> confirmation panel, select the I have read and understand that this server, as well as any databases it contains, will be deleted checkbox, then choose Delete to remove the selected PostgreSQL server from your Azure account.

07 Repeat steps no. 3 – 6 for each PostgreSQL database server provisioned in the selected subscription.

08 Repeat steps no. 2 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run postgres server show command (Windows/macOS/Linux) using the name of the Azure PostgreSQL database server that you want to re-create as the identifier parameter, to describe the configuration information available for the selected server: 

az postgres server show
  --name "cc-project5-server"
  --resource-group "cloud-shell-storage-westeurope"

02 The command output should return the requested configuration information. This information will be useful later when the new PostgreSQL database server will be created: 

{
  "administratorLogin": "ccadminlogin",
  "earliestRestoreDate": "2022-07-20T10:00:00.597000+00:00",
  "fullyQualifiedDomainName": "cc-project5-server.postgres.database.azure.com",
  "name": "cc-project5-server",
  "replicaCapacity": 5,
  "resourceGroup": "cloud-shell-storage-westeurope",
  "sku": {
    "capacity": 2,
    "family": "Gen5",
    "name": "GP_Gen5_2",
    "size": null,
    "tier": "GeneralPurpose"
  },

  ...

  "sslEnforcement": "Enabled",
  "storageProfile": {
    "backupRetentionDays": 7,
    "geoRedundantBackup": "Disabled",
    "storageAutogrow": "Enabled",
    "storageMb": 20480
  },
  "tags": {},
  "type": "Microsoft.DBforPostgreSQL/servers",
  "userVisibleState": "Ready",
  "version": "11"
}

03 Run postgres server create command (Windows/macOS/Linux) using the source PostgreSQL server configuration information returned at the previous step as the command parameter data, to create a new Azure PostgreSQL database server, configured to support infrastructure double encryption: 

az postgres server create
  --name cc-postgres-encrypted-server
  --resource-group cloud-shell-storage-westeurope
  --sku-name GP_Gen5_2
  --version 11
  --storage-size 20480
  --backup-retention 7
  --location westeurope
  --admin-user admin_username
  --admin-password admin_password
  --infrastructure-encryption Enabled

04 The command output should return the information available for the new PostgreSQL database server: 

{
  "administratorLogin": "admin_username",
  "earliestRestoreDate": "2022-07-25T10:00:00.597000+00:00",
  "fullyQualifiedDomainName": "cc-postgres-encrypted-server.postgres.database.azure.com",
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DBforPostgreSQL/servers/cc-postgres-encrypted-server",
  "location": "westeurope",
  "masterServerId": "",
  "name": "cc-postgres-encrypted-server",
  "replicaCapacity": 5,
  "replicationRole": "None",
  "resourceGroup": "cloud-shell-storage-westeurope",
  "sku": {
    "capacity": 2,
    "family": "Gen5",
    "name": "GP_Gen5_2",
    "size": null,
    "tier": "GeneralPurpose"
  },
  "storageProfile": {
    "backupRetentionDays": 7,
    "geoRedundantBackup": "Enabled",
    "storageAutogrow": "Enabled",
    "storageMb": 20480
  },
  "tags": null,
  "type": "Microsoft.DBforPostgreSQL/servers",
  "userVisibleState": "Ready",
  "version": "11"
}

05 Once the new Azure PostgreSQL database server is provisioned, migrate your PostgreSQL database from the source server to the destination (new) server using the PostgreSQL dump and restore operations.

06 (Optional) You can remove the source server in order to stop adding charges to your Azure bill. Run postgres server delete command (Windows/macOS/Linux) using the name of the database server that you want to delete as the identifier parameter, to remove the selected PostgreSQL resource from your Azure account: 

az postgres server delete
  --name "cc-project5-server"
  --resource-group "cloud-shell-storage-westeurope"

07 The postgres server delete command request should ask for your confirmation. Press y to confirm: 

Are you sure you want to perform this operation? (y/n):

08 Repeat steps no. 1 – 7 for each PostgreSQL database server deployed in the current Azure subscription.

09 Repeat steps no. 1 – 8 for each subscription created within your Microsoft Azure cloud account.

References

Publication date Aug 3, 2022

Related PostgreSQL rules