Azure Introduction
Azure Pricing
Azure Threats
Unrestricted PostgreSQL Database Access
More Info:
Ensure that your Microsoft Azure network security groups (NSGs) allow inbound/ingress access on TCP port 5432 to trusted IP addresses only, in order to implement the principle of least privilege and greatly reduce the attack surface. TCP port 5432 is used by the PostgreSQL Database Server, an object-relational database management system (RDBMS) server developed by PostgreSQL Global Development Group.
Risk Level
High
Address
Security
Compliance Standards
SOC2, GDPR, ISO27001, HIPAA, CISAZURE, CBP, NISTCSF, PCIDSS, FedRAMP
Triage and Remediation
Remediation
Sure, here are the step-by-step instructions to remediate the unrestricted PostgreSQL database access misconfiguration in Azure using the Azure console:
-
Login to the Azure portal (https://portal.azure.com/).
-
Navigate to the “Azure Database for PostgreSQL servers” service.
-
Select the PostgreSQL server that you want to remediate.
-
Click on the “Firewalls and virtual networks” option from the left-hand menu.
-
Under the “Firewall Rules” section, click on the “Add client IP” button to add a new firewall rule.
-
You can also specify a specific IP address range or subnet that is allowed to access the PostgreSQL database. To do this, click on the “Add existing virtual network” option and select the virtual network and subnet that you want to allow access from.
-
Once you have added the required firewall rules, click on the “Save” button to apply the changes.
-
Finally, make sure to review the other security-related settings for your PostgreSQL server, such as SSL/TLS encryption, access policies, and authentication methods, to ensure that your database is properly secured.
By following these steps, you can remediate the unrestricted PostgreSQL database access misconfiguration in Azure using the Azure console.
To remediate the unrestricted PostgreSQL database access misconfiguration in Azure using Azure CLI, follow these steps:
-
Open the Azure CLI and login to your Azure account.
-
Identify the PostgreSQL server that has unrestricted access. You can use the following command to list all the PostgreSQL servers in your Azure account:
az postgres server list
-
Once you have identified the server, get the resource group name and the server name. You will need these details to apply the remediation steps.
-
Use the following command to update the firewall rules of the PostgreSQL server to allow access only from specific IP addresses or ranges:
az postgres server firewall-rule create --resource-group <resource-group-name> --server <server-name> --name <firewall-rule-name> --start-ip-address <start-ip-address> --end-ip-address <end-ip-address>
Replace the
<resource-group-name>
,<server-name>
,<firewall-rule-name>
,<start-ip-address>
and<end-ip-address>
placeholders with the actual values.For example, to allow access only from the IP range 10.0.0.0/24, use the following command:
az postgres server firewall-rule create --resource-group my-resource-group --server my-postgres-server --name my-firewall-rule --start-ip-address 10.0.0.0 --end-ip-address 10.0.0.255
-
Verify that the firewall rule has been applied by listing the firewall rules for the PostgreSQL server using the following command:
az postgres server firewall-rule list --resource-group <resource-group-name> --server <server-name>
Replace the
<resource-group-name>
and<server-name>
placeholders with the actual values.For example, to list the firewall rules for the server “my-postgres-server” in the resource group “my-resource-group”, use the following command:
az postgres server firewall-rule list --resource-group my-resource-group --server my-postgres-server
-
Once you have verified that the firewall rule has been applied, you have successfully remediated the unrestricted PostgreSQL database access misconfiguration in Azure.
To remediate the unrestricted PostgreSQL database access issue in Azure using Python, you can follow the below steps:
Step 1: First, you need to identify the PostgreSQL database that has unrestricted access. You can use the Azure CLI command to list all the PostgreSQL servers in your Azure account.
az postgres server list
Step 2: Once you have identified the PostgreSQL server, you need to update the firewall rules to restrict the access to the database. You can use the Azure SDK for Python to update the firewall rules.
from azure.mgmt.postgresql import PostgreSQLManagementClient
from azure.mgmt.resource import ResourceManagementClient
from azure.common.credentials import ServicePrincipalCredentials
# Set the credentials
subscription_id = '<your-subscription-id>'
credentials = ServicePrincipalCredentials(
client_id='<your-client-id>',
secret='<your-client-secret>',
tenant='<your-tenant-id>'
)
# Set the resource group and server name
resource_group_name = '<your-resource-group-name>'
server_name = '<your-server-name>'
# Create the management client
postgres_client = PostgreSQLManagementClient(credentials, subscription_id)
# Get the resource client
resource_client = ResourceManagementClient(credentials, subscription_id)
# Get the server
server = postgres_client.servers.get(resource_group_name, server_name)
# Update the firewall rules
firewall_rule = server.firewall_rules[0]
firewall_rule.start_ip_address = '<your-start-ip-address>'
firewall_rule.end_ip_address = '<your-end-ip-address>'
# Update the firewall rule
postgres_client.servers.firewall_rules.create_or_update(
resource_group_name,
server_name,
firewall_rule.name,
firewall_rule
)
Step 3: Replace <your-start-ip-address>
and <your-end-ip-address>
with the appropriate IP address range that you want to allow access to the PostgreSQL server.
Step 4: Run the Python script to update the firewall rules.
This will remediate the unrestricted PostgreSQL database access issue in Azure.