Policy Templates for Azure
For instructions on how to find Policy templates that are new or updated due to changed recommendations, see Find New and Updated Policy Templates.
For a list of Policy Templates that have been deprecated, see Policy Templates for Azure - DEPRECATED.
To find the Policy Templates for Azure CIS versions v1.0.0 to v1.5.0, see Policy Templates for Azure - CIS Version v1.0.0 to v1.5.0.
Azure CIS version v2.0.0 onwards
This table lists the Policy Templates provided for use with Azure CIS version v2.0.0 onwards. SSE 6.3.1 supports Azure CIS version v2.0.0. The CIS recommendation number for each template is shown in the column for its profile level (Level 1 or Level 2).
Policy Name | Resource/Entity Type | CISv2.0.0 Level 1 | CISv2.0.0 Level 2 | Policy Description |
---|---|---|---|---|
Soft delete and purge protection should be enabled on Key vaults | Key Vaults | 8.5 | | It is recommended that the Key Vault be made recoverable by enabling both the "Soft Delete" and the "Do Not Purge" (purge protection) functions. This prevents the loss of data that depends on Key Vault objects (keys, secrets, certificates), such as encrypted storage accounts, SQL databases and dependent services, whether the vault is deleted accidentally by a user or deliberately by a malicious user. Soft delete alone is not sufficient, because a soft-deleted vault can still be purged unless purge protection is also on. |
PostgreSQL Database Server should enable Log checkpoints | PostgreSQL Database Server | 4.3.2 | | Enabling log_checkpoints makes the PostgreSQL server write an entry to the server log for each checkpoint. Access to the transaction (write-ahead) logs themselves is not supported on Azure Database for PostgreSQL. The query and error logs can be used to identify, troubleshoot and repair configuration errors and sub-optimal performance. |
Web app should use latest version of TLS encryption | AppService | 9.3 | | The TLS (Transport Layer Security) protocol secures data transmission over the internet using standard encryption technology. The minimum TLS version should be set to the latest version supported. App Service sets TLS 1.2 as the default minimum version, which is the minimum level required by industry standards such as PCI DSS; an app explicitly set to 1.0 or 1.1 fails this policy. |
Web app should enable client certificates | AppService | | 9.4 | Client certificates (Incoming client certificates) make the app require a certificate on incoming requests. Only clients that present a valid certificate can access the app. |
Web app should use latest HTTP version | AppService | 9.9 | | Newer versions of HTTP are released periodically, either to address security flaws or to add functionality. Use the latest HTTP version (HTTP 2.0 in the App Service "HTTP version" setting) for web apps to benefit from security fixes, if any, and from the new functionality in the newer version. |
PostgreSQL Database Flexible Server should enable Log checkpoints | PostgreSQL Database Flexible Server | 4.3.2 | | Enabling log_checkpoints makes the PostgreSQL server write an entry to the server log for each checkpoint. Access to the transaction (write-ahead) logs themselves is not supported on Azure Database for PostgreSQL. The query and error logs can be used to identify, troubleshoot and repair configuration errors and sub-optimal performance. |
PostgreSQL Database Server should enable log connections | PostgreSQL Database Server | 4.3.3 | | Enabling log_connections makes the PostgreSQL server log each attempted connection to the server, as well as the successful completion of client authentication. This log data can be used to identify, troubleshoot and repair configuration errors and sub-optimal performance, and to spot unexpected connection sources. |
PostgreSQL Database Server should enable log disconnections | PostgreSQL Database Server | 4.3.4 | | Enabling log_disconnections makes the PostgreSQL server log the end of each session, including its duration. The query and error logs can be used to identify, troubleshoot and repair configuration errors and sub-optimal performance. |
PostgreSQL Database Server should enable throttling connection | PostgreSQL Database Server | 4.3.5 | | Enabling connection_throttling makes the PostgreSQL server temporarily throttle connection attempts from an IP address after too many failed logins. This limits password guessing and the exhaustion of connection resources by concurrent connections, which could otherwise lead to a successful Denial of Service (DoS); a system can also fail or be degraded by an overload of legitimate users. The related query and error logs can be used to identify, troubleshoot and repair configuration errors and sub-optimal performance. |
PostgreSQL Database Server should have greater than 3 log retention days | PostgreSQL Database Server | 4.3.6 | | The log_retention_days parameter sets the number of days for which Azure Database for PostgreSQL retains log files; it should be greater than 3 so that logs are still available when an incident is investigated. The query and error logs can be used to identify, troubleshoot and repair configuration errors and sub-optimal performance. |
PostgreSQL Database Server should enable Enforce SSL connection | PostgreSQL Database Server | 4.3.1 | | SSL/TLS connectivity adds a layer of security by encrypting the connection between the database server and client applications. Enforcing SSL connections between the database server and client applications protects against "man in the middle" attacks by encrypting the data stream between the server and the application, so that credentials and query data cannot be read or altered in transit. |
Function app should use latest version of TLS encryption | AppService | 9.3 | | The TLS (Transport Layer Security) protocol secures data transmission over the internet using standard encryption technology. The minimum TLS version should be set to the latest version supported. App Service sets TLS 1.2 as the default minimum version, which is the minimum level required by industry standards such as PCI DSS; an app explicitly set to 1.0 or 1.1 fails this policy. |
Function app should enable client certificates | AppService | | 9.4 | Client certificates (Incoming client certificates) make the app require a certificate on incoming requests. Only clients that present a valid certificate can access the app. |
Function app should use latest HTTP version | AppService | 9.9 | | Newer versions of HTTP are released periodically, either to address security flaws or to add functionality. Use the latest HTTP version (HTTP 2.0 in the App Service "HTTP version" setting) for function apps to benefit from security fixes, if any, and from the new functionality in the newer version. |
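The checks in the table above, expressed as code so that the pass/fail logic of each template is explicit. This is an added example, not code from the original page or from the product it documents. The property names (enableSoftDelete, sslEnforcement, minTlsVersion, clientCertEnabled, http20Enabled and the PostgreSQL server parameters) follow the resource JSON returned by the Azure CLI for these resource types; the inventory at the bottom is constructed by hand for illustration, not captured from a real subscription.

```python
"""Evaluate the Azure CIS v2.0.0 checks from the table above against resource JSON.

Added example; not code from the original page or the product it documents.
Property names follow the Azure CLI resource JSON (`az keyvault show`,
`az postgres server show` / `configuration list`, `az webapp show` / `config show`).
SAMPLE_INVENTORY below is constructed, not real.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    resource: str
    cis_id: str
    passed: bool
    detail: str


def _tls_tuple(version):
    """'1.2' -> (1, 2); a missing or malformed value sorts below every real version."""
    try:
        return tuple(int(p) for p in str(version).split("."))
    except ValueError:
        return (0,)


def check_key_vault(kv):
    """8.5: soft delete AND purge protection; soft delete alone still allows a purge."""
    props = kv.get("properties", {})
    soft, purge = props.get("enableSoftDelete"), props.get("enablePurgeProtection")
    return [Finding(kv["name"], "8.5", bool(soft) and bool(purge),
                    f"enableSoftDelete={soft} enablePurgeProtection={purge}")]


def check_postgres(server):
    """4.3.1-4.3.6 for a single server; 'configurations' maps parameter name -> value."""
    name, cfg = server["name"], server.get("configurations", {})
    ssl = server.get("sslEnforcement")
    out = [Finding(name, "4.3.1", ssl == "Enabled", f"sslEnforcement={ssl}")]
    for cis_id, param in (("4.3.2", "log_checkpoints"), ("4.3.3", "log_connections"),
                          ("4.3.4", "log_disconnections"), ("4.3.5", "connection_throttling")):
        value = cfg.get(param)
        out.append(Finding(name, cis_id, str(value).lower() == "on", f"{param}={value}"))
    days = cfg.get("log_retention_days")
    try:
        retained = int(days) > 3          # the benchmark wants strictly more than 3 days
    except (TypeError, ValueError):
        retained = False                  # unset or non-numeric is never compliant
    out.append(Finding(name, "4.3.6", retained, f"log_retention_days={days}"))
    return out


def check_app_service(app, min_tls="1.2"):
    """9.3, 9.4, 9.9 for a web app or function app (both are Microsoft.Web/sites)."""
    name, site = app["name"], app.get("siteConfig", {})
    tls, cert, http2 = site.get("minTlsVersion"), app.get("clientCertEnabled"), site.get("http20Enabled")
    return [
        Finding(name, "9.3", _tls_tuple(tls) >= _tls_tuple(min_tls), f"minTlsVersion={tls}"),
        Finding(name, "9.4", bool(cert), f"clientCertEnabled={cert}"),
        Finding(name, "9.9", bool(http2), f"http20Enabled={http2}"),
    ]


CHECKS = {
    "Microsoft.KeyVault/vaults": check_key_vault,
    "Microsoft.DBforPostgreSQL/servers": check_postgres,
    "Microsoft.Web/sites": check_app_service,
}


def evaluate(inventory):
    """Run every applicable check over a list of resource dicts; unknown types are skipped."""
    findings = []
    for res in inventory:
        findings.extend(CHECKS.get(res["type"], lambda r: [])(res))
    return findings


def failed(inventory):
    """Set of (resource name, CIS id) pairs that are non-compliant."""
    return {(f.resource, f.cis_id) for f in evaluate(inventory) if not f.passed}


# Constructed sample inventory (hypothetical resources, not from a real subscription).
SAMPLE_INVENTORY = [
    {"type": "Microsoft.KeyVault/vaults", "name": "kv-prod",
     "properties": {"enableSoftDelete": True, "enablePurgeProtection": False}},
    {"type": "Microsoft.DBforPostgreSQL/servers", "name": "pg-prod", "sslEnforcement": "Disabled",
     "configurations": {"log_checkpoints": "on", "log_connections": "off", "log_disconnections": "on",
                        "connection_throttling": "on", "log_retention_days": "3"}},
    {"type": "Microsoft.Web/sites", "name": "web-prod", "clientCertEnabled": False,
     "siteConfig": {"minTlsVersion": "1.0", "http20Enabled": True}},
    {"type": "Microsoft.Web/sites", "name": "func-prod", "clientCertEnabled": True,
     "siteConfig": {"minTlsVersion": "1.2", "http20Enabled": True}},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_INVENTORY):
        print(f"{'PASS' if f.passed else 'FAIL'} {f.cis_id:6} {f.resource:10} {f.detail}")
```

Running the block prints one PASS/FAIL line per finding: the sample vault fails 8.5 because purge protection is off even though soft delete is on, the PostgreSQL server fails 4.3.1, 4.3.3 and 4.3.6 (retention of exactly 3 days is not "greater than 3"), and the web app fails 9.3 and 9.4 while the function app passes everything. To run it against real resources, build the inventory from the Azure CLI JSON for each resource type and feed it to evaluate().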