Cloud Custodian Policies for CIS Microsoft Azure Foundations Benchmark (Part 2)

CIS Azure Foundations Benchmark v1.4.0 (11-26-2021)

We continue writing Cloud Custodian policies for the CIS Benchmark controls, picking up at section 4.3.

4.3 PostgreSQL Database Server

4.3.1 Ensure ‘Enforce SSL connection’ is set to ‘ENABLED’ for PostgreSQL Database Server (Automated)

policies:
  - name: cis-postgresql-ssl-connection-not-enabled
    resource: azure.postgresql-server
    description: |
      Identify PostgreSQL Database Servers where SSL connection enforcement
      is not enabled. This policy runs every Sunday at 8:55AM UTC.
    filters:
      # Custodian exposes ARM properties under the nested `properties` object,
      # so the key is `properties.sslEnforcement` (values: Enabled / Disabled).
      # `ne` also matches servers where the key is absent, which is the safe direction.
      - type: value
        key: properties.sslEnforcement
        op: ne
        value: Enabled
    mode:
      # NCRONTAB format (second minute hour day month day-of-week): 08:55 UTC on Sundays
      type: azure-periodic
      schedule: 0 55 8 * * 0
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}

4.3.2 Ensure server parameter ‘log_checkpoints’ is set to ‘ON’ for PostgreSQL Database Server (Automated) Level 1

policies:
  - name: cis-postgresql-log-checkpoints-not-enabled
    resource: azure.postgresql-server
    description: |
      Identify PostgreSQL Database Servers where the log_checkpoints server
      parameter is not enabled. This policy runs every Sunday at 8:55AM UTC.
    filters:
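To make the two checks above concrete before deploying them, the following Python is an added example (not code from the post or from the Cloud Custodian project). It re-implements the dotted-key and `op` semantics of a Custodian `value` filter over constructed ARM-style server records, and evaluates the 4.3.2 condition against constructed server-parameter data, since Azure exposes `log_checkpoints` as a server configuration rather than a top-level server property. All server names, values and helper functions are hypothetical; Cloud Custodian itself is not imported, so the block runs offline.

```python
"""Evaluate CIS Azure 4.3.1 / 4.3.2 conditions over constructed resources.

Added example, not part of the original post. Mimics the key-path and
operator behaviour of a Cloud Custodian `value` filter so the reader can
see exactly which servers a policy would select.
"""
import operator
from typing import Any, Dict, List, Optional

# Constructed sample: PostgreSQL servers as Custodian sees them (ARM JSON
# with a nested `properties` object). Names are hypothetical.
SERVERS: List[Dict[str, Any]] = [
    {"name": "pg-prod-01", "properties": {"sslEnforcement": "Enabled"}},
    {"name": "pg-dev-02", "properties": {"sslEnforcement": "Disabled"}},
    {"name": "pg-legacy-03", "properties": {}},  # key absent entirely
]

# Constructed sample: server parameters (Azure "configurations" child
# resources), keyed by server name. Values are strings, as Azure returns them.
CONFIGURATIONS: Dict[str, Dict[str, str]] = {
    "pg-prod-01": {"log_checkpoints": "on"},
    "pg-dev-02": {"log_checkpoints": "off"},
    "pg-legacy-03": {},  # parameter never returned
}

# Subset of Custodian value-filter operators used by the policies on this page.
OPS = {"eq": operator.eq, "ne": operator.ne}


def get_path(resource: Dict[str, Any], key: str) -> Optional[Any]:
    """Resolve a dotted key such as 'properties.sslEnforcement'.

    Returns None when any segment is missing, matching the behaviour that
    makes an `op: ne` filter select resources without the key.
    """
    cur: Any = resource
    for part in key.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def value_filter(resources: List[Dict[str, Any]], key: str, op: str, value: Any) -> List[Dict[str, Any]]:
    """Keep resources for which op(actual_value, expected_value) holds."""
    test = OPS[op]
    return [r for r in resources if test(get_path(r, key), value)]


def cis_4_3_1_findings(servers: List[Dict[str, Any]]) -> List[str]:
    """Servers where 'Enforce SSL connection' is not Enabled (CIS 4.3.1)."""
    flagged = value_filter(servers, "properties.sslEnforcement", "ne", "Enabled")
    return [r["name"] for r in flagged]


def cis_4_3_2_findings(servers: List[Dict[str, Any]], configs: Dict[str, Dict[str, str]]) -> List[str]:
    """Servers where the log_checkpoints parameter is not 'on' (CIS 4.3.2).

    A missing parameter is treated as a finding: absence of evidence that
    checkpoint logging is on should not pass a compliance check.
    """
    findings = []
    for r in servers:
        val = configs.get(r["name"], {}).get("log_checkpoints")
        if val is None or val.strip().lower() != "on":
            findings.append(r["name"])
    return findings


if __name__ == "__main__":
    print("4.3.1 findings:", cis_4_3_1_findings(SERVERS))
    print("4.3.2 findings:", cis_4_3_2_findings(SERVERS, CONFIGURATIONS))
```

Note the treatment of the absent key: with `op: ne` the comparison against `None` is true, so a server that never reports `sslEnforcement` is flagged rather than silently passing. That is the behaviour you want from a compliance filter, and it is why `ne: Enabled` is preferable to `eq: Disabled` in the 4.3.1 policy.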

Written by Aakif Shaikh, CISSP, CEH, CHFI, CISA, GWAPT

Over 18 years of experience in a wide variety of technical domains within information security including information assurance, compliance, and risk management.