Ensure PostgreSQL Flexible Server is configured with private endpoint
Description
This policy checks whether a PostgreSQL Flexible Server in Azure is configured with a private endpoint. Configuring a private endpoint ensures that the database server is not exposed to the public internet, reducing the risk of unauthorized access. This is important because publicly accessible databases can be vulnerable to attacks, such as SQL injection and data breaches. By using a private endpoint, access to the database is restricted to resources within the virtual network, improving the overall security posture.
Code Example
```terraform
# The private_service_connection block is a required part of the
# azurerm_private_endpoint resource itself (there is no separate
# azurerm_private_endpoint_connection resource for it). The private-link
# sub-resource name for Azure Database for PostgreSQL is "postgresqlServer".
resource "azurerm_private_endpoint" "example" {
  name                = "example"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  subnet_id           = azurerm_subnet.example.id

  private_service_connection {
    name                           = "example"
    private_connection_resource_id = azurerm_postgresql_flexible_server.example.id
    subresource_names              = ["postgresqlServer"]
    is_manual_connection           = false
  }
}
```
Remediation
Configure a private endpoint for the PostgreSQL Flexible Server.
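The check this rule performs, written out as an added example (not the page's or Checkov's own code): it walks a configuration in Terraform JSON syntax and reports, for every `azurerm_postgresql_flexible_server`, whether some `azurerm_private_endpoint` references its `id` in a `private_service_connection`. The resource names, the `SAMPLE_CONFIG` input and the helper names are constructed for the example; it only looks for private endpoints, not for other network-isolation mechanisms.

```python
import re
from typing import Any

# A Terraform reference to a flexible server's id, in either the
# "${...}" JSON-syntax form or the bare HCL form.
_SERVER_REF = re.compile(r"azurerm_postgresql_flexible_server\.([A-Za-z0-9_-]+)\.id")


def _as_list(value: Any) -> list:
    """Terraform JSON syntax allows a nested block as one object or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def servers_with_private_endpoint(config: dict) -> set[str]:
    """Names of flexible servers targeted by at least one private endpoint."""
    covered: set[str] = set()
    endpoints = config.get("resource", {}).get("azurerm_private_endpoint", {})
    for body in endpoints.values():
        for conn in _as_list(body.get("private_service_connection")):
            target = str(conn.get("private_connection_resource_id", ""))
            match = _SERVER_REF.search(target)
            if match:
                covered.add(match.group(1))
    return covered


def check_private_endpoint(config: dict) -> dict[str, bool]:
    """Map each azurerm_postgresql_flexible_server name to pass (True) or fail."""
    servers = config.get("resource", {}).get("azurerm_postgresql_flexible_server", {})
    covered = servers_with_private_endpoint(config)
    return {name: name in covered for name in servers}


# Constructed sample: one server reachable only through a private endpoint,
# one with no endpoint at all (the failing case this rule flags).
SAMPLE_CONFIG = {
    "resource": {
        "azurerm_postgresql_flexible_server": {
            "private_db": {"name": "private-db"},
            "public_db": {"name": "public-db"},
        },
        "azurerm_private_endpoint": {
            "pe": {
                "name": "pe",
                "subnet_id": "${azurerm_subnet.example.id}",
                "private_service_connection": {
                    "name": "pe-conn",
                    "is_manual_connection": False,
                    "private_connection_resource_id": "${azurerm_postgresql_flexible_server.private_db.id}",
                    "subresource_names": ["postgresqlServer"],
                },
            }
        },
    }
}

if __name__ == "__main__":
    for name, ok in check_private_endpoint(SAMPLE_CONFIG).items():
        print(f"{name}: {'PASSED' if ok else 'FAILED'}")
```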
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0814 |
| Severity | MEDIUM |
| IaC Type | Terraform |
| Frameworks | azurerm_postgresql_flexible_server |
| Checkov ID | CKV2_AZURE_57 |