Ensure geo-redundant backups are enabled for Azure PostgreSQL Server

MEDIUM

Description

Enabling automatic backups can help prevent data loss for a PostgreSQL server. Azure can create and save backups in either locally redundant or geo-redundant storage for greater resiliency, with geo-redundant storage providing the greatest availability. The maximum retention period for PostgreSQL backup storage is 35 days and they are encrypted by default. For more information, see the Azure documentation.
References:
https://learn.microsoft.com/en-us/azure/postgresql/single-server/concepts-backup

Remediation

In Azure Console -

Open the Azure Portal and go to Azure Database for PostgreSQL servers.
Choose the PostgreSQL server you wish to edit.
Under Compute + storage, enable Geo-redundancy.
Select save.

In Terraform -

In the azurerm_postgresql_configuration resource, set geo_redundant_backup_enabled to true.

References:
https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/quickstart-create-server-portal
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_server

Policy Details

Rule Reference ID: AC_AZURE_0407

CSP: Azure

Remediation Available: Yes

Domain: Resilience

Resource: azurerm_postgresql_server

Resource Category: Database

Resource Type: PostgreSQL

Frameworks

GDPR
HIPAA
NIST-800-171
NIST-800-53
NIST-CSF
ISO-27001

Detections

Analytics