PostgreSQL server without connection throttling

Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > PostgreSQL server without connection throttling

Metadata

Id: a9becca7-892a-4af7-b9e1-44bf20a4cd9a

Cloud Provider: Azure

Platform: Ansible

Severity: Medium

Category: Observability

Learn More

Provider Reference

Description

Connection throttling must be enabled on PostgreSQL servers to limit concurrent connection attempts and prevent resource exhaustion or availability degradation from runaway clients or connection storms.

This rule checks Ansible tasks using the azure.azcollection.azure_rm_postgresqlconfiguration or azure_rm_postgresqlconfiguration module where name equals connection_throttling. The value property must be set to ON (case-insensitive). Resources missing this setting or with value set to OFF (or any value other than ON) are flagged as an incorrect configuration.

Secure Ansible task example:

- name: Enable connection throttling on PostgreSQL server
  azure.azcollection.azure_rm_postgresqlconfiguration:
    resource_group: myResourceGroup
    server_name: myPostgresServer
    name: connection_throttling
    value: ON

Compliant Code Examples

- name: Update PostgreSQL Server setting
  azure.azcollection.azure_rm_postgresqlconfiguration:
    resource_group: myResourceGroup
    server_name: myServer
    name: connection_throttling
    value: on
- name: Update PostgreSQL Server setting2
  azure.azcollection.azure_rm_postgresqlconfiguration:
    resource_group: myResourceGroup
    server_name: myServer
    name: connection_throttling
    value: On
- name: Update PostgreSQL Server setting3
  azure.azcollection.azure_rm_postgresqlconfiguration:
    resource_group: myResourceGroup
    server_name: myServer
    name: connection_throttling
    value: ON
- name: Update PostgreSQL Server setting4
  azure.azcollection.azure_rm_postgresqlconfiguration:
    resource_group: myResourceGroup
    server_name: myServer
    name: connection_throttling
    value: on
- name: Update PostgreSQL Server setting5
  azure.azcollection.azure_rm_postgresqlconfiguration:
    resource_group: myResourceGroup
    server_name: myServer
    name: connection_throttling
    value: On
- name: Update PostgreSQL Server setting6
  azure.azcollection.azure_rm_postgresqlconfiguration:
    resource_group: myResourceGroup
    server_name: myServer
    name: connection_throttling
    value: ON

Non-Compliant Code Examples

---
- name: Update PostgreSQL Server setting
  azure.azcollection.azure_rm_postgresqlconfiguration:
    resource_group: myResourceGroup
    server_name: myServer
    name: connection_throttling
    value: off
- name: Update PostgreSQL Server setting2
  azure.azcollection.azure_rm_postgresqlconfiguration:
    resource_group: myResourceGroup
    server_name: myServer
    name: connection_throttling
    value: Off
- name: Update PostgreSQL Server setting3
  azure.azcollection.azure_rm_postgresqlconfiguration:
    resource_group: myResourceGroup
    server_name: myServer
    name: connection_throttling
    value: OFF
- name: Update PostgreSQL Server setting4
  azure.azcollection.azure_rm_postgresqlconfiguration:
    resource_group: myResourceGroup
    server_name: myServer
    name: connection_throttling
    value: "off"
- name: Update PostgreSQL Server setting5
  azure.azcollection.azure_rm_postgresqlconfiguration:
    resource_group: myResourceGroup
    server_name: myServer
    name: connection_throttling
    value: "Off"
- name: Update PostgreSQL Server setting6
  azure.azcollection.azure_rm_postgresqlconfiguration:
    resource_group: myResourceGroup
    server_name: myServer
    name: connection_throttling
    value: "OFF"