Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL
Cloud SQL supports connecting to an instance using the Transport Layer Security SSL protocol. If you are connecting to an instance using its public IP address, you should use SSL certificates, so the data is secure during transmission. SSL is the standard protocol for encryption of data sent over the internet. If your data isn't encrypted, anyone can examine your packets and read confidential information.
Risk Level: High
Cloud Entity: GCP CloudSql
CloudGuard Rule ID: D9.GCP.CRY.07
Covered by Spectral: Yes
Category: Database
GSL LOGIC
CloudSql should have settings.ipConfiguration.requireSsl=true
REMEDIATION
From Portal
- Go to the Cloud SQL Instances page in the Google Cloud Console.
- Click the instance name to open its Instance details page.
- Click the Connections link in the left navigation pane.
- Click on SECURITY tub
- Click Allow only SSL connections.
- Save and review your changes
Note: If your Cloud SQL instance is using a public IP address, you need to add the IP addresses of your MySQL clients as authorized networks when configuring SSL.
From TF
Set the 'require_ssl' to be 'true':
resource 'google_sql_database_instance' 'instance' {
provider = google-beta
..
settings {
..
ip_configuration {
require_ssl = 'true'
}
}
}
From Command Line
Run
gcloud sql instances patch INSTANCE_NAME --require-ssl
References
- https://cloud.google.com/sql/docs/mysql/authorize-ssl
- https://cloud.google.com/sql/docs/mysql/authorize-networks#authorized-networks
- https://cloud.google.com/sql/docs/mysql/configure-ssl-instance
- https://cloud.google.com/sdk/gcloud/reference/sql/instances/patch#--[no-]require-ssl
GCP CloudSql
Cloud SQL is a fully managed database service that makes it easy to set up, maintain, manage, and administer your relational PostgreSQL, MySQL, and SQL Server databases in the cloud.
Compliance Frameworks
- CloudGuard GCP All Rules Ruleset
- GCP CIS Controls V 8
- GCP CIS Foundations v. 1.0.0
- GCP CIS Foundations v. 1.1.0
- GCP CIS Foundations v. 1.2.0
- GCP CIS Foundations v. 1.3.0
- GCP CIS Foundations v. 2.0
- GCP CloudGuard Best Practices
- GCP GDPR Readiness
- GCP HIPAA
- GCP LGPD regulation
- GCP MITRE ATT&CK Framework v12.1
- GCP NIST 800-53 Rev 5
- GCP PCI-DSS 4.0
Updated over 1 year ago