Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL

Cloud SQL supports connecting to an instance using the SSL/TLS protocol. If you connect to an instance over its public IP address, use SSL certificates so that the data is protected during transmission. SSL is the standard protocol for encrypting data sent over the internet. If your data isn't encrypted, anyone who can observe your packets can read confidential information.

Risk Level: High
Cloud Entity: GCP CloudSql
CloudGuard Rule ID: D9.GCP.CRY.07
Covered by Spectral: Yes
Category: Database


CloudSql should have settings.ipConfiguration.requireSsl=true


From Portal

  1. Go to the Cloud SQL Instances page in the Google Cloud Console.
  2. Click the instance name to open its Instance details page.
  3. Click the Connections link in the left navigation pane.
  4. Click the SECURITY tab.
  5. Click Allow only SSL connections.
  6. Save and review your changes.

Note: If your Cloud SQL instance is using a public IP address, you need to add the IP addresses of your MySQL clients as authorized networks when configuring SSL.

From Terraform
Set 'require_ssl' to true:

resource "google_sql_database_instance" "instance" {
	provider = google-beta
	settings {
		ip_configuration {
			# Reject connections that do not use SSL
			require_ssl = true
		}
	}
}

From Command Line

gcloud sql instances patch INSTANCE_NAME --require-ssl
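
To find which instances need the patch, the rule settings.ipConfiguration.requireSsl=true can be checked against the JSON that `gcloud sql instances list --format=json` returns. The script below is an added example, not CloudGuard's own logic; the instance names and JSON are constructed, and treating a missing requireSsl field as false is an assumption.

```python
import json

# Constructed sample, shaped like `gcloud sql instances list --format=json` output.
SAMPLE = """
[
 {"name": "orders-db",
  "settings": {"ipConfiguration": {"ipv4Enabled": true, "requireSsl": true}}},
 {"name": "internal-db",
  "settings": {"ipConfiguration": {"ipv4Enabled": false, "requireSsl": false}}},
 {"name": "legacy-db",
  "settings": {"ipConfiguration": {"ipv4Enabled": true,
     "authorizedNetworks": [{"name": "any", "value": "0.0.0.0/0"}]}}}
]
"""

def exposure(ipcfg):
    """Rank how reachable the instance is: lower number = review first."""
    if not ipcfg.get("ipv4Enabled"):
        return 2, "private IP only"
    nets = [n.get("value") for n in ipcfg.get("authorizedNetworks", [])]
    if "0.0.0.0/0" in nets:
        return 0, "public IP, authorized network 0.0.0.0/0"
    return 1, "public IP"

def audit(instances):
    """Return instances failing settings.ipConfiguration.requireSsl=true."""
    findings = []
    for inst in instances:
        ipcfg = (inst.get("settings") or {}).get("ipConfiguration") or {}
        # Assumption: a missing requireSsl is treated the same as false.
        if ipcfg.get("requireSsl") is True:
            continue
        rank, note = exposure(ipcfg)
        findings.append({
            "name": inst.get("name", "<unnamed>"),
            "rank": rank,
            "exposure": note,
            # Remediation command as given on this page.
            "fix": f"gcloud sql instances patch {inst.get('name')} --require-ssl",
        })
    return sorted(findings, key=lambda f: (f["rank"], f["name"]))

if __name__ == "__main__":
    for f in audit(json.loads(SAMPLE)):
        print(f"FAIL {f['name']}: {f['exposure']} -> {f['fix']}")
```

Findings are ordered so that publicly reachable instances without SSL enforcement come first.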


  1. https://cloud.google.com/sql/docs/mysql/authorize-ssl
  2. https://cloud.google.com/sql/docs/mysql/authorize-networks#authorized-networks
  3. https://cloud.google.com/sql/docs/mysql/configure-ssl-instance
  4. https://cloud.google.com/sdk/gcloud/reference/sql/instances/patch#--[no-]require-ssl

GCP CloudSql

Cloud SQL is a fully managed database service that makes it easy to set up, maintain, manage, and administer your relational PostgreSQL, MySQL, and SQL Server databases in the cloud.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CIS Controls V 8
  • GCP CIS Foundations v. 1.0.0
  • GCP CIS Foundations v. 1.1.0
  • GCP CIS Foundations v. 1.2.0
  • GCP CIS Foundations v. 1.3.0
  • GCP CIS Foundations v. 2.0
  • GCP CloudGuard Best Practices
  • GCP GDPR Readiness
  • GCP LGPD regulation
  • GCP MITRE ATT&CK Framework v12.1
  • GCP NIST 800-53 Rev 5
  • GCP PCI-DSS 4.0