Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL

Risk Level: High
Cloud Entity: GCP CloudSql
CloudGuard Rule ID: D9.GCP.CRY.07
Covered by Spectral: Yes
Category: Database

GSL LOGIC

CloudSql should have settings.ipConfiguration.requireSsl=true

REMEDIATION

From Portal

1. Go to the Cloud SQL Instances page in the Google Cloud Console.
2. Click the instance name to open its Instance details page.
3. Click the Connections link in the left navigation pane.
4. Click on SECURITY tub
5. Click Allow only SSL connections.
6. Save and review your changes

Note: If your Cloud SQL instance is using a public IP address, you need to add the IP addresses of your MySQL clients as authorized networks when configuring SSL.

From TF
Set the 'require_ssl' to be 'true':

resource 'google_sql_database_instance' 'instance' {
	provider = google-beta
	..
	settings {
		..
		ip_configuration {
			require_ssl = 'true'
		}
	}
}

From Command Line
Run

gcloud sql instances patch INSTANCE_NAME --require-ssl

References

1. https://cloud.google.com/sql/docs/mysql/authorize-ssl
2. https://cloud.google.com/sql/docs/mysql/authorize-networks#authorized-networks
3. https://cloud.google.com/sql/docs/mysql/configure-ssl-instance
4. https://cloud.google.com/sdk/gcloud/reference/sql/instances/patch#--[no-]require-ssl

GCP CloudSql

Cloud SQL is a fully managed database service that makes it easy to set up, maintain, manage, and administer your relational PostgreSQL, MySQL, and SQL Server databases in the cloud.

Compliance Frameworks

• CloudGuard GCP All Rules Ruleset
• GCP CIS Controls V 8
• GCP CIS Foundations v. 1.0.0
• GCP CIS Foundations v. 1.1.0
• GCP CIS Foundations v. 1.2.0
• GCP CIS Foundations v. 1.3.0
• GCP CIS Foundations v. 2.0
• GCP CloudGuard Best Practices
• GCP GDPR Readiness
• GCP HIPAA
• GCP LGPD regulation
• GCP MITRE ATT&CK Framework v12.1
• GCP NIST 800-53 Rev 5
• GCP PCI-DSS 4.0