Ensure That Cloud SQL Database Instances Are Configured With Automated Backups

Backups provide a way to restore your Cloud SQL instance to recover lost data or recover from a problem with your instance. You should enable automated backups for any instance that contains data that you need to protect from loss or damage. When you enable automated backups, you specify a 4-hour backup window. The backup starts during the backup window. When possible, schedule backups when your instance has the least activity.

Risk Level: Low
Cloud Entity: GCP CloudSql
CloudGuard Rule ID: D9.GCP.DR.01
Covered by Spectral: Yes
Category: Database

GSL LOGIC

CloudSql should have settings.backupConfiguration.enabled=true

REMEDIATION

From Portal

  1. Go to the Cloud SQL Instances page in the Google Cloud Console.
  2. Select the instance for which you want to configure backups.
  3. Click Edit.
  4. In the Auto backups section, select Automate backups, and choose a backup window.
  5. Save and review your changes.

From TF
Set backup_configuration.enabled to true:

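resource "google_sql_database_instance" "instance" {
	# ...
	settings {
		backup_configuration {
			# Start of the 4-hour backup window, in HH:MM format
			start_time = "HH:MM"
			enabled = true
			# Binary logging applies to MySQL instances only
			binary_log_enabled = true
		}
	}
	# ...
}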

From Command Line
Run

gcloud sql instances patch INSTANCE_NAME --backup-start-time HH:MM
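
To verify the result across a project, the GSL condition above (settings.backupConfiguration.enabled=true) can be evaluated over a saved instance listing. The following is an added example, not CloudGuard's own code; it assumes the JSON shape produced by `gcloud sql instances list --format=json`, and the instance names and values in SAMPLE are constructed.

```python
import json
import sys

# Constructed sample shaped like `gcloud sql instances list --format=json` output.
SAMPLE = """[
  {"name": "orders-db", "databaseVersion": "MYSQL_8_0",
   "settings": {"backupConfiguration": {"enabled": true, "startTime": "02:00"}}},
  {"name": "legacy-db", "databaseVersion": "POSTGRES_13",
   "settings": {"backupConfiguration": {"enabled": false, "startTime": "11:00"}}},
  {"name": "scratch-db", "databaseVersion": "SQLSERVER_2019_STANDARD",
   "settings": {}}
]"""


def check_instance(instance):
    """Return (passed, detail) for settings.backupConfiguration.enabled=true."""
    cfg = (instance.get("settings") or {}).get("backupConfiguration")
    if not isinstance(cfg, dict):
        # A missing block is treated as a failure, not silently skipped.
        return False, "backupConfiguration missing"
    if cfg.get("enabled") is not True:
        return False, "enabled=%r" % cfg.get("enabled")
    return True, "backup window starts %s" % cfg.get("startTime", "unknown")


def audit_text(text):
    """Parse a JSON instance listing; return {name: (passed, detail)}."""
    return {i.get("name", "<unnamed>"): check_instance(i) for i in json.loads(text)}


def main(argv):
    # With a file argument, audit saved gcloud output; otherwise use SAMPLE.
    if len(argv) > 1:
        with open(argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE
    results = audit_text(text)
    for name, (passed, detail) in sorted(results.items()):
        print("%s %s: %s" % ("PASS" if passed else "FAIL", name, detail))
    # Non-zero exit lets a CI job or scheduled check fail on any non-compliant instance.
    return 0 if all(p for p, _ in results.values()) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```
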

References

  1. https://cloud.google.com/sdk/gcloud/reference/sql/instances/patch#--backup-start-time
  2. https://cloud.google.com/sql/docs/mysql/backup-recovery/backups
  3. https://cloud.google.com/sql/docs/mysql/backup-recovery/backing-up#schedulebackups

GCP CloudSql

Cloud SQL is a fully managed database service that makes it easy to set up, maintain, manage, and administer your relational PostgreSQL, MySQL, and SQL Server databases in the cloud.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CIS Controls V 8
  • GCP CIS Foundations v. 1.1.0
  • GCP CIS Foundations v. 1.2.0
  • GCP CIS Foundations v. 1.3.0
  • GCP CIS Foundations v. 2.0
  • GCP CloudGuard Best Practices
  • GCP MITRE ATT&CK Framework v12.1
  • GCP NIST 800-53 Rev 5