Ensure that Cloud SQL - MYSQL instances have Point-in-time recovery enabled

Point-in-time recovery enables you to restore an instance to a specific moment in time, which helps in situations such as accidental data loss or ransomware attacks, and therefore should be enabled. For Cloud SQL MySQL instances it depends on binary logging being enabled.

Risk Level: Low
Cloud Entity: GCP CloudSql
CloudGuard Rule ID: D9.GCP.DR.02
Covered by Spectral: Yes
Category: Database

GSL LOGIC

CloudSql where databaseVersion like 'mysql%' should have settings.backupConfiguration.binaryLogEnabled=true

REMEDIATION

From Portal

  1. Go to the Cloud SQL Instances page in the Google Cloud Console.
  2. Select the instance for which you want to configure point-in-time backups.
  3. Click Backups in the left panel, then Edit.
  4. Check 'Enable point-in-time recovery'.
  5. Save and review your changes.

From TF
Set point_in_time_recovery_enabled to true (HCL string literals use double quotes):

resource "google_sql_database_instance" "instance" {
	..
	settings {
		backup_configuration {
			enabled                        = true
			# Binary logging is what the GSL rule above checks for MySQL instances
			binary_log_enabled             = true
			point_in_time_recovery_enabled = true
		}
	}
	..
}

From Command Line
Run the following, replacing INSTANCE_NAME with the instance name and DAYS with the number of days of transaction logs to retain:

gcloud sql instances patch INSTANCE_NAME --enable-bin-log --retained-transaction-log-days=DAYS
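The following is an added example, not part of the original rule page or of CloudGuard's own engine. It implements the GSL logic above in Python against instance records shaped like the JSON that `gcloud sql instances describe INSTANCE --format=json` returns (fields name, databaseVersion and settings.backupConfiguration), flags MySQL instances without binary logging, treats a missing backupConfiguration block as non-compliant, skips non-MySQL instances, and prints the remediation command from the section above for each finding. The sample instances and their names are constructed for the example.

```python
"""Evaluate the CloudGuard GSL rule above against Cloud SQL instance records.

The instance dictionaries follow the shape returned by
`gcloud sql instances describe INSTANCE --format=json`.
The sample instances below are constructed for this example.
"""
from typing import Dict, List

# Constructed sample data: four instances in different states.
SAMPLE_INSTANCES: List[Dict] = [
    {   # MySQL with binary logging enabled: compliant
        "name": "orders-mysql",
        "databaseVersion": "MYSQL_8_0",
        "settings": {"backupConfiguration": {
            "enabled": True, "binaryLogEnabled": True,
            "transactionLogRetentionDays": 7}},
    },
    {   # MySQL with automated backups but no binary log: non-compliant
        "name": "legacy-mysql",
        "databaseVersion": "MYSQL_5_7",
        "settings": {"backupConfiguration": {
            "enabled": True, "binaryLogEnabled": False}},
    },
    {   # MySQL with no backupConfiguration block at all: non-compliant
        "name": "scratch-mysql",
        "databaseVersion": "MYSQL_8_0",
        "settings": {},
    },
    {   # PostgreSQL: out of scope, databaseVersion is not like 'mysql%'
        "name": "analytics-pg",
        "databaseVersion": "POSTGRES_14",
        "settings": {"backupConfiguration": {
            "enabled": True, "pointInTimeRecoveryEnabled": False}},
    },
]


def is_mysql(instance: Dict) -> bool:
    """GSL: databaseVersion like 'mysql%' (the API reports versions as MYSQL_*)."""
    return str(instance.get("databaseVersion", "")).lower().startswith("mysql")


def binary_log_enabled(instance: Dict) -> bool:
    """GSL: settings.backupConfiguration.binaryLogEnabled=true.

    A missing settings or backupConfiguration block counts as not enabled.
    """
    backup = (instance.get("settings") or {}).get("backupConfiguration") or {}
    return backup.get("binaryLogEnabled") is True


def evaluate(instances: List[Dict]) -> Dict[str, List[str]]:
    """Split instances into compliant, non_compliant and not_applicable names."""
    result: Dict[str, List[str]] = {
        "compliant": [], "non_compliant": [], "not_applicable": []}
    for inst in instances:
        if not is_mysql(inst):
            result["not_applicable"].append(inst["name"])
        elif binary_log_enabled(inst):
            result["compliant"].append(inst["name"])
        else:
            result["non_compliant"].append(inst["name"])
    return result


def remediation_command(name: str, retained_days: int = 7) -> str:
    """The gcloud patch command from the remediation section, filled in for one instance."""
    return (f"gcloud sql instances patch {name} --enable-bin-log "
            f"--retained-transaction-log-days={retained_days}")


if __name__ == "__main__":
    findings = evaluate(SAMPLE_INSTANCES)
    for name in findings["non_compliant"]:
        print(f"NON-COMPLIANT {name}: {remediation_command(name)}")
    print(f"compliant: {findings['compliant']}, "
          f"not applicable: {findings['not_applicable']}")
```

To run this against a real project, load the output of `gcloud sql instances list --format=json` with `json.load` and pass the resulting list to `evaluate` in place of SAMPLE_INSTANCES; the list command returns the same per-instance fields the functions read.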

References

  1. https://cloud.google.com/sql/docs/mysql/backup-recovery/backups
  2. https://cloud.google.com/sql/docs/postgres/backup-recovery/pitr
  3. https://cloud.google.com/sql/docs/postgres/backup-recovery/restore#tips-pitr
  4. https://cloud.google.com/sdk/gcloud/reference/sql/instances/patch#--backup-start-time

GCP CloudSql

Cloud SQL is a fully managed database service that makes it easy to set up, maintain, manage, and administer your relational PostgreSQL, MySQL, and SQL Server databases in the cloud.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CloudGuard Best Practices
  • GCP MITRE ATT&CK Framework v12.1
  • GCP NIST 800-53 Rev 5