Ensure that Cloud SQL - MYSQL instances have Point-in-time recovery enabled
Point-in-time recovery enables you to restore an instance to a specific moment in time, not just to the last daily backup, which limits the damage from accidental deletion, bad migrations, or ransomware. On MySQL it is implemented through binary logging, so this rule checks that binary logs are enabled.
Risk Level: Low
Cloud Entity: GCP CloudSql
CloudGuard Rule ID: D9.GCP.DR.02
Covered by Spectral: Yes
Category: Database
GSL LOGIC
CloudSql where databaseVersion like 'mysql%' should have settings.backupConfiguration.binaryLogEnabled=true
REMEDIATION
From Portal
- Go to the Cloud SQL Instances page in the Google Cloud Console.
- Select the instance for which you want to configure point-in-time recovery.
- Click Backups in the left panel, then Edit.
- Check 'Enable point-in-time recovery'. Automated backups must already be enabled; on MySQL this setting turns on binary logging, and changing binary logging restarts the instance.
- Save and review your changes.
From TF
Set binary_log_enabled to true inside settings.backup_configuration, with automated backups enabled in the same block. Note that the point_in_time_recovery_enabled attribute applies only to PostgreSQL and SQL Server instances; for MySQL, binary_log_enabled is what enables point-in-time recovery:
resource "google_sql_database_instance" "instance" {
  ..
  settings {
    backup_configuration {
      enabled            = true   # automated backups are a prerequisite for binary logging
      binary_log_enabled = true   # MySQL: enables point-in-time recovery
    }
  }
  ..
}
From Command Line
Run the following, where DAYS is the number of days of transaction logs to retain for point-in-time recovery. Automated backups must already be enabled; if they are not, add --backup-start-time=HH:MM to the same command. Enabling binary logging restarts the instance, so schedule it in a maintenance window:
gcloud sql instances patch INSTANCE_NAME --enable-bin-log --retained-transaction-log-days=DAYS
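The following Python script is an added example, not part of the CloudGuard rule or Google's tooling. It applies the GSL logic above offline to the JSON that `gcloud sql instances list --format=json` prints (a list of Cloud SQL Instance resources), and emits the `gcloud sql instances patch` command from the remediation section for every instance that fails. It goes beyond the rule in one way: for PostgreSQL and SQL Server instances it checks `settings.backupConfiguration.pointInTimeRecoveryEnabled`, the field the API uses for those engines instead of `binaryLogEnabled`. The instance list, the instance names and the 7-day retention default are constructed for the example; `HH:MM` is left as a placeholder for the operator to fill in.

```python
"""Offline audit of Cloud SQL instances for point-in-time recovery (PITR).

Input: the JSON printed by `gcloud sql instances list --format=json`.
Nothing here calls Google APIs; the sample data below is constructed.
"""
import json


def _backup_config(instance: dict) -> dict:
    # backupConfiguration is absent on instances that never had backups configured.
    return instance.get("settings", {}).get("backupConfiguration") or {}


def _is_mysql(instance: dict) -> bool:
    # The API reports versions such as "MYSQL_8_0"; the GSL rule matches 'mysql%'.
    return instance.get("databaseVersion", "").upper().startswith("MYSQL")


def pitr_enabled(instance: dict) -> bool:
    """Mirror the GSL rule: a MySQL instance passes only when binary logging is on.

    For PostgreSQL / SQL Server the API exposes PITR as pointInTimeRecoveryEnabled
    instead (extension beyond the MySQL-only rule on this page).
    """
    cfg = _backup_config(instance)
    if cfg.get("enabled", False) is not True:
        # Cloud SQL requires automated backups for binary logging / PITR, so a
        # disabled backup schedule means PITR is off whatever the other flags say.
        return False
    if _is_mysql(instance):
        return cfg.get("binaryLogEnabled", False) is True
    return cfg.get("pointInTimeRecoveryEnabled", False) is True


def remediation_command(instance: dict, retention_days: int = 7) -> str:
    """Build the gcloud patch command that brings the instance into compliance."""
    cfg = _backup_config(instance)
    flags = []
    if cfg.get("enabled", False) is not True:
        # Automated backups are a prerequisite; HH:MM is a placeholder the operator picks.
        flags.append("--backup-start-time=HH:MM")
    # --enable-bin-log is the MySQL flag; the other engines use a dedicated PITR flag.
    flags.append("--enable-bin-log" if _is_mysql(instance) else "--enable-point-in-time-recovery")
    flags.append(f"--retained-transaction-log-days={retention_days}")
    return f"gcloud sql instances patch {instance['name']} " + " ".join(flags)


def audit(instances: list) -> list:
    """Return one finding per non-compliant instance, in input order."""
    return [
        {
            "name": inst.get("name", "<unnamed>"),
            "databaseVersion": inst.get("databaseVersion", ""),
            "fix": remediation_command(inst),
        }
        for inst in instances
        if not pitr_enabled(inst)
    ]


# Constructed sample in the shape of `gcloud sql instances list --format=json`.
SAMPLE_INSTANCES = json.loads("""
[
  {"name": "orders-mysql", "databaseVersion": "MYSQL_8_0",
   "settings": {"backupConfiguration": {"enabled": true, "binaryLogEnabled": true,
                                        "transactionLogRetentionDays": 7}}},
  {"name": "legacy-mysql", "databaseVersion": "MYSQL_5_7",
   "settings": {"backupConfiguration": {"enabled": true, "binaryLogEnabled": false}}},
  {"name": "scratch-mysql", "databaseVersion": "MYSQL_8_0",
   "settings": {}},
  {"name": "billing-pg", "databaseVersion": "POSTGRES_15",
   "settings": {"backupConfiguration": {"enabled": true, "pointInTimeRecoveryEnabled": true}}}
]
""")


if __name__ == "__main__":
    # Pipe real output in with: gcloud sql instances list --format=json | python3 audit.py
    import sys
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_INSTANCES
    for finding in audit(data):
        print(f"{finding['name']} ({finding['databaseVersion']}): PITR not enabled")
        print(f"  fix: {finding['fix']}")
```

On the sample data, `orders-mysql` and `billing-pg` pass, `legacy-mysql` fails because binary logging is off, and `scratch-mysql` fails because it has no backup configuration at all, so its remediation command also carries the `--backup-start-time` flag that the patch needs before binary logging can be turned on.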
References
- https://cloud.google.com/sql/docs/mysql/backup-recovery/backups
- https://cloud.google.com/sql/docs/postgres/backup-recovery/pitr
- https://cloud.google.com/sql/docs/postgres/backup-recovery/restore#tips-pitr
- https://cloud.google.com/sdk/gcloud/reference/sql/instances/patch#--backup-start-time
GCP CloudSql
Cloud SQL is a fully managed database service that makes it easy to set up, maintain, manage, and administer your relational PostgreSQL, MySQL, and SQL Server databases in the cloud.
Compliance Frameworks
- CloudGuard GCP All Rules Ruleset
- GCP CloudGuard Best Practices
- GCP MITRE ATT&CK Framework v12.1
- GCP NIST 800-53 Rev 5
Updated about 1 year ago