Ensure That Cloud SQL Database Instances Do Not Implicitly Whitelist All Public IP Addresses

Database Server should accept connections only from trusted Network(s)/IP(s) and restrict access from public IP addresses

Suggest Edits

Risk Level: High
Cloud Entity: GCP CloudSql
CloudGuard Rule ID: D9.GCP.NET.23
Covered by Spectral: Yes
Category: Database

GSL LOGIC

CloudSql where ipAddresses contain [ ipAddress isPublic() ] and settings.ipConfiguration.ipv4Enabled=true should not have settings.ipConfiguration.authorizedNetworks contain [value like '0.0.0.0/0']

REMEDIATION

From Portal

Go to the Cloud SQL Instances page in the Google Cloud Console. https://console.cloud.google.com/sql/instances
Click the instance name to open its Instance details page.
Under the Configuration section click Edit configurations
Under Configuration options expand the Connectivity section.
Click the delete icon for the authorized network 0.0.0.0/0.
Click Save to update the instance.

From TF
Set the 'nat_ip' with trusted Network(s)/IP(s) and not 0.0.0.0/0:

resource "google_sql_database_instance" "instance" {
	...
	settings {
		
		ip_configuration {
			
			authorized_networks {
				value           = "AUTHORIZED_NETWORK_IP"
				name            = "NAME"
			}
		}
	}
	...
}

From Command Line
Run

gcloud sql instances patch INSTANCE_NAME --authorized-networks=IP_ADDR1,IP_ADDR2...

References

GCP CloudSql

Cloud SQL is a fully managed database service that makes it easy to set up, maintain, manage, and administer your relational PostgreSQL, MySQL, and SQL Server databases in the cloud.

Compliance Frameworks

CloudGuard GCP All Rules Ruleset
GCP CIS Controls V 8
GCP CIS Foundations v. 1.0.0
GCP CIS Foundations v. 1.1.0
GCP CIS Foundations v. 1.2.0
GCP CIS Foundations v. 1.3.0
GCP CIS Foundations v. 2.0
GCP CloudGuard Best Practices
GCP GDPR Readiness
GCP LGPD regulation
GCP MITRE ATT&CK Framework v12.1
GCP NIST 800-53 Rev 5
GCP PCI-DSS 4.0

Updated about 1 year ago