Ensure That Cloud SQL Database Instances Do Not Implicitly Whitelist All Public IP Addresses
The database server should accept connections only from trusted network(s)/IP(s); an authorized network of 0.0.0.0/0 makes a public-IP instance reachable from every public IP address.
Risk Level: High
Cloud Entity: GCP CloudSql
CloudGuard Rule ID: D9.GCP.NET.23
Covered by Spectral: Yes
Category: Database
GSL LOGIC
CloudSql where ipAddresses contain [ ipAddress isPublic() ] and settings.ipConfiguration.ipv4Enabled=true should not have settings.ipConfiguration.authorizedNetworks contain [value like '0.0.0.0/0']
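The GSL rule above reads as three parts: a scope (instances that have a public IP address and have IPv4 enabled) and a condition that must not hold (an authorized network equal to 0.0.0.0/0). The following Python is an added example, not CloudGuard's engine or Google's code: it evaluates the same logic over instance records shaped like the Cloud SQL Admin API response (`ipAddresses`, `settings.ipConfiguration.ipv4Enabled`, `settings.ipConfiguration.authorizedNetworks`). The sample instances are constructed, the `is_public_ipv4` helper is an assumed approximation of GSL's `isPublic()` (it treats RFC 1918, loopback, link-local and CGNAT ranges as non-public), and the check generalises slightly beyond the rule's literal `'0.0.0.0/0'` by flagging any authorized network with a zero-length prefix.

```python
import ipaddress

# Ranges treated as non-public. This approximates GSL's isPublic() and is an
# assumption of this example, not CloudGuard's definition.
NON_PUBLIC_V4 = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",  # loopback, link-local, CGNAT
)]

# Constructed sample records, shaped like Cloud SQL Admin API instances.get output.
# Only the fields the rule inspects are included; names and addresses are made up.
SAMPLE_INSTANCES = [
    {   # public IP, IPv4 enabled, authorized network 0.0.0.0/0 -> should FAIL
        "name": "orders-prod",
        "ipAddresses": [{"type": "PRIMARY", "ipAddress": "203.0.113.10"}],
        "settings": {"ipConfiguration": {
            "ipv4Enabled": True,
            "authorizedNetworks": [
                {"name": "office", "value": "198.51.100.0/24"},
                {"name": "anywhere", "value": "0.0.0.0/0"},
            ]}},
    },
    {   # public IP, only a trusted range authorized -> PASS
        "name": "orders-staging",
        "ipAddresses": [{"type": "PRIMARY", "ipAddress": "203.0.113.11"}],
        "settings": {"ipConfiguration": {
            "ipv4Enabled": True,
            "authorizedNetworks": [{"name": "office", "value": "198.51.100.0/24"}]}},
    },
    {   # private IP only, IPv4 disabled -> outside the rule's scope (N/A)
        "name": "analytics-private",
        "ipAddresses": [{"type": "PRIVATE", "ipAddress": "10.20.0.5"}],
        "settings": {"ipConfiguration": {
            "ipv4Enabled": False,
            "privateNetwork": "projects/example/global/networks/vpc"}},
    },
]


def is_public_ipv4(addr_str):
    """True for an IPv4 address outside the NON_PUBLIC_V4 ranges (assumed isPublic())."""
    try:
        addr = ipaddress.ip_address(addr_str)
    except ValueError:
        return False
    return addr.version == 4 and not any(addr in net for net in NON_PUBLIC_V4)


def has_public_ip(instance):
    """GSL: ipAddresses contain [ ipAddress isPublic() ]"""
    return any(is_public_ipv4(e.get("ipAddress", "")) for e in instance.get("ipAddresses", []))


def open_authorized_networks(instance):
    """Return authorized-network values that admit every address (0.0.0.0/0 or any /0)."""
    cfg = instance.get("settings", {}).get("ipConfiguration", {})
    found = []
    for net in cfg.get("authorizedNetworks", []):
        value = net.get("value", "")
        try:
            network = ipaddress.ip_network(value, strict=False)  # bare IP -> /32
        except ValueError:
            continue  # malformed entry: not a wildcard, but worth logging in practice
        if network.prefixlen == 0:
            found.append(value)
    return found


def evaluate(instance):
    """Return 'FAIL', 'PASS', or 'N/A' (instance not selected by the rule's where clause)."""
    cfg = instance.get("settings", {}).get("ipConfiguration", {})
    in_scope = has_public_ip(instance) and cfg.get("ipv4Enabled") is True
    if not in_scope:
        return "N/A"
    return "FAIL" if open_authorized_networks(instance) else "PASS"


def evaluate_all(instances):
    """Map instance name -> rule result, e.g. for a compliance report."""
    return {inst["name"]: evaluate(inst) for inst in instances}


if __name__ == "__main__":
    for name, result in evaluate_all(SAMPLE_INSTANCES).items():
        print(f"{result:4} {name}")
```

To run this against real data, feed `evaluate_all` the JSON from `gcloud sql instances list --format=json` instead of `SAMPLE_INSTANCES`; the field names match that output. Instances reported as N/A (private IP only, or IPv4 disabled) are not exposed by this rule's condition but should still be reviewed under the private-IP connectivity guidance in the references.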
REMEDIATION
From Portal
- Go to the Cloud SQL Instances page in the Google Cloud Console. https://console.cloud.google.com/sql/instances
- Click the instance name to open its Instance details page.
- Under the Configuration section, click Edit configurations.
- Under Configuration options expand the Connectivity section.
- Click the delete icon for the authorized network 0.0.0.0/0.
- Click Save to update the instance.
From TF
Set the 'value' of each 'authorized_networks' block to a trusted network/IP, never 0.0.0.0/0:
resource "google_sql_database_instance" "instance" {
  ...
  settings {
    ip_configuration {
      authorized_networks {
        value = "AUTHORIZED_NETWORK_IP"
        name  = "NAME"
      }
    }
  }
  ...
}
From Command Line
Run the following; the list passed to --authorized-networks replaces the instance's existing authorized networks, so include every trusted range that should remain:
gcloud sql instances patch INSTANCE_NAME --authorized-networks=IP_ADDR1,IP_ADDR2...
References
- https://cloud.google.com/sql/docs/mysql/configure-ip
- https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks
- https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints
- https://cloud.google.com/sql/docs/mysql/connection-org-policy
- https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance
GCP CloudSql
Cloud SQL is a fully managed database service that makes it easy to set up, maintain, manage, and administer your relational PostgreSQL, MySQL, and SQL Server databases in the cloud.
Compliance Frameworks
- CloudGuard GCP All Rules Ruleset
- GCP CIS Controls V 8
- GCP CIS Foundations v. 1.0.0
- GCP CIS Foundations v. 1.1.0
- GCP CIS Foundations v. 1.2.0
- GCP CIS Foundations v. 1.3.0
- GCP CIS Foundations v. 2.0
- GCP CloudGuard Best Practices
- GCP GDPR Readiness
- GCP LGPD regulation
- GCP MITRE ATT&CK Framework v12.1
- GCP NIST 800-53 Rev 5
- GCP PCI-DSS 4.0