Ensure That Cloud SQL Database Instances Do Not Have Public IPs

Risk Level: High
Cloud Entity: GCP CloudSql
CloudGuard Rule ID: D9.GCP.NET.24
Covered by Spectral: Yes
Category: Database

GSL LOGIC

CloudSql should not have ipAddresses contain [ ipAddress isPublic() ]

REMEDIATION

From Portal

Go to the Cloud SQL Instances page in the Google Cloud Console.
Click the instance name to open its Instance details page.
Select the Connections tab.
Deselect the Public IP checkbox.
Save and review your changes.

From TF
Set the 'settings.ip_configuration' with private_network configured:

resource 'google_sql_database_instance' 'instance' {
	provider = google-beta
	..
	settings {
		..
		ip_configuration {
			ipv4_enabled    = false
			private_network = projects/PROJECT_ID/global/networks/PRIVATE_NETWORK_NAME
		}
	}
}

From Command Line

For every instance remove its public IP and assign a private IP instead:

gcloud sql instances patch INSTANCE_NAME --network=VPC_NETWORK_NAME --no-assign-ip

Confirm the changes using the following command:

gcloud sql instances describe INSTANCE_NAME

Note: To prevent new SQL instances from getting configured with public IP addresses, set up a Restrict Public IP access on Cloud SQL instances Organization policy at: https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp.

References

GCP CloudSql

Cloud SQL is a fully managed database service that makes it easy to set up, maintain, manage, and administer your relational PostgreSQL, MySQL, and SQL Server databases in the cloud.

Compliance Frameworks

CloudGuard GCP All Rules Ruleset
GCP CIS Controls V 8
GCP CIS Foundations v. 1.1.0
GCP CIS Foundations v. 1.2.0
GCP CIS Foundations v. 1.3.0
GCP CIS Foundations v. 2.0
GCP CloudGuard Best Practices
GCP MITRE ATT&CK Framework v12.1
GCP NIST 800-53 Rev 5
GCP PCI-DSS 4.0

Updated 7 months ago