Ensure That Cloud SQL Database Instances Do Not Have Public IPs
It is recommended to use private IPs over public IPs in your Cloud SQL instances, in order to lower the organization's risks from attacks.
Risk Level: High
Cloud Entity: GCP CloudSql
CloudGuard Rule ID: D9.GCP.NET.24
Covered by Spectral: Yes
Category: Database
GSL LOGIC
CloudSql should not have ipAddresses contain [ ipAddress isPublic() ]
REMEDIATION
From Portal
- Go to the Cloud SQL Instances page in the Google Cloud Console.
- Click the instance name to open its Instance details page.
- Select the Connections tab.
- Deselect the Public IP checkbox.
- Save and review your changes.
From TF
Set the 'settings.ip_configuration' with private_network configured:
resource 'google_sql_database_instance' 'instance' {
provider = google-beta
..
settings {
..
ip_configuration {
ipv4_enabled = false
private_network = projects/PROJECT_ID/global/networks/PRIVATE_NETWORK_NAME
}
}
}
From Command Line
- For every instance remove its public IP and assign a private IP instead:
gcloud sql instances patch INSTANCE_NAME --network=VPC_NETWORK_NAME --no-assign-ip
- Confirm the changes using the following command:
gcloud sql instances describe INSTANCE_NAME
Note: To prevent new SQL instances from getting configured with public IP addresses, set up a Restrict Public IP access on Cloud SQL instances Organization policy at: https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp.
References
- https://cloud.google.com/sql/docs/mysql/private-ip
- https://cloud.google.com/sql/docs/mysql/configure-private-ip
- https://cloud.google.com/sdk/gcloud/reference/sql/instances/patch#--[no-]assign-ip
GCP CloudSql
Cloud SQL is a fully managed database service that makes it easy to set up, maintain, manage, and administer your relational PostgreSQL, MySQL, and SQL Server databases in the cloud.
Compliance Frameworks
- CloudGuard GCP All Rules Ruleset
- GCP CIS Controls V 8
- GCP CIS Foundations v. 1.1.0
- GCP CIS Foundations v. 1.2.0
- GCP CIS Foundations v. 1.3.0
- GCP CIS Foundations v. 2.0
- GCP CloudGuard Best Practices
- GCP MITRE ATT&CK Framework v12.1
- GCP NIST 800-53 Rev 5
- GCP PCI-DSS 4.0
Updated about 1 year ago