6.6 Ensure That Cloud SQL Database Instances Do Not Have Public IPs

Information

It is recommended to configure Second Generation Cloud SQL instances to use private IPs instead of public IPs.

Rationale:

To reduce the organization's attack surface, Cloud SQL instances should not have public IPs. An instance with only a private IP is reachable solely from the VPC network it is attached to (and from networks peered or connected to that VPC), and clients in that VPC also see lower latency than over a public address.

Impact:

Removing the public IP address from an instance will break any application that relied on that address for database connectivity. Update those clients to connect over the private IP (from inside the VPC, or through a proxy or connector running in it) before removing the public address.

Solution

From Console:

Go to the Cloud SQL Instances page in the Google Cloud Console: https://console.cloud.google.com/sql/instances

Click the instance name to open its Instance details page.

Select the Connections tab.

Deselect the Public IP checkbox.

Click Save to update the instance.

From Command Line:

For every instance, remove its public IP and assign a private IP on the chosen VPC instead. The VPC must already have private services access configured (an allocated IP range and a peering to the service producer network); otherwise the patch is rejected:

gcloud sql instances patch <INSTANCE_NAME> --network=<VPC_NETWORK_NAME> --no-assign-ip

Confirm the change using the following command and check that the ipAddresses list no longer contains an entry of type PRIMARY (only PRIVATE) and that settings.ipConfiguration.ipv4Enabled is false:

gcloud sql instances describe <INSTANCE_NAME>
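The command-line procedure above is one instance at a time; the script below is an added example (not part of the benchmark or of Google's tooling) that audits every instance in a project at once. It consumes the JSON printed by gcloud sql instances list --format=json, flags each instance that still has a PRIMARY (public) address or ipv4Enabled set, and emits the matching patch command, adding --network only when the instance has no private network yet. The instance names, project and VPC names in SAMPLE_INSTANCES are constructed for offline use; the JSON field names are the ones the Cloud SQL Admin API returns.

```python
"""Audit Cloud SQL instances for public IPs and emit the matching remediation.

Added example, not text from the benchmark: it consumes the JSON printed by
`gcloud sql instances list --format=json` and flags every instance that still
has a public (PRIMARY) address or has ipv4Enabled set. SAMPLE_INSTANCES is a
constructed sample for offline use; the field names used (ipAddresses[].type,
settings.ipConfiguration.ipv4Enabled, settings.ipConfiguration.privateNetwork)
are the ones the Cloud SQL Admin API returns.
"""
import json
import subprocess
import sys

# Constructed sample shaped like `gcloud sql instances list --format=json` output.
SAMPLE_INSTANCES = [
    {   # public IP only: non-compliant; needs a VPC before --no-assign-ip can apply
        "name": "orders-db",
        "ipAddresses": [{"ipAddress": "203.0.113.10", "type": "PRIMARY"}],
        "settings": {"ipConfiguration": {"ipv4Enabled": True}},
    },
    {   # public and private: non-compliant, but the public IP can be dropped directly
        "name": "billing-db",
        "ipAddresses": [
            {"ipAddress": "203.0.113.11", "type": "PRIMARY"},
            {"ipAddress": "10.20.0.5", "type": "PRIVATE"},
        ],
        "settings": {"ipConfiguration": {
            "ipv4Enabled": True,
            "privateNetwork": "projects/example-proj/global/networks/prod-vpc"}},
    },
    {   # private only: compliant
        "name": "analytics-db",
        "ipAddresses": [{"ipAddress": "10.20.0.6", "type": "PRIVATE"}],
        "settings": {"ipConfiguration": {
            "ipv4Enabled": False,
            "privateNetwork": "projects/example-proj/global/networks/prod-vpc"}},
    },
]


def public_addresses(instance):
    """Public IPv4 addresses (type PRIMARY) attached to an instance. OUTGOING
    entries are the instance's egress source address, not a listener, so they
    are ignored."""
    return [a["ipAddress"] for a in instance.get("ipAddresses", [])
            if a.get("type") == "PRIMARY"]


def has_public_ip(instance):
    """True if the instance listens on a public IP or is configured to get one.
    ipv4Enabled is checked as well as the address list because an instance that
    is still being created carries the setting before any address appears."""
    ip_cfg = instance.get("settings", {}).get("ipConfiguration", {})
    return bool(public_addresses(instance)) or bool(ip_cfg.get("ipv4Enabled"))


def remediation(instance, default_network=None):
    """Build the gcloud patch command for a non-compliant instance. If the instance
    already has a private network, --network is not needed; otherwise a VPC (which
    must already have private services access configured) has to be supplied."""
    ip_cfg = instance.get("settings", {}).get("ipConfiguration", {})
    cmd = ["gcloud", "sql", "instances", "patch", instance["name"]]
    if not ip_cfg.get("privateNetwork"):
        if default_network is None:
            return None  # no VPC to move the instance into; cannot remediate yet
        cmd.append(f"--network={default_network}")
    cmd.append("--no-assign-ip")
    return " ".join(cmd)


def audit(instances, default_network=None):
    """One finding per instance that still exposes (or would expose) a public IP."""
    return [{"instance": inst["name"],
             "public_ips": public_addresses(inst),
             "remediation": remediation(inst, default_network)}
            for inst in instances if has_public_ip(inst)]


def load_instances(argv):
    """Read instances from a JSON file named on the command line, else from a live
    `gcloud sql instances list --format=json`, else fall back to the sample."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            return json.load(fh)
    try:
        proc = subprocess.run(["gcloud", "sql", "instances", "list", "--format=json"],
                              capture_output=True, text=True, check=True)
        return json.loads(proc.stdout)
    except (OSError, subprocess.CalledProcessError, json.JSONDecodeError):
        return SAMPLE_INSTANCES


if __name__ == "__main__":
    for f in audit(load_instances(sys.argv), default_network="prod-vpc"):
        print(f"{f['instance']}: public {f['public_ips'] or '(pending)'} -> "
              f"{f['remediation'] or 'no VPC given; configure private services access first'}")
```

Run it with a saved export (python audit_sql_ips.py instances.json) or with no argument in a shell that has gcloud authenticated; it prints the exact patch command for each non-compliant instance so the output can be reviewed before anything is changed. Instances that have neither a private network nor a supplied default VPC are reported without a command, because --no-assign-ip would leave them unreachable.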

Prevention:
To prevent new Cloud SQL instances from being created with public IP addresses, enforce the "Restrict Public IP access on Cloud SQL instances" organization policy constraint (constraints/sql.restrictPublicIp) at: https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp. Enforcing the constraint blocks new public-IP assignments; it does not remove public IPs from existing instances, which still need the remediation above.

Default Value:

By default, Cloud SQL instances are created with a public IP.

See Also

https://workbench.cisecurity.org/files/3817

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: GCP

Control ID: 9b9b1dec8203d3f591a0747d95142f1ae4065939bb68b19aecd4028d7684fc23