Detections
Analytics

Ensure That Cloud SQL Database Instances Do Not Implicitly Whitelist All Public IP Addresses

HIGH

Description

Description:

Database Server should accept connections only from trusted Network(s)/IP(s) and restrict access from public IP addresses.

Rationale:

To minimize attack surface on a Database server instance, only trusted/known and required IP(s) should be white-listed to connect to it.

An authorized network should not have IPs/networks configured to '0.0.0.0/0' which will allow access to the instance from anywhere in the world. Note that authorized networks apply only to instances with public IPs.

The Cloud SQL database instance would not be available to public IP addresses.

Remediation

From Google Cloud Console

  1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.

  2. Click the instance name to open its 'Instance details' page.

  3. Under the 'Configuration' section click 'Edit configurations'

  4. Under 'Configuration options' expand the 'Connectivity' section.

  5. Click the 'delete' icon for the authorized network '0.0.0.0/0'.

  6. Click 'Save' to update the instance.

From Google Cloud CLI

Update the authorized network list by dropping off any addresses.

gcloud sql instances patch --authorized-networks=IP_ADDR1,IP_ADDR2...

Prevention:

To prevent new SQL instances from being configured to accept incoming connections from any IP addresses, set up a 'Restrict Authorized Networks on Cloud SQL instances' Organization Policy at: https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks.

Policy Details

Rule Reference ID: AC_GCP_0003
CSP: GCP
Remediation Available: No
Domain: Infrastructure Security
Resource: google_sql_database_instance
Resource Category: Database
Resource Type: Cloud SQL

Frameworks