Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL

HIGH

Description

Description:

It is recommended to enforce all incoming connections to SQL database instance to use SSL.

Rationale:

SQL database connections if successfully trapped (MITM); can reveal sensitive data like credentials, database queries, query outputs etc.
For security, it is recommended to always use SSL encryption when connecting to your instance.
This recommendation is applicable for Postgresql, MySql generation 1, MySql generation 2 and SQL Server 2017 instances.

After enforcing SSL connection, existing client will not be able to communicate with SQL server unless configured with appropriate client-certificates to communicate to SQL database instance.

Remediation

From Google Cloud Console

Go to https://console.cloud.google.com/sql/instances.
Click on an instance name to see its configuration overview.
In the left-side panel, select 'Connections'.
In the 'SSL connections' section, click 'Allow only SSL connections'.
Under 'Configure SSL server certificates' click 'Create new certificate'.
Under 'Configure SSL client certificates' click 'Create a client certificate'.
Follow the instructions shown to learn how to connect to your instance.

From Google Cloud CLI

To enforce SSL encryption for an instance run the command:

gcloud sql instances patch --require-ssl

Note:
'RESTART' is required for type MySQL Generation 1 Instances ('backendType: FIRST_GEN') to get this configuration in effect.

Policy Details

Rule Reference ID: AC_GCP_0002

CSP: GCP

Remediation Available: Yes

Domain: Infrastructure Security

Resource: google_sql_database_instance

Resource Category: Database

Resource Type: Cloud SQL

Frameworks

CIS Google Cloud Platform Foundations v2.0.0 Level 1
CIS Google Cloud Platform Foundations v1.3.0 Level 1
CSCv8
NIST-800-53
NIST-800-171
NIST-CSF
GDPR
HIPAA
ISO-27001
CSCv7
PCI-DSSv4.0
CIS Google Cloud Platform Foundations v1.2.0 Level 1

Detections

Analytics