v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/gcp_compliance
Overview
12Dashboards
536Controls
201Queries
2Variables
GitHub

Control: 6.1.1 Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges

Description

It is recommended to set a password for the administrative user (root by default) to prevent unauthorized access to the SQL database instances. This recommendation is applicable only for MySQL Instances*. PostgreSQL does not offer any setting for No Password from the cloud console.

At the time of MySQL Instance creation, not providing an administrative password allows anyone to connect to the SQL database instance with administrative privileges. The root password should be set to ensure only authorized users have these privileges.

Remediation

From Console:

  1. Login to GCP console and navigate to Cloud SQL Instances.
  2. Select the instance to open its Overview page.
  3. From left navigation pane, select Users.
  4. Click the 3-dots icon for the user to be updated.
  5. Select Change password, specify a new password, and click OK.

From Command Line:

  1. Set a password to a MySql instance:
gcloud sql users set-password [USER_NAME] [HOST] --instance=[INSTANCE_NAME] - -password=[PASSWORD]
  1. A prompt will appear, requiring the user to enter a password:
Instance Password:
  1. With a successful password configured, the following message should be seen:
Updating Cloud SQL user...done.

Usage

Run the control in your terminal:

powerpipe control run gcp_compliance.control.cis_v130_6_1_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run gcp_compliance.control.cis_v130_6_1_1 --share

SQL

This control uses a named query:

manual_control

Tags

benchmark = cis
category = Compliance
cis_item_id = 6.1.1
cis_level = 1
cis_section_id = 6.1
cis_type = automated
cis_version = v1.3.0
plugin = gcp
service = GCP/SQL