Control: 6.5 Ensure That Cloud SQL Database Instances Do Not Implicitly Whitelist All Public IP Addresses
Description
Database Server should accept connections only from trusted Network(s)/IP(s) and restrict access from the world.
To minimize attack surface on a Database server instance, only trusted/known and required IP(s) should be white-listed to connect to it.
An authorized network should not have IPs/networks configured to 0.0.0.0/0
which will allow access to the instance from anywhere in the world. Note that authorized networks apply only to instances with public IPs.
Remediation
From Console
- Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.
- Click the instance name to open its
Instance details
page. - Under the
Configuration
section clickEdit configurations
- Under
Configuration options
expand theConnectivity
section. - Click the
delete
icon for the authorized network0.0.0.0/0
. - Click
Save
to update the instance.
From Command Line
Update the authorized network list by dropping off any addresses
gcloud sql instances patch INSTANCE_NAME --authorizednetworks=IP_ADDR1,IP_ADDR2,...
Prevention
To prevent new SQL instances from being configured to accept incoming connections from any IP addresses, set up a Restrict Authorized Networks on Cloud SQL instances
Organization Policy at: https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks.
Default Value
By default, authorized networks are not configured. Remote connection to Cloud SQL database instance is not possible unless authorized networks are configured.
Usage
Run the control in your terminal:
powerpipe control run gcp_compliance.control.cis_v200_6_5
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run gcp_compliance.control.cis_v200_6_5 --share
SQL
This control uses a named query:
sql_instance_not_open_to_internet