turbot/gcp_compliance

Control: 6.5 Ensure That Cloud SQL Database Instances Do Not Implicitly Whitelist All Public IP Addresses

Description

Database Server should accept connections only from trusted Network(s)/IP(s) and restrict access from the world.

To minimize attack surface on a Database server instance, only trusted/known and required IP(s) should be white-listed to connect to it.

An authorized network should not have IPs/networks configured to 0.0.0.0/0 which will allow access to the instance from anywhere in the world. Note that authorized networks apply only to instances with public IPs.

Remediation

From Console

  1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.
  2. Click the instance name to open its Instance details page.
  3. Under the Configuration section click Edit configurations
  4. Under Configuration options expand the Connectivity section.
  5. Click the delete icon for the authorized network 0.0.0.0/0.
  6. Click Save to update the instance.

From Command Line

Update the authorized network list by dropping off any addresses

gcloud sql instances patch INSTANCE_NAME --authorizednetworks=IP_ADDR1,IP_ADDR2,...

Prevention

To prevent new SQL instances from being configured to accept incoming connections from any IP addresses, set up a Restrict Authorized Networks on Cloud SQL instances Organization Policy at: https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks.

Default Value

By default, authorized networks are not configured. Remote connection to Cloud SQL database instance is not possible unless authorized networks are configured.

Usage

Run the control in your terminal:

powerpipe control run gcp_compliance.control.cis_v200_6_5

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run gcp_compliance.control.cis_v200_6_5 --share

SQL

This control uses a named query:

sql_instance_not_open_to_internet

Tags