Control: 6.6 Ensure that Cloud SQL database instances do not have public IPs
Description
It is recommended to configure Second Generation SQL instance to use private IPs instead of public IPs.
To lower the organization's attack surface, Cloud SQL databases should not have public IPs. Private IPs provide improved network security and lower latency for your application.
Remediation
From Console
- Go to the Cloud SQL Instances page in the Google Cloud Console: https://console.cloud.google.com/sql/instances
- Click the instance name to open its Instance details page.
- Select the
Connections
tab. - Deselect the
Public IP
checkbox. - Click
Save
to update the instance.
From Command Line
- For every instance remove its public IP and assign a private IP instead:
gcloud beta sql instances patch INSTANCE_NAME --network=VPC_NETWOR_NAME --noassign-ip
- Confirm the changes using the following command:
gcloud sql instances describe INSTANCE_NAME
Prevention
To prevent new SQL instances from getting configured with public IP addresses, set up a Restrict Public IP access on Cloud SQL instances
Organization policy at: https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp.
Default Value
By default, Cloud SQL instances have a public IP.
Usage
Run the control in your terminal:
powerpipe control run gcp_compliance.control.cis_v200_6_6
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run gcp_compliance.control.cis_v200_6_6 --share
SQL
This control uses a named query:
sql_instance_with_no_public_ips