turbot/gcp_compliance

Control: 6.1.1 Ensure That a MySQL Database Instance Does Not Allow Anyone To Connect With Administrative Privileges

Description

It is recommended to set a password for the administrative user (root by default) to prevent unauthorized access to the SQL database instances.

This recommendation is applicable only for MySQL Instances. PostgreSQL does not offer any setting for No Password from the cloud console.

At the time of MySQL Instance creation, not providing an administrative password allows anyone to connect to the SQL database instance with administrative privileges. The root password should be set to ensure only authorized users have these privileges.

Remediation

From Console

  1. Go to the Cloud SQL Instances page in the Google Cloud Platform Console using https://console.cloud.google.com/sql/.
  2. Select the instance to open its Overview page.
  3. Select Access Control > Users.
  4. Click the More actions icon for the user to be updated.
  5. Select Change password, specify a New password, and click OK.

From Command Line

  1. Set a password to a MySql instance:
gcloud sql users set-password root --host=<host> --instance=<instance_name> --prompt-for-password
  1. A prompt will appear, requiring the user to enter a password:
Instance Password:
  1. With a successful password configured, the following message should be seen:
Updating Cloud SQL user...done.

Default Value

From the Google Cloud Platform Console, the Create Instance workflow enforces the rule to enter the root password unless the option No Password is selected explicitly.

Usage

Run the control in your terminal:

powerpipe control run gcp_compliance.control.cis_v300_6_1_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run gcp_compliance.control.cis_v300_6_1_1 --share

SQL

This control uses a named query:

manual_control

Tags