Control: 6.1.1 Ensure That a MySQL Database Instance Does Not Allow Anyone To Connect With Administrative Privileges
Description
It is recommended to set a password for the administrative user (root by default) to prevent unauthorized access to the SQL database instances.
This recommendation is applicable only for MySQL Instances. PostgreSQL does not offer any setting for No Password from the cloud console.
At the time of MySQL Instance creation, not providing an administrative password allows anyone to connect to the SQL database instance with administrative privileges. The root password should be set to ensure only authorized users have these privileges.
Remediation
From Console
- Go to the Cloud SQL Instances page in the Google Cloud Platform Console using https://console.cloud.google.com/sql/.
- Select the instance to open its Overview page.
- Select Access Control > Users.
- Click the More actions icon for the user to be updated.
- Select Change password, specify a New password, and click OK.
From Command Line
- Set a password on a MySQL instance:
gcloud sql users set-password root --host=<host> --instance=<instance_name> --prompt-for-password
- A prompt will appear, requiring the user to enter a password:
Instance Password:
- With a successful password configured, the following message should be seen:
Updating Cloud SQL user...done.
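To apply the command-line remediation across a whole project, the following added example (not part of the benchmark text or the Powerpipe mod) enumerates the root accounts on every MySQL instance and prints the set-password command to run for each one. The function names plan_root_resets, audit_project and sample_rows, the instance name demo-instance and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: plan root password resets for MySQL Cloud SQL instances.
# Commands are printed, not executed, because --prompt-for-password is interactive.

# Read "name,host" CSV rows on stdin, the shape produced by
#   gcloud sql users list --instance=X --format='csv[no-heading](name,host)'
# and print one set-password command per root account on instance $1.
plan_root_resets() {
  instance=$1
  while IFS=, read -r name host; do
    [ "$name" = "root" ] || continue          # only the administrative user
    if [ -z "$host" ]; then
      # No host reported: do not guess one, leave it for manual review.
      printf '# REVIEW: root on %s has no host value listed\n' "$instance"
      continue
    fi
    printf "gcloud sql users set-password root --host='%s' --instance='%s' --prompt-for-password\n" \
      "$host" "$instance"
  done
}

# Walk every MySQL instance in the active project (needs an authenticated gcloud).
audit_project() {
  gcloud sql instances list --filter='databaseVersion~^MYSQL' --format='value(name)' |
  while read -r inst; do
    gcloud sql users list --instance="$inst" --format='csv[no-heading](name,host)' |
      plan_root_resets "$inst"
  done
}

# Constructed sample rows for an offline dry run (not real accounts).
sample_rows() {
  printf '%s\n' 'root,%' 'app_user,%' 'root,10.0.0.5' 'root,'
}

# Run against the live project only when asked to: sh script.sh --project
if [ "${1:-}" = "--project" ]; then audit_project; fi
```

For an offline dry run, call sample_rows | plan_root_resets demo-instance. Each root@host pair is a separate account, so every printed command has to be run.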
Default Value
From the Google Cloud Platform Console, the Create Instance workflow enforces the rule to enter the root password unless the option No Password is selected explicitly.
Usage
Run the control in your terminal:
powerpipe control run gcp_compliance.control.cis_v300_6_1_1
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run gcp_compliance.control.cis_v300_6_1_1 --share
SQL
This control uses a named query:
manual_control