
Control: 6.2.8 Ensure that the 'log_min_duration_statement' database flag for Cloud SQL PostgreSQL instance is set to '-1' (disabled)


The log_min_duration_statement flag defines the minimum amount of execution time of a statement in milliseconds where the total duration of the statement is logged. Ensure that log_min_duration_statement is disabled, i.e., a value of -1 is set.

Logging SQL statements may include sensitive information that should not be recorded in logs. This recommendation is applicable to PostgreSQL database instances.


From Console:

  1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.
  2. Select the PostgreSQL instance where the database flag needs to be enabled.
  3. Click Edit.
  4. Scroll down to the Flags section.
  5. To set a flag that has not been set on the instance before, click Add item, choose the flag log_min_duration_statement from the drop-down menu and set a value of -1.
  6. Click Save.
  7. Confirm the changes under Flags on the Overview page.

From Command Line:

  1. List all Cloud SQL database instances using the following command:
gcloud sql instances list
  1. Configure the log_min_duration_statement flag for every Cloud SQL PosgreSQL database instance using the below command:
gcloud sql instances patch <INSTANCE_NAME> --database-flags log_min_duration_statement=-1

Note: This command will overwrite all database flags previously set. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ("=").


Run the control in your terminal:

powerpipe control run gcp_compliance.control.cis_v130_6_2_8

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run gcp_compliance.control.cis_v130_6_2_8 --share


This control uses a named query:

self_link resource,
when database_version not like 'POSTGRES%' then 'skip'
when database_flags @> '[{"name":"log_min_duration_statement","value":"-1"}]' then 'ok'
else 'alarm'
end as status,
when database_version not like 'POSTGRES%'
then title || ' not a PostgreSQL database.'
when database_flags is null or not (database_flags @> '[{"name":"log_min_duration_statement"}]')
then title || ' ''log_min_duration_statement'' database flag not set.'
when database_flags @> '[{"name":"log_min_duration_statement","value":"-1"}]'
then title || ' ''log_min_duration_statement'' database flag disabled.'
else title || ' ''log_min_duration_statement'' database flag enabled.'
end as reason
, location as location, project as project
