Control: 6.4 Ensure that the Cloud SQL database instance requires all incoming connections to use SSL

Description

It is recommended to enforce all incoming connections to SQL database instance to use SSL.

SQL database connections if successfully trapped (MITM); can reveal sensitive data like credentials, database queries, query outputs etc. For security, it is recommended to always use SSL encryption when connecting to your instance.

Remediation

This recommendation is applicable for PostgreSQL, MySQL generation 1, MySQL generation 2 and SQL Server 2017 instances.

From Console

Login in to Cloud SQL Instances
Click on an instance name to see its configuration overview.
In the left-side panel, select Connections.
In the SSL encryption section, click Allow only SSL connections.
Under Manage server certificates click Create new certificate.
Under Manage client certificates click Create a client certificate.
Follow the instructions shown to learn how to connect to your instance.

From Command Line

To enforce SSL encryption for an instance run the command:

gcloud sql instances patch INSTANCE_NAME --require-ssl

Usage

Run the control in your terminal:

powerpipe control run gcp_compliance.control.cis_v130_6_4

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run gcp_compliance.control.cis_v130_6_4 --share

SQL

This control uses a named query:

select
  self_link resource,
  case
    when ip_configuration -> 'requireSsl' is null then 'alarm'
    else 'ok'
  end as status,
  case
    when ip_configuration -> 'requireSsl' is null
      then title || ' does not enforce SSL connections.'
    else title || ' enforces SSL connections.'
  end as reason
  
  , location as location, project as project
from
  gcp_sql_database_instance;