turbot/steampipe-mod-gcp-compliance

Control: 6.5 Ensure That Cloud SQL Database Instances Do Not Implicitly Whitelist All Public IP Addresses

Description

A database server should accept connections only from trusted networks/IPs and must not be reachable from the whole internet.

To minimize the attack surface of a database server instance, only trusted, known and required IPs should be white-listed to connect to it.

An authorized network should not have IPs/networks configured to 0.0.0.0/0 which will allow access to the instance from anywhere in the world. Note that authorized networks apply only to instances with public IPs.

Remediation

This recommendation is applicable for PostgreSQL, MySQL generation 1, MySQL generation 2 and SQL Server 2017 instances.

From Console

  1. Log in to Cloud SQL Instances.
  2. Select the SQL Server instance to open its details page.
  3. Go to the Configuration section.
  4. Click Edit Configurations.
  5. In the edit page, navigate to the Flags and Parameters section.
  6. Under Configuration options, expand the Connections section.
  7. Click the delete icon for the authorized network 0.0.0.0/0.
  8. Click Save to update the instance.

From Command Line

Update the authorized network list so that it contains only the trusted addresses, dropping any entry (such as 0.0.0.0/0) that admits the whole internet (the flag is --authorized-networks):

gcloud sql instances patch INSTANCE_NAME --authorized-networks=IP_ADDR1,IP_ADDR2,...

Note: By default, authorized networks are not configured. Remote connection to a Cloud SQL database instance is not possible unless authorized networks are configured.

Usage

Run the control in your terminal:

powerpipe control run gcp_compliance.control.cis_v130_6_5

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run gcp_compliance.control.cis_v130_6_5 --share

SQL

This control uses a named query:

select
  self_link as resource,
  case
    when exists (
      select 1
      from jsonb_array_elements(ip_configuration -> 'authorizedNetworks') as authNet
      where authNet ->> 'value' = '0.0.0.0/0' or authNet ->> 'value' = '::/0'
    ) then 'alarm'
    else 'ok'
  end as status,
  case
    when exists (
      select 1
      from jsonb_array_elements(ip_configuration -> 'authorizedNetworks') as authNet
      where authNet ->> 'value' = '0.0.0.0/0' or authNet ->> 'value' = '::/0'
    ) then title || ' is open to the internet.'
    else title || ' is not open to the internet.'
  end as reason,
  location as location,
  project as project
from
  gcp_sql_database_instance;
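The following Python is an added example, not part of this mod or of Steampipe: it applies the same test as the query above to constructed `gcloud sql instances describe --format=json` output (the instance names and addresses are made up) and derives the `gcloud sql instances patch` command from the Remediation section. It goes slightly beyond the query's exact string match by parsing each entry as a network, so spellings such as `::0/0` are also caught, and it carries the description's caveat that authorized networks only matter on instances with a public IP. The `--clear-authorized-networks` flag used when no trusted entry remains is a real gcloud flag but is not mentioned on this page.

```python
import ipaddress
import json

# Constructed sample: the `settings.ipConfiguration` part of four Cloud SQL
# instances, in the shape `gcloud sql instances describe --format=json` returns
# (names and addresses are invented for this example).
SAMPLE_INSTANCES = json.loads("""
[
  {"name": "prod-pg", "settings": {"ipConfiguration": {"ipv4Enabled": true,
     "authorizedNetworks": [{"name": "office", "value": "203.0.113.0/24"},
                            {"name": "any", "value": "0.0.0.0/0"}]}}},
  {"name": "prod-mysql", "settings": {"ipConfiguration": {"ipv4Enabled": true,
     "authorizedNetworks": [{"name": "v6-any", "value": "::0/0"}]}}},
  {"name": "private-only", "settings": {"ipConfiguration": {"ipv4Enabled": false,
     "authorizedNetworks": [{"name": "any", "value": "0.0.0.0/0"}]}}},
  {"name": "locked-down", "settings": {"ipConfiguration": {"ipv4Enabled": true,
     "authorizedNetworks": [{"name": "office", "value": "203.0.113.0/24"}]}}}
]
""")

# The two ranges the control's SQL tests for: all of IPv4 and all of IPv6.
OPEN_TO_WORLD = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}


def ip_configuration(instance):
    return instance.get("settings", {}).get("ipConfiguration", {})


def authorized_networks(instance):
    return ip_configuration(instance).get("authorizedNetworks", [])


def is_open_network(value):
    """True when an authorizedNetworks entry admits every address."""
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return False  # malformed entry: not "open", but worth a separate finding
    return net in OPEN_TO_WORLD


def evaluate(instance):
    """Mirror the control: 'alarm' if any entry is 0.0.0.0/0 or ::/0, else 'ok'.

    public_ip records the description's caveat: authorized networks apply only
    to instances with a public (ipv4Enabled) address.
    """
    open_entries = [n["value"] for n in authorized_networks(instance)
                    if is_open_network(n["value"])]
    status = "alarm" if open_entries else "ok"
    reason = "%s is %sopen to the internet." % (
        instance["name"], "" if open_entries else "not ")
    return {
        "resource": instance["name"],
        "status": status,
        "reason": reason,
        "public_ip": bool(ip_configuration(instance).get("ipv4Enabled")),
        "open_entries": open_entries,
    }


def remediation_command(instance):
    """gcloud command that keeps only the non-open entries; None if nothing to change."""
    current = [n["value"] for n in authorized_networks(instance)]
    kept = [v for v in current if not is_open_network(v)]
    if len(kept) == len(current):
        return None
    if not kept:
        # Nothing trusted remains: clear the list entirely (flag not on the page).
        return "gcloud sql instances patch %s --clear-authorized-networks" % instance["name"]
    return "gcloud sql instances patch %s --authorized-networks=%s" % (
        instance["name"], ",".join(kept))


if __name__ == "__main__":
    for inst in SAMPLE_INSTANCES:
        result = evaluate(inst)
        print(result["status"].upper(), result["reason"],
              "(no public IP)" if not result["public_ip"] else "")
        cmd = remediation_command(inst)
        if cmd:
            print("  remediate:", cmd)
```

Running it prints one line per instance with the same status and reason text the query produces, plus the patch command for the two instances that need one; the private-only instance is still flagged, matching the control, but the output notes it has no public IP so the open entry is not currently reachable.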

Tags