Control: 6.6 Ensure that Cloud SQL database instances do not have public IPs

Description

It is recommended to configure Second Generation SQL instance to use private IPs instead of public IPs.

To lower the organization's attack surface, Cloud SQL databases should not have public IPs. Private IPs provide improved network security and lower latency for your application.

Remediation

This recommendation is applicable for PostgreSQL, MySQL generation 1, MySQL generation 2 and SQL Server 2017 instances.

From Console

Login in to Cloud SQL Instances
Select the SQL Server instance to open details page.
Select the Connections tab.
Deselect the Public IP checkbox.
Click Save to update the instance.

From Command Line

For every instance remove its public IP and assign a private IP instead:

gcloud beta sql instances patch INSTANCE_NAME --network=VPC_NETWOR_NAME --noassign-ip

Confirm the changes using the following command:

gcloud sql instances describe INSTANCE_NAME

Note: By default, Cloud SQL instances have a public IP.

Usage

Run the control in your terminal:

powerpipe control run gcp_compliance.control.cis_v130_6_6

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run gcp_compliance.control.cis_v130_6_6 --share

SQL

This control uses a named query:

select
  self_link resource,
  case
    when ip_addresses @> '[{"type": "PRIMARY"}]' and backend_type = 'SECOND_GEN' then 'alarm'
    else 'ok'
  end as status,
  case
    when ip_addresses @> '[{"type": "PRIMARY"}]' and backend_type = 'SECOND_GEN'
      then title || ' associated with public IPs.'
    else title || ' not associated with public IPs.'
  end as reason
  
  , location as location, project as project
from
  gcp_sql_database_instance;