Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-gcp-compliance
Overview
14Dashboards
621Benchmarks
202Queries
2Variables
GitHub

Control: 6.5 Ensure That Cloud SQL Database Instances Do Not Implicitly Whitelist All Public IP Addresses

Description

Database Server should accept connections only from trusted Network(s)/IP(s) and restrict access from public IP addresses.

To minimize attack surface on a Database server instance, only trusted/known and required IP(s) should be white-listed to connect to it.

An authorized network should not have IPs/networks configured to 0.0.0.0/0 which will allow access to the instance from anywhere in the world. Note that authorized networks apply only to instances with public IPs.

Remediation

From Google Cloud Console

  1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.

  2. Click the instance name to open its Instance details page.

  3. Under the Configuration section click Edit configurations.

  4. Under Configuration options expand the Connectivity section.

  5. Click the delete icon for the authorized network 0.0.0.0/0.

  6. Click Save to update the instance.

From Google Cloud CLI

Update the authorized network list by dropping off any addresses.

gcloud sql instances patch <INSTANCE_NAME> --authorized-networks=IP_ADDR1,IP_ADDR2...

Prevention:

To prevent new SQL instances from being configured to accept incoming connections from any IP addresses, set up a Restrict Authorized Networks on Cloud SQL instances Organization Policy at: https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks.

Default Value

By default, authorized networks are not configured. Remote connection to Cloud SQL database instance is not possible unless authorized networks are configured.

Usage

Run the control in your terminal:

powerpipe control run gcp_compliance.control.cis_v400_6_5

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run gcp_compliance.control.cis_v400_6_5 --share

SQL

This control uses a named query:

select
  self_link as resource,
  case
    when exists (
      select 1
      from jsonb_array_elements(ip_configuration -> 'authorizedNetworks') as authNet
      where authNet ->> 'value' = '0.0.0.0/0' or authNet ->> 'value' = '::/0'
    ) then 'alarm'
    else 'ok'
  end as status,
  case
    when exists (
      select 1
      from jsonb_array_elements(ip_configuration -> 'authorizedNetworks') as authNet
      where authNet ->> 'value' = '0.0.0.0/0' or  authNet ->> 'value' = '::/0'
    ) then title || ' is open to the internet.'
    else title || ' is not open to the internet.'
  end as reason
  
  , location as location, project as project
from
  gcp_sql_database_instance;

Tags

benchmark = cis
category = Compliance
cis_item_id = 6.5
cis_level = 1
cis_section_id = 6
cis_type = automated
cis_version = v4.0.0
plugin = gcp
service = GCP