Powerpipe Detection Mods →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-gcp-compliance
Overview
12Dashboards
536Benchmarks
201Queries
2Variables
GitHub

Control: Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off'

Description

It is recommended to set contained database authentication database flag for Cloud SQL on the SQL Server instance is set to off.

Usage

Run the control in your terminal:

powerpipe control run gcp_compliance.control.sql_instance_sql_contained_database_authentication_database_flag_off

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run gcp_compliance.control.sql_instance_sql_contained_database_authentication_database_flag_off --share

SQL

This control uses a named query:

select
  self_link resource,
  case
    when database_version not like 'SQLSERVER%' then 'skip'
    when database_flags @> '[{"name":"contained database authentication","value":"off"}]' then 'ok'
    else 'alarm'
  end as status,
  case
    when database_version not like 'SQLSERVER%'
      then title || ' not a SQL Server database.'
    when database_flags is null or not (database_flags @> '[{"name":"contained database authentication"}]')
      then title || ' ''contained database authentication'' not set.'
    when database_flags @> '[{"name":"contained database authentication","value":"off"}]'
      then title || ' ''contained database authentication'' database flag set to ''off''.'
    else title || ' ''contained database authentication'' database flag set to ''on''.'
  end as reason
  
  , location as location, project as project
from
  gcp_sql_database_instance;

Tags

category = Compliance
hipaa = true
nist_800_53_rev_5 = true
nist_csf_v10 = true
plugin = gcp
service = GCP/SQL
soc_2_2017 = true