Control: 6.4 Ensure that the Cloud SQL database instance requires all incoming connections to use SSL
Description
It is recommended to enforce all incoming connections to SQL database instance to use SSL.
SQL database connections if successfully trapped (MITM); can reveal sensitive data like credentials, database queries, query outputs etc. For security, it is recommended to always use SSL encryption when connecting to your instance. This recommendation is applicable for Postgresql, MySql generation 1, MySql generation 2 and SQL Server 2017 instances.
Remediation
From Console
- Go to https://console.cloud.google.com/sql/instances.
- Click on an instance name to see its configuration overview.
- In the left-side panel, select
Connections. - In the
SSL connectionssection,clickAllow only SSL connections. - Under
Configure SSL server certificatesclickCreate new certificate. - Under
Configure SSL client certificatesclickCreate a client certificate. - Follow the instructions shown to learn how to connect to your instance.
From Command Line
- To enforce SSL encryption for an instance run the command:
gcloud sql instances patch INSTANCE_NAME --require-ssl
Note:RESTART is required for type MySQL Generation 1 Instances (backendType: FIRST_GEN) to get this configuration in effect.
Default Value
By default parameter settings: ipConfiguration: requireSsl is not set which is equivalent to requireSsl:false.
Usage
Run the control in your terminal:
powerpipe control run gcp_compliance.control.cis_v200_6_4Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run gcp_compliance.control.cis_v200_6_4 --shareSQL
This control uses a named query:
select self_link resource, case when ip_configuration ->> 'sslMode' = 'ENCRYPTED_ONLY' then 'ok' else 'alarm' end as status, case when ip_configuration ->> 'sslMode' = 'ENCRYPTED_ONLY' then title || ' enforces SSL connections.' else title || ' does not enforce SSL connections.' end as reason , location as location, project as projectfrom gcp_sql_database_instance;