Benchmark: SQL
Description
This benchmark provides a set of controls that detect Terraform GCP Cloud SQL resources deviating from security best practices.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-terraform-gcp-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select SQL.
Run this benchmark in your terminal:
powerpipe benchmark run terraform_gcp_compliance.benchmark.sql
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run terraform_gcp_compliance.benchmark.sql --share
Controls
- Ensure that Cloud SQL database instances are configured with automated backups
- Ensure that the 'local_infile' database flag for a Cloud SQL Mysql instance is set to 'off'
- Ensure 'skip_show_database' database flag for Cloud SQL Mysql instance is set to 'on'
- Ensure that the 'log_checkpoints' database flag for Cloud SQL PostgreSQL instance is set to 'on'
- Ensure that the 'log_connections' database flag for Cloud SQL PostgreSQL instance is set to 'on'
- Ensure that the 'log_disconnections' database flag for Cloud SQL PostgreSQL instance is set to 'on'
- Ensure 'log_duration' database flag for Cloud SQL PostgreSQL instance is set to 'on'
- Ensure 'log_executor_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'
- Ensure 'log_hostname' database flag for Cloud SQL PostgreSQL instance is set appropriately
- Ensure that the 'log_lock_waits' database flag for Cloud SQL PostgreSQL instance is set to 'on'
- Ensure that the 'log_min_duration_statement' database flag for Cloud SQL PostgreSQL instance is set to '-1' (disabled)
- GCP SQL PostgreSQL instance should have log_min_error_statement database flag set to ERROR or lower
- GCP SQL PostgreSQL instance should have log_min_messages database flag set to a valid value
- Ensure 'log_parser_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'
- Ensure 'log_planner_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'
- GCP SQL PostgreSQL instance should log SQL statements
- Ensure 'log_statement_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'
- Ensure that the 'log_temp_files' database flag for Cloud SQL PostgreSQL instance is set to '0'
- GCP SQL PostgreSQL instance should have pgaudit database flag set to 'on'
- GCP SQL instance should not be publicly accessible
- Ensure that the Cloud SQL database instance requires all incoming connections to use SSL
- Ensure '3625 (trace flag)' database flag for Cloud SQL SQL Server instance is set to 'off'
- Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off'
- Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off'
- Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'
- Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off'
- Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured
- GCP SQL instance should not have public IP address
- GCP SQL instance should be using latest major database version
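As an added illustration, not part of the mod or this page: a constructed Terraform `google_sql_database_instance` that would fail several of the controls above, followed by the same instance hardened to satisfy them. `var.vpc_self_link` is an assumed variable supplying the VPC self link used for private IP, and the database version should be whatever major version is current when you apply it.

```hcl
# Constructed example: a PostgreSQL instance that fails several of the controls above.
resource "google_sql_database_instance" "weak" {
  name             = "weak-pg"
  database_version = "POSTGRES_9_6"      # not the latest major version
  region           = "us-central1"
  settings {
    tier = "db-f1-micro"
    ip_configuration {
      ipv4_enabled = true                # public IP address assigned
      require_ssl  = false               # unencrypted client connections accepted
      authorized_networks {
        name  = "anyone"
        value = "0.0.0.0/0"              # instance is publicly accessible
      }
    }
    backup_configuration {
      enabled = false                    # no automated backups
    }
    # no database_flags block: log_connections, log_disconnections and pgaudit stay unset
  }
}
# Constructed example: the same instance hardened so the controls above pass.
resource "google_sql_database_instance" "hardened" {
  name             = "hardened-pg"
  database_version = "POSTGRES_16"       # use the latest major version available
  region           = "us-central1"
  settings {
    tier = "db-f1-micro"
    ip_configuration {
      ipv4_enabled    = false            # private IP only, no public address
      private_network = var.vpc_self_link # assumed variable holding the VPC self link
      require_ssl     = true             # all incoming connections must use SSL
    }
    backup_configuration {
      enabled = true                     # automated backups on
    }
    database_flags {
      name  = "log_connections"
      value = "on"
    }
    database_flags {
      name  = "log_disconnections"
      value = "on"
    }
    database_flags {
      name  = "cloudsql.enable_pgaudit"  # Cloud SQL flag that turns on pgaudit
      value = "on"
    }
  }
}
```

Running the benchmark against a directory containing the first resource surfaces alarms for backups, public IP, public accessibility, SSL, database version and the unset logging flags; the second resource clears them.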