Detection: SQL SSL Certificate Deleted

Overview

Detect when an SQL SSL certificate was deleted. Unauthorized or accidental deletions can weaken database security and expose resources to potential threats. Monitoring these actions ensures secure database configurations and compliance with security policies.

References:

Usage

Run the detection in your terminal:

powerpipe detection run gcp_audit_log_detections.detection.sql_ssl_certificate_deleted

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe detection run gcp_audit_log_detections.detection.sql_ssl_certificate_deleted --share

SQL

This detection uses a named query:

select
  tp_timestamp as timestamp,
method_name as operation,
resource_name as resource,
authentication_info.principal_email as actor,
tp_source_ip as source_ip,
tp_index as project,
tp_id as source_id,
-- Create new aliases to preserve original row data
operation as operation_src,
resource as resource_src,
*
exclude operation, resource

from
  gcp_audit_log
where
  method_name ilike 'cloudsql.sslCerts.delete'
  and severity != 'Error'
-- TODO: Do we need to check operation?
-- and (operation_src is null or operation_src.last = true)

order by
  timestamp desc;

Detection: SQL SSL Certificate Deleted

Overview

Usage

SQL

Tags