
GCP SQL database is publicly accessible

Description

Cloud SQL is a fully managed relational database service for MySQL, PostgreSQL, and SQL Server. It offers encryption of data at rest and in transit, private connectivity through a VPC, and user-controlled network access with firewall protection. It is possible to configure a Cloud SQL instance with a public IPv4 address. This means the instance can accept connections from specific IP addresses, or ranges of addresses, that you add as authorized networks on the instance. We do not recommend this option. We recommend you ensure Cloud SQL database instances are not publicly accessible, to help protect them from attackers scanning the internet for exposed databases.

Code Example

shell

# Attach the instance to a VPC network and remove its public IPv4 address
gcloud --project=[PROJECT_ID] beta sql instances patch [INSTANCE_ID] \
    --network=[VPC_NETWORK_NAME] \
    --no-assign-ip

Remediation

  • GCP Console

To change the policy using the GCP Console, follow these steps:

1. Log in to the GCP Console at https://console.cloud.google.com.
2. Navigate to the Cloud SQL Instances page.
3. Click the instance name to open its Overview page.
4. Select the Connections tab.
5. Select the Private IP checkbox.
6. A drop-down list shows the available networks in your project. If your project is the service project of a Shared VPC, VPC networks from the host project are also shown.
7. If you have configured private services access:
   a. Select the VPC network you want to use.
   b. A drop-down shows the IP address range you allocated.
   c. Click Connect.
   d. Click Save.
8. To let Cloud SQL allocate an IP address for you:
   a. Select the default VPC network.
   b. Click Allocate and connect.
   c. Click Save.

  • CLI Command

Run the command shown under Code Example. VPC_NETWORK_NAME is the name of your chosen VPC network, for example: my-vpc-network. The --network parameter value has the format https://www.googleapis.com/compute/alpha/projects/[PROJECT_ID]/global/networks/[VPC_NETWORK_NAME]

Rule Details

Field        Value
ID           IAC-0871
Severity     HIGH
IaC Type     Terraform
Frameworks   Terraform, TerraformPlan
Checkov ID   CKV_GCP_11
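The check this rule describes, written out as an added example (it is not Checkov's implementation of CKV_GCP_11 and not Google's code): it reads the JSON that `terraform show -json` produces for a plan, the "TerraformPlan" framework listed above, and flags every google_sql_database_instance whose ip_configuration leaves a public IPv4 address enabled, noting separately when an authorized network of 0.0.0.0/0 opens that address to any source. The two instances in the embedded plan are constructed for the example; the resource addresses, project and network names are placeholders. Treating a missing ipv4_enabled attribute as public follows the google provider's default and is an assumption to verify against your provider version.

```python
"""Flag planned Cloud SQL instances that would receive a public IPv4 address.

Added example applying the rule on this page to Terraform plan JSON; it is
not Checkov's own implementation of CKV_GCP_11.
"""
import json

SQL_INSTANCE_TYPE = "google_sql_database_instance"


def _first_block(values, key):
    """Nested HCL blocks appear as lists in plan JSON; return the first one."""
    blocks = values.get(key) or []
    return blocks[0] if blocks else {}


def check_instance(resource):
    """Return a (status, reason) tuple for one planned resource.

    Assumption: the provider enables the public IPv4 address when
    ipv4_enabled is omitted, so a missing attribute is treated as public.
    """
    values = resource.get("values") or {}
    ip_cfg = _first_block(_first_block(values, "settings"), "ip_configuration")
    if ip_cfg.get("ipv4_enabled", True):
        reason = "public IPv4 address enabled"
        open_to_world = any(
            net.get("value") == "0.0.0.0/0"
            for net in ip_cfg.get("authorized_networks") or []
        )
        if open_to_world:
            reason += "; authorized network 0.0.0.0/0 allows any source"
        return "FAILED", reason
    network = ip_cfg.get("private_network") or "(no private network set)"
    return "PASSED", f"no public IP; private connectivity via {network}"


def _iter_resources(module):
    """Yield resources from a plan module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _iter_resources(child)


def scan_plan(plan):
    """Return [(address, status, reason)] for every Cloud SQL instance in the plan."""
    root = plan.get("planned_values", {}).get("root_module", {})
    findings = []
    for res in _iter_resources(root):
        if res.get("type") != SQL_INSTANCE_TYPE:
            continue
        status, reason = check_instance(res)
        findings.append((res["address"], status, reason))
    return findings


def scan_plan_file(path):
    """Scan the output of `terraform show -json plan.tfplan` saved to a file."""
    with open(path, encoding="utf-8") as fh:
        return scan_plan(json.load(fh))


# Constructed sample plan: one weak and one hardened instance (placeholder names).
SAMPLE_PLAN = json.loads("""
{
  "format_version": "1.2",
  "planned_values": {
    "root_module": {
      "resources": [
        {
          "address": "google_sql_database_instance.weak",
          "type": "google_sql_database_instance",
          "values": {
            "name": "weak-db",
            "settings": [{
              "ip_configuration": [{
                "ipv4_enabled": true,
                "authorized_networks": [{"name": "anywhere", "value": "0.0.0.0/0"}]
              }]
            }]
          }
        },
        {
          "address": "google_sql_database_instance.hardened",
          "type": "google_sql_database_instance",
          "values": {
            "name": "hardened-db",
            "settings": [{
              "ip_configuration": [{
                "ipv4_enabled": false,
                "private_network": "projects/example-project/global/networks/my-vpc-network"
              }]
            }]
          }
        }
      ]
    }
  }
}
""")


if __name__ == "__main__":
    for address, status, reason in scan_plan(SAMPLE_PLAN):
        print(f"{status:6} {address}: {reason}")
```

Running the module prints one line per instance; the weak instance fails because its public address is enabled and, additionally, because 0.0.0.0/0 is authorized, while the hardened instance passes with its private network named. The recursive module walk matters in practice because Cloud SQL instances are commonly declared inside reusable modules rather than at the root.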
