
GCP Cloud SQL database instances have public IPs

Description

To lower the organization's attack surface, Cloud SQL databases should not have public IPs. An instance with a public IP is reachable from the internet, so only the authorized-networks list, database credentials and TLS settings stand between it and an attacker. A private IP keeps the instance reachable only from the VPC it is peered with (via Private Services Access), which also gives lower latency for your application. We recommend you configure Second Generation SQL instances to use private IPs instead of public IPs. Note that an instance must have at least one address: before you disable the public IP, the instance needs a private network configured, otherwise the change is rejected.

Code Example

```hcl
resource "google_sql_database_instance" "default" {
  name             = "master-instance"
  database_version = "SQLSERVER_2017_STANDARD"
  region           = "us-central1"

  settings {
    # Added by the fix: disable the public IPv4 address. The instance then
    # needs private_network set (a VPC with Private Services Access) so it
    # still has an address to listen on.
    ip_configuration {
      ipv4_enabled = false
    }
  }
}
```

Remediation

  • GCP Console: to change the setting using the GCP Console, follow these steps:

1. Log in to the GCP Console at https://console.cloud.google.com.

2. Navigate to https://console.cloud.google.com/sql/instances (Cloud SQL Instances).

3. Click the instance name to open its Instance details page.

4. Select Connections.

5. Clear the Public IP checkbox. If the instance has no private IP yet, enable Private IP and choose the VPC network (Private Services Access must already be configured on that network).

6. To update the instance, click Save.

  • CLI Command

1. For every instance, remove its public IP and assign a private IP instead: `gcloud beta sql instances patch INSTANCE_NAME --network=VPC_NETWORK_NAME --no-assign-ip`. The VPC named in `--network` must already have Private Services Access set up; removing the public IP also drops any client that connects over it, so move those clients to the private path (or the Cloud SQL Auth Proxy) first.

2. Confirm the change using the following command: `gcloud sql instances describe INSTANCE_NAME`. In the output, `settings.ipConfiguration.ipv4Enabled` should be `false` and the `ipAddresses` list should contain only an entry of type `PRIVATE`.

Fix - Buildtime

Terraform

  • Resource: google_sql_database_instance
  • Arguments: database_version = "SQLSERVER_*"; settings.ip_configuration.ipv4_enabled, which defaults to true (public IP assigned) when omitted
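The snippet above only flips `ipv4_enabled`; on its own that leaves the instance without any address, because the provider requires either a public IP or a `private_network`. The following is an added, complete example (not code from the original page or from Checkov) of the private-IP configuration that CKV_GCP_60 expects. The VPC, reserved range, peering, variable and instance names, and the machine tier are assumptions for the example; replace them with your own.

```hcl
# Added example (not from the original page): a Cloud SQL instance that is
# reachable only over a private IP. Resource names, the tier and the
# variable are assumptions for illustration.

variable "sql_root_password" {
  type      = string
  sensitive = true   # SQL Server instances require an initial root password
}

resource "google_compute_network" "private" {
  name                    = "cloudsql-private-net"   # assumed name
  auto_create_subnetworks = false
}

# Reserve an internal range for Private Services Access. Cloud SQL allocates
# the instance's private IP out of this range.
resource "google_compute_global_address" "sql_private_range" {
  name          = "cloudsql-private-range"   # assumed name
  purpose       = "VPC_PEERING"
  address_type  = "INTERNAL"
  prefix_length = 16
  network       = google_compute_network.private.id
}

# Peer the VPC with the Google-managed producer network that hosts Cloud SQL.
resource "google_service_networking_connection" "sql_private_vpc" {
  network                 = google_compute_network.private.id
  service                 = "servicenetworking.googleapis.com"
  reserved_peering_ranges = [google_compute_global_address.sql_private_range.name]
}

resource "google_sql_database_instance" "private_only" {
  name             = "private-instance"   # assumed name
  database_version = "SQLSERVER_2017_STANDARD"
  region           = "us-central1"
  root_password    = var.sql_root_password

  # The peering must exist before the instance is created, otherwise
  # Cloud SQL cannot allocate the private address.
  depends_on = [google_service_networking_connection.sql_private_vpc]

  settings {
    tier = "db-custom-2-3840"   # assumed machine type

    ip_configuration {
      # No public IPv4 address: this is the condition CKV_GCP_60 checks.
      ipv4_enabled = false
      # Private IP taken from the peered range on our VPC, so the instance
      # is reachable only from inside that network.
      private_network = google_compute_network.private.id
    }
  }
}
```

Run `checkov -d .` against this configuration and CKV_GCP_60 reports PASSED for `google_sql_database_instance.private_only`; drop the `ipv4_enabled = false` line (or set it to `true`) and the same check reports FAILED. Keep the `depends_on`: without it, `terraform apply` can try to create the instance before the peering exists and fail with an error that the network has no private services access.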

Rule Details

Field         Value
ID            IAC-0919
Severity      LOW
IaC Type      Terraform
Frameworks    Terraform, TerraformPlan
Checkov ID    CKV_GCP_60
