Check for Publicly Accessible Cloud SQL Database Instances

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: CloudSQL-015

Ensure that your Google Cloud SQL database instances are configured to accept connections from trusted networks and IP addresses only.

This rule resolution is part of the Conformity Security & Compliance tool for GCP.

Security

When a Cloud SQL database instance's authorized networks are configured to allow public access (i.e. 0.0.0.0/0), any IPv4 client on the Internet can pass the network-level filter and attempt to log in to that instance (clients still need valid credentials to successfully log in to your database). To minimize the attack surface of your SQL databases and the applications that depend on them, only the trusted IP addresses and networks that actually need login access should be whitelisted.

Audit

To determine if your Cloud SQL database instances are configured to allow access to anyone on the Internet, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Cloud SQL console available at https://console.cloud.google.com/sql/instances.

04 Click on the name (link) of the database instance that you want to examine.

05 In the navigation panel, select Connections to access the connectivity configuration information available for the selected database instance.

06 Select the NETWORKING tab and verify the Public IP setting status. If the Public IP setting is enabled, check the Authorized networks section for any authorized networks configured to allow access to anyone on the Internet (i.e. 0.0.0.0/0). If there are any authorized networks with the Network configuration field set to 0.0.0.0/0, the selected Google Cloud SQL database instance is publicly accessible.

07 Repeat steps no. 4 – 6 for each Cloud SQL database instance available within the selected GCP project.

08 Repeat steps no. 2 – 7 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom query filters to list the IDs of all the Google Cloud Platform (GCP) projects available in your Google Cloud account:

gcloud projects list \
  --format="table(projectId)"

02 The command output should return the requested GCP project identifiers:

PROJECT_ID
cc-mobile-project-123123
cc-ml-app-project-123123

03 Run sql instances list command (Windows/macOS/Linux) with custom filtering to describe the name of each Cloud SQL database instance provisioned for the selected Google Cloud project:

gcloud sql instances list \
  --project cc-mobile-project-123123 \
  --format="(NAME)"

04 The command output should return the requested database instance name(s):

NAME
cc-mobile-db-instance
cc-web-int-db-instance

05 Run sql instances describe command (Windows/macOS/Linux) using the name of the Cloud SQL database instance that you want to examine as the identifier parameter, to determine if the selected instance is configured to use an external, Internet-accessible IP address:

gcloud sql instances describe cc-mobile-db-instance \
  --format=json | jq '.settings.ipConfiguration.ipv4Enabled'

06 The command output should return the requested configuration information:

true

If the command output returns true, the selected database instance is configured with a public IP address and you can continue the Audit process with the next step.

07 Run sql instances describe command (Windows/macOS/Linux) using the name of the Cloud SQL database instance that you want to examine as the identifier parameter and custom output filtering to describe the IPv4 address/IPv4 range of the authorized network(s) configured for the selected instance:

gcloud sql instances describe cc-mobile-db-instance \
  --format=json | jq '.settings.ipConfiguration.authorizedNetworks[].value'

08 The command output should return the requested authorized network(s) details:

"0.0.0.0/0"

If the sql instances describe command output contains "0.0.0.0/0", there is at least one authorized network that allows database access to anyone on the Internet (i.e. 0.0.0.0/0), therefore, the selected Google Cloud SQL database instance is publicly accessible.

09 Repeat steps no. 5 – 8 for each Cloud SQL database instance provisioned within the selected GCP project.

10 Repeat steps no. 3 – 9 for each project available within your Google Cloud account.

Remediation / Resolution

To restrict public access to your Google Cloud SQL database instances by updating their authorized network configuration, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Cloud SQL console available at https://console.cloud.google.com/sql/instances.

04 Click on the name (link) of the database instance that you want to configure.

05 In the navigation panel, select Connections to access the connectivity configuration information available for the selected database instance.

06 Select the NETWORKING tab and perform the following operations in the Authorized networks section:

  1. Delete the authorized network configured to allow access to anyone on the Internet, i.e. 0.0.0.0/0, by clicking the delete button (bin icon) available on the authorized network header.
  2. If required, choose ADD A NETWORK to configure a new authorized network for the selected instance. On the New network setup panel, in the Network box, enter the IP address or IP address range you want to allow connections from. The authorized IP address/IP range must use the CIDR format (e.g. 10.50.51.5/32). Optionally, enter a name for the new entry in the Name box. Choose DONE to close the configuration panel.
  3. Choose SAVE to apply the changes.

07 Repeat steps no. 4 – 6 for each Cloud SQL database instance that you want to configure, available within the selected GCP project.

08 Repeat steps no. 2 – 7 for each project deployed in your Google Cloud account.

Using GCP CLI

01 To replace the non-compliant authorized network with a secure and trusted one, run sql instances patch command (Windows/macOS/Linux) using the trusted IP address you want to allow connections from as the value of the --authorized-networks configuration parameter (CIDR format). IMPORTANT: When adding new authorized networks, make sure to also include any trusted IP addresses that have already been authorized; otherwise, the existing ones will be overwritten and de-authorized:

gcloud sql instances patch cc-mobile-db-instance \
  --authorized-networks="xxx.xxx.xxx.xxx/xx"

02 Type Y and press Enter to confirm the instance configuration change:

When adding a new IP address to authorized networks, make sure to also include any IP addresses that have already been authorized. Otherwise, they will be overwritten and de-authorized. 
Do you want to continue (Y/n)? Y

03 The output should return the sql instances patch command request status:

The following message will be used for the patch API method.
{"name": "cc-mobile-db-instance", "project": "cc-mobile-project-123123", "settings": {"ipConfiguration": {"authorizedNetworks": [{"value": "xxx.xxx.xxx.xxx/xx"}]}}}
Patching Cloud SQL instance...done.
Updated [https://sqladmin.googleapis.com/sql/v1beta4/projects/cc-mobile-project-123123/instances/cc-mobile-db-instance].

04 Repeat steps no. 1 – 3 for each Cloud SQL database instance that you want to configure, provisioned for the selected GCP project.

05 Repeat steps no. 1 – 4 for each project created within your Google Cloud account.
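The CLI audit (steps 05 – 08 above) and the remediation caveat about overwriting already-authorized networks, worked through as an added Python example that is not part of the Conformity page: it parses the JSON that gcloud sql instances describe prints, reports the authorized networks that admit any IPv4 client, and builds a replacement --authorized-networks list that keeps the existing trusted entries. The sample describe output and the function names are constructed for illustration; --quiet is gcloud's global flag for suppressing the Y/n prompt.

```python
import ipaddress
import json

# Constructed sample of `gcloud sql instances describe --format=json` output (trimmed).
SAMPLE_DESCRIBE = json.dumps({
    "name": "cc-mobile-db-instance",
    "settings": {"ipConfiguration": {
        "ipv4Enabled": True,
        "authorizedNetworks": [{"name": "office", "value": "203.0.113.10/32"},
                               {"name": "anyone", "value": "0.0.0.0/0"}],
    }},
})


def _ip_config(describe_json: str) -> dict:
    return json.loads(describe_json).get("settings", {}).get("ipConfiguration", {})


def _covers_all_ipv4(cidr: str) -> bool:
    """True when the CIDR covers every IPv4 address (0.0.0.0/0); False for bad input."""
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False
    return net.version == 4 and net.prefixlen == 0


def open_networks(describe_json: str) -> list:
    """Authorized networks that admit any IPv4 client (CLI audit steps 05-08).
    A private-IP-only instance (ipv4Enabled false) has no public endpoint, so [] is returned."""
    cfg = _ip_config(describe_json)
    if not cfg.get("ipv4Enabled", False):
        return []
    return [n.get("value", "") for n in cfg.get("authorizedNetworks", [])
            if _covers_all_ipv4(n.get("value", ""))]


def remediation_networks(describe_json: str, trusted: list) -> list:
    """Value list for `--authorized-networks`: the patch replaces the whole list, so
    existing non-open entries are kept, 0.0.0.0/0 is dropped, trusted CIDRs appended."""
    keep = [n["value"] for n in _ip_config(describe_json).get("authorizedNetworks", [])
            if not _covers_all_ipv4(n["value"])]
    for cidr in trusted:
        if _covers_all_ipv4(cidr):
            raise ValueError(f"{cidr} would keep the instance open to the Internet")
        ipaddress.ip_network(cidr)  # ValueError unless a valid CIDR, e.g. 10.50.51.5/32
        if cidr not in keep:
            keep.append(cidr)
    return keep


def patch_command(instance: str, networks: list) -> list:
    """argv for the remediation step; --quiet skips the interactive Y/n prompt."""
    return ["gcloud", "sql", "instances", "patch", instance,
            "--authorized-networks=" + ",".join(networks), "--quiet"]
```

Feed each instance's describe output to open_networks to flag it, then pass remediation_networks to patch_command to fix it without losing entries that were already authorized.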

Publication date Apr 12, 2021