Restrict Authorized Networks on Cloud SQL instances

Risk Level: Medium (should be achieved)

Ensure that "Restrict Authorized Networks on Cloud SQL instances" policy is enforced for your Google Cloud Platform (GCP) organization to deny IAM members to add authorized networks in order to provide access to your security-critical SQL database instances.

Security

By default, authorized networks can be added to any Cloud SQL database instance. The "sql.restrictAuthorizedNetworks" constraint, implemented by the "Restrict Authorized Networks on Cloud SQL instances" organization policy, restricts adding authorized networks for unproxied database access to Cloud SQL instances where the constraint is set to True. This boolean constraint is not retroactive, Cloud SQL database instances with existing authorized networks will still work as expected even after the constraint is enforced.

Audit

To determine if "Restrict Authorized Networks on Cloud SQL instances" policy is enabled for your GCP organization, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console with the organizational unit credentials.

02 Click on the deployment selector from the top navigation bar, select ALL to list all the existing deployments, then choose the Google Cloud organization that you want to examine.

03 Navigate to Cloud Identity and Access Management (IAM) dashboard at https://console.cloud.google.com/iam-admin/iam.

04 In the navigation panel, select Organization Policies to access the list with the cloud organization policies available for your GCP organization.

05 Click inside the Filter by policy name or ID filter box, select Restrict Authorized Networks on Cloud SQL instances to return only the “Restrict Authorized Networks on Cloud SQL instances” organization policy.

06 Click on the name of the GCP organization policy returned at the previous step.

07 On the Policy details page, under Effective policy, check the Enforcement configuration attribute status. If the Enforcement attribute status is set to Not enforced, the policy is not enforced within your organization, therefore the restriction of adding authorized networks for Cloud SQL database instances is not enabled for the selected Google Cloud organization.

08 Repeat steps no. 2 – 7 for each organization available in in your Google Cloud account.

Using GCP CLI

01 Run organizations list command (Windows/macOS/Linux) using custom query filters to list the ID of each GCP organization created within your Google Cloud account:

gcloud organizations list
  --format="table(name)"

02 The command output should return the requested organization identifiers (IDs):

ID
112233441122
123412341234

03 Run resource-manager org-policies describe command (Windows/macOS/Linux) using the ID of the GCP organization that you want to reconfigure as identifier parameter, to describe the enforcement configuration of the “Restrict Authorized Networks on Cloud SQL instances” policy (i.e. "sql.restrictAuthorizedNetworks"), available for the selected organization:

gcloud alpha resource-manager org-policies describe
"sql.restrictAuthorizedNetworks"
  --effective
  --organization=112233441122
  --format="table(booleanPolicy)"

04 The command request should return the requested configuration information:

BOOLEAN_POLICY
{}

If the resource-manager org-policies describe command output returns an empty object for the BOOLEAN_POLICY configuration attribute, as shown in the example above, the “Restrict Authorized Networks on Cloud SQL instances” policy is not enforced at the organization level, therefore the restriction of adding authorized networks for Cloud SQL database instances is not enabled for the selected Google Cloud organization.

05 Repeat step no. 3 and 4 for each organization created within in your Google Cloud account.

Remediation / Resolution

To ensure that adding authorized networks for Cloud SQL database instances is disabled within your Google Cloud organization, enable the “Restrict Authorized Networks on Cloud SQL instances” organization policy by performing the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console with the organizational unit credentials.

02 Click on the deployment selector from the top navigation bar, select ALL to list all the existing deployments, then choose the Google Cloud organization that you want to reconfigure.

03 Navigate to Cloud Identity and Access Management (IAM) dashboard at https://console.cloud.google.com/iam-admin/iam.

04 In the navigation panel, select Organization Policies to access the list with the cloud organization policies available for your GCP organization.

05 Click inside the Filter by policy name or ID box, select Name and Restrict Authorized Networks on Cloud SQL instances to list only the “Restrict Authorized Networks on Cloud SQL instances” policy.

06 Click on the name of the GCP organization policy listed at the previous step.

07 On the Policy details page, click on the EDIT button from the dashboard top menu to edit the selected policy.

08 On the Edit policy configuration page, perform the following actions:

Under Applies to, select Customize to choose the type of the policy to apply (i.e. customized policy).
Under Enforcement, select On to enforce policy constraint. This constraint disables the creation of authorized networks for the Cloud SQL database instances provisioned in the selected Google Cloud organization.
Click SAVE to apply the changes and enforce the “Restrict Authorized Networks on Cloud SQL instances” policy constraints.

09 If required, repeat steps no. 2 – 8 to enable the policy for other organizations available in your Google Cloud account.

Using GCP CLI

01 Run resource-manager org-policies enable-enforce command (Windows/macOS/Linux) using the ID of the Google Cloud Platform (GCP) organization that you want to reconfigure as identifier parameter, to enforce the “Restrict Authorized Networks on Cloud SQL instances” policy (i.e. "sql.restrictAuthorizedNetworks") for the selected GCP organization:

gcloud alpha resource-manager org-policies enable-enforce
"sql.restrictAuthorizedNetworks"
  --organization=112233441122

02 The command request should return the reconfigured organization policy metadata:

booleanPolicy:
  enforced: true
constraint: constraints/sql.restrictAuthorizedNetworks
etag: aabbccddabcd
updateTime: '2020-07-17T10:00:00.000Z'

03 If required, repeat step no. 1 and 2 to enforce the policy for other GCP organizations created within your Google Cloud account.

References

Google Cloud Platform (GCP) Documentation
Authorizing with authorized networks
Connection organization policies
Organization policy constraints

GCP Command Line Interface (CLI) Documentation
organizations
gcloud alpha resource-manager org-policies describe
gcloud alpha resource-manager org-policies enable-enforce

Publication date May 4, 2021

Audit

Using GCP Console

Using GCP CLI

Remediation / Resolution

Using GCP Console

Using GCP CLI

References

Related ResourceManager rules