Ensure that the "Restrict Public IP access on Cloud SQL instances" organization policy is enforced for your Google Cloud organizations. Where strict security and compliance regulations apply, GCP members must not be able to configure security-critical database instances with public IP addresses.
For security-critical cloud environments that, due to regulatory requirements, cannot allow members (users or administrators) to configure database instances with public IPs, enable the "Restrict Public IP access on Cloud SQL instances" ("sql.restrictPublicIp") constraint policy. For highly sensitive workloads, access to Cloud SQL database instances should then be possible only through private IP addresses or the Google Cloud SQL Proxy.
Audit
To determine if "Restrict Public IP access on Cloud SQL instances" policy is enforced at the GCP organization level, perform the following actions:
Remediation / Resolution
To ensure that configuring public IP addresses for Cloud SQL database instances is disabled at the GCP organization level, enable the "Restrict Public IP access on Cloud SQL instances" organization policy by performing the following actions:
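The following script is an added example, not part of this rule page or of Google's tooling. It strings together the three gcloud commands listed under References to cover both the Audit and the Remediation sections: list the organizations visible to the caller, describe the effective "sql.restrictPublicIp" policy on each, and, when run with "--fix", enforce the constraint where it is missing. It assumes gcloud is installed and authenticated with a principal holding the Organization Policy Administrator role; the two sample describe outputs and the RUN_LIVE_AUDIT switch are constructed for this example so the parsing logic can be exercised without any cloud access.

```shell
#!/bin/sh
# Added example (not part of the Conformity rule page or Google's tooling):
# audit the sql.restrictPublicIp constraint on every organization visible to
# the caller and optionally enforce it, using the gcloud commands from the
# References section. Assumes gcloud is installed and the caller holds the
# Organization Policy Administrator role on each organization.

CONSTRAINT="sql.restrictPublicIp"

# Constructed sample outputs of `gcloud alpha resource-manager org-policies
# describe` for a boolean constraint, used to exercise the parser offline.
SAMPLE_ENFORCED='booleanPolicy:
  enforced: true
constraint: constraints/sql.restrictPublicIp'
SAMPLE_NOT_SET='constraint: constraints/sql.restrictPublicIp'

# Return 0 when the describe output shows the boolean constraint enforced.
# Both checks matter: no booleanPolicy block at all, or a block whose
# "enforced" value is false, both mean public IPs are still allowed.
policy_is_enforced() {
  printf '%s\n' "$1" | grep -q '^booleanPolicy:' &&
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]+enforced:[[:space:]]*true[[:space:]]*$'
}

# Audit one organization (numeric ID). --effective folds in inherited policy.
audit_org() {
  out=$(gcloud alpha resource-manager org-policies describe "$CONSTRAINT" \
        --organization="$1" --effective 2>/dev/null)
  if policy_is_enforced "$out"; then
    echo "organizations/$1: $CONSTRAINT enforced"
    return 0
  fi
  echo "organizations/$1: $CONSTRAINT NOT enforced"
  return 1
}

# Remediate one organization by enforcing the constraint.
enforce_org() {
  gcloud alpha resource-manager org-policies enable-enforce "$CONSTRAINT" \
    --organization="$1"
}

# Walk every organization; with --fix, enforce where the audit fails.
# Exit status is non-zero if any organization was found non-compliant.
main() {
  fix=0
  [ "${1:-}" = "--fix" ] && fix=1
  rc=0
  for org in $(gcloud organizations list --format='value(name)'); do
    org_id="${org#organizations/}"
    if ! audit_org "$org_id"; then
      rc=1
      [ "$fix" -eq 1 ] && enforce_org "$org_id"
    fi
  done
  return "$rc"
}

# Run the live audit only when explicitly requested (RUN_LIVE_AUDIT=1), so the
# functions can be sourced and checked against the samples without gcloud.
if [ "${RUN_LIVE_AUDIT:-0}" = "1" ]; then
  main "$@"
fi
```

Run it as `RUN_LIVE_AUDIT=1 sh audit_sql_public_ip.sh` to report, or add `--fix` to enforce. Two points to keep in mind when reading the results: a policy enforced at the organization level is inherited by folders and projects unless one of them overrides it, which is why the audit asks for the effective policy; and the constraint is not retroactive, so instances that already have a public IP keep it after enforcement and still need an instance-level review.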
References
- Google Cloud Platform (GCP) Documentation
  - Authorizing with authorized networks
  - Connection organization policies
  - Organization policy constraints
- GCP Command Line Interface (CLI) Documentation
  - gcloud organizations list
  - gcloud alpha resource-manager org-policies describe
  - gcloud alpha resource-manager org-policies enable-enforce
Restrict Public IP Access for Cloud SQL Instances at Organization Level
Risk Level: Medium