🛡️ Google Cloud SQL Instance Automated Backups are not configured🟢

• Contextual name: 🛡️ Instance Automated Backups are not configured🟢
• ID: /ce/ca/google/sql/instance-backup
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: RELIABILITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 Google Cloud SQL Instance
  • 🔌 Google Cloud SQL Instance - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• Cloud Conformity: Enable Automated Backups for Cloud SQL Database Instances

Description

Open File

Description

It is recommended to have all SQL database instances set to enable automated backups.

Rationale

Backups provide a way to restore a Cloud SQL instance to recover lost data or recover from a problem with that instance. Automated backups need to be set for any instance that contains data that should be protected from loss or damage. This recommendation is applicable for SQL Server, PostgreSql, MySql generation 1 and MySql generation 2 instances.

Impact

Automated Backups will increase required size of storage and costs associated with it.

Audit

From Google Cloud Console

1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.
2. Click the instance name to open its instance details page.
3. Go to the Backups menu.
4. Ensure that Automated backups is set to Enabled and Backup time is mentioned.

From Google Cloud CLI

1. List all Cloud SQL database instances using the following command:

gcloud sql instances list --format=json | jq '. | map(select(.instanceType != "READ_REPLICA_INSTANCE")) | .[].name'

... [see more](description.md)

Remediation

Open File

Remediation

From Google Cloud Console

1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.
2. Select the instance where the backups need to be configured.
3. Click Edit.
4. In the Backups section, check Enable automated backups, and choose a backup window.
5. Click Save.

From Google Cloud CLI

1. List all Cloud SQL database instances using the following command:

        gcloud sql instances list --format=json | jq '. | map(select(.instanceType != "READ_REPLICA_INSTANCE")) | .[].name'

NOTE: gcloud command has been added with the filter to exclude read-replicas instances, as GCP do not provide Automated Backups for read-replica instances. 2. Enable Automated backups for every Cloud SQL database instance using the below command:

        gcloud sql instances patch <INSTANCE_NAME> --backup-start-time <[HH:MM]>

The backup-start-time parameter is specified in 24-hour time, in the UTC±00 time zone, and specifies the start of a 4-hour backup window. Backups can start any time during the backup window.

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 CIS GCP v1.2.0 → 💼 6.7 Ensure that Cloud SQL database instances are configured with automated backups - Level 1 (Automated)			1		no data
💼 CIS GCP v1.3.0 → 💼 6.7 Ensure That Cloud SQL Database Instances Are Configured With Automated Backups - Level 1 (Automated)			1		no data
💼 CIS GCP v2.0.0 → 💼 6.7 Ensure That Cloud SQL Database Instances Are Configured With Automated Backups - Level 1 (Automated)			1		no data
💼 CIS GCP v3.0.0 → 💼 6.7 Ensure That Cloud SQL Database Instances Are Configured With Automated Backups - Level 1 (Automated)			1		no data
💼 Cloudaware Framework → 💼 System Configuration			45		no data
💼 FedRAMP High Security Controls → 💼 CP-9 System Backup (L)(M)(H)	5	4	10		no data
💼 FedRAMP High Security Controls → 💼 CP-10 System Recovery and Reconstitution (L)(M)(H)	2		12		no data
💼 FedRAMP Low Security Controls → 💼 CP-9 System Backup (L)(M)(H)			9		no data
💼 FedRAMP Low Security Controls → 💼 CP-10 System Recovery and Reconstitution (L)(M)(H)			12		no data
💼 FedRAMP Moderate Security Controls → 💼 CP-9 System Backup (L)(M)(H)	2		10		no data
💼 FedRAMP Moderate Security Controls → 💼 CP-10 System Recovery and Reconstitution (L)(M)(H)	1		12		no data
💼 ISO/IEC 27001:2013 → 💼 A.12.3.1 Information backup			1		no data
💼 ISO/IEC 27001:2022 → 💼 8.13 Information backup		1	2		no data
💼 NIST CSF v1.1 → 💼 PR.IP-4: Backups of information are conducted, maintained, and tested		4	8		no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			148		no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			142		no data
💼 NIST CSF v2.0 → 💼 PR.DS-11: Backups of data are created, protected, maintained, and tested			12		no data
💼 NIST CSF v2.0 → 💼 RC.RP-01: The recovery portion of the incident response plan is executed once initiated from the incident response process			12		no data
💼 NIST CSF v2.0 → 💼 RC.RP-02: Recovery actions are selected, scoped, prioritized, and performed			12		no data
💼 NIST CSF v2.0 → 💼 RC.RP-03: The integrity of backups and other restoration assets is verified before using them for restoration			6		no data
💼 NIST CSF v2.0 → 💼 RC.RP-05: The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed			12		no data
💼 NIST SP 800-53 Revision 4 → 💼 CP-9 INFORMATION SYSTEM BACKUP	7		1		no data
💼 NIST SP 800-53 Revision 5 → 💼 CP-9 System Backup	8		7		no data
💼 NIST SP 800-53 Revision 5 → 💼 CP-10 System Recovery and Reconstitution	6		12		no data