🛡️ Google Cloud SQL Instance Automated Backups are not configured🟢

• Contextual name: 🛡️ Instance Automated Backups are not configured🟢
• ID: /ce/ca/google/sql/instance-backup
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: RELIABILITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 Google Cloud SQL Instance
  • 🔌 Google Cloud SQL Instance - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• Cloud Conformity: Enable Automated Backups for Cloud SQL Database Instances

Description

Open File

Description

It is recommended to have all SQL database instances set to enable automated backups.

Rationale

Backups provide a way to restore a Cloud SQL instance to recover lost data or recover from a problem with that instance. Automated backups need to be set for any instance that contains data that should be protected from loss or damage. This recommendation is applicable for SQL Server, PostgreSQL, MySQL generation 1, and MySQL generation 2 instances.

Impact

Automated backups increase the required storage size and associated costs.

Audit

From Google Cloud Console

1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.
2. Click the instance name to open its instance details page.
3. Go to the Backups menu.
4. Ensure that Automated backups is set to Enabled and Backup time is mentioned.

From Google Cloud CLI

1. List all Cloud SQL database instances using the following command:

   gcloud sql instances list \
       --format=json | jq '. | map(select(.instanceType != "{{read-replica-instance}}")) | .[].name'

... see more

Remediation

Open File

Remediation

From Google Cloud Console

1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.
2. Select the instance where the backups need to be configured.
3. Click Edit.
4. In the Backups section, check Enable automated backups, and choose a backup window.
5. Click Save.

From Google Cloud CLI

1. List all Cloud SQL database instances using the following command:

   gcloud sql instances list \
       --format=json | jq '. | map(select(.instanceType != "{{read-replica-instance}}")) | .[].name'

   NOTE: gcloud command has been added with the filter to exclude read-replicas instances, as GCP do not provide Automated Backups for read-replica instances.

2. Enable Automated backups for every Cloud SQL database instance using the below command:

   gcloud sql instances patch {{instance-name}} \
       --backup-start-time {{backup-start-time}}

   The backup-start-time parameter is specified in 24-hour time, in the UTC±00 time zone, and specifies the start of a 4-hour backup window. Backups can start any time during the backup window.

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 CIS GCP v1.2.0 → 💼 6.7 Ensure that Cloud SQL database instances are configured with automated backups - Level 1 (Automated)			1		no data
💼 CIS GCP v1.3.0 → 💼 6.7 Ensure That Cloud SQL Database Instances Are Configured With Automated Backups - Level 1 (Automated)			1		no data
💼 CIS GCP v2.0.0 → 💼 6.7 Ensure That Cloud SQL Database Instances Are Configured With Automated Backups - Level 1 (Automated)			1		no data
💼 CIS GCP v3.0.0 → 💼 6.7 Ensure That Cloud SQL Database Instances Are Configured With Automated Backups - Level 1 (Automated)			1		no data
💼 CIS GCP v4.0.0 → 💼 6.7 Ensure That Cloud SQL Database Instances Are Configured With Automated Backups - Level 1 (Automated)			1		no data
💼 Cloudaware Framework → 💼 System Configuration			61		no data
💼 FedRAMP High Security Controls → 💼 CP-9 System Backup (L)(M)(H)	5	4	16		no data
💼 FedRAMP High Security Controls → 💼 CP-10 System Recovery and Reconstitution (L)(M)(H)	2		21		no data
💼 FedRAMP Low Security Controls → 💼 CP-9 System Backup (L)(M)(H)			14		no data
💼 FedRAMP Low Security Controls → 💼 CP-10 System Recovery and Reconstitution (L)(M)(H)			21		no data
💼 FedRAMP Moderate Security Controls → 💼 CP-9 System Backup (L)(M)(H)	2		16		no data
💼 FedRAMP Moderate Security Controls → 💼 CP-10 System Recovery and Reconstitution (L)(M)(H)	1		21		no data
💼 ISO/IEC 27001:2013 → 💼 A.12.3.1 Information backup		1	2		no data
💼 ISO/IEC 27001:2022 → 💼 8.13 Information backup		1	3		no data
💼 NIST CSF v1.1 → 💼 PR.IP-4: Backups of information are conducted, maintained, and tested		5	10		no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			196		no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			197		no data
💼 NIST CSF v2.0 → 💼 PR.DS-11: Backups of data are created, protected, maintained, and tested			18		no data
💼 NIST CSF v2.0 → 💼 RC.RP-01: The recovery portion of the incident response plan is executed once initiated from the incident response process			21		no data
💼 NIST CSF v2.0 → 💼 RC.RP-02: Recovery actions are selected, scoped, prioritized, and performed			21		no data
💼 NIST CSF v2.0 → 💼 RC.RP-03: The integrity of backups and other restoration assets is verified before using them for restoration			10		no data
💼 NIST CSF v2.0 → 💼 RC.RP-05: The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed			21		no data
💼 NIST SP 800-53 Revision 4 → 💼 CP-9 INFORMATION SYSTEM BACKUP	7		1		no data
💼 NIST SP 800-53 Revision 5 → 💼 CP-9 System Backup	8		12		no data
💼 NIST SP 800-53 Revision 5 → 💼 CP-10 System Recovery and Reconstitution	6		21		no data