🛡️ Google Cloud SQL Instance Deletion Protection is not enabled 🟢⚪
- Contextual name: 🛡️ Cloud SQL Instance Deletion Protection is not enabled 🟢⚪
- ID: /ce/ca/google/sql/instance-deletion-protection
- Tags:
- Policy Type: COMPLIANCE_POLICY
- Policy Categories: RELIABILITY
Description
Enable deletion protection on Cloud SQL instances that store production or otherwise important data. Deletion protection requires the setting to be explicitly disabled before an instance can be deleted.
Rationale
Cloud SQL instances without deletion protection can be deleted with a single command, whether by mistake, by a misconfigured automation, or by any principal holding the cloudsql.instances.delete permission. Requiring an explicit disable step before deletion reduces the risk of unintended data loss and improves resilience for critical databases. The setting is a guardrail rather than an access control: a principal that can update the instance can also clear the flag, so it complements least-privilege IAM and tested backups instead of replacing them.
Impact
Deletion protection does not affect database performance or availability. An attempt to delete a protected instance fails until an administrator disables the setting, so intentional deletions, including those driven by infrastructure-as-code tooling, require that extra step.
Audit
From Google Cloud CLI
List Cloud SQL instances and their deletion protection setting:

```
gcloud sql instances list \
  --format="table(name,settings.deletionProtectionEnabled)"
```

For each instance, verify that deletion protection is enabled:

```
gcloud sql instances describe {{instance-name}} \
  --format="value(settings.deletionProtectionEnabled)"
```

The command should print True. An empty result means the field has never been set on the instance, which is equivalent to deletion protection being disabled.
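The audit above is a manual, per-instance check. The script below is an added example (not code from the page or from Cloudaware) that turns it into a single pass over the whole project: it uses the same gcloud `value()` output, isolates the gcloud call in one function so the check itself can be exercised offline on constructed sample output, and treats both an explicit False and an unset field as non-compliant. Assumed: gcloud prints the boolean as True/False and an unset field as an empty column; the instance names in the sample are made up.

```shell
#!/bin/sh
# Added audit example for this policy (not from the page or Cloudaware).
# Assumption: gcloud's value() format prints the boolean as "True"/"False"
# and an unset settings.deletionProtectionEnabled as an empty column.

# Live source: one line per instance, "name<TAB>deletionProtectionEnabled".
list_instances() {
    gcloud sql instances list \
        --format="value(name,settings.deletionProtectionEnabled)"
}

# Constructed sample in the same shape: one protected instance, one
# explicitly disabled, one where the field was never set.
sample_instances() {
    printf 'prod-db\tTrue\nstaging-db\tFalse\nlegacy-db\t\n'
}

# Constructed sample where every instance is protected.
sample_all_protected() {
    printf 'prod-db\tTrue\nreplica-db\tTrue\n'
}

# Read "name<TAB>flag" lines on stdin and print the names whose flag is
# anything other than True. "False" and an empty (unset) field both mean
# the instance can be deleted with a single command, so both are reported.
find_unprotected() {
    tab=$(printf '\t')
    while IFS="$tab" read -r name flag; do
        [ -n "$name" ] || continue
        case "$flag" in
            True) ;;
            *) printf '%s\n' "$name" ;;
        esac
    done
}

# Run the audit against a source function ($1): returns 0 when every
# instance is protected, 1 otherwise, listing the offenders on stderr.
audit() {
    unprotected=$("$1" | find_unprotected)
    if [ -n "$unprotected" ]; then
        echo "Cloud SQL instances without deletion protection:" >&2
        printf '%s\n' "$unprotected" >&2
        echo "Remediate with: gcloud sql instances patch <name> --deletion-protection" >&2
        return 1
    fi
    echo "All Cloud SQL instances have deletion protection enabled." >&2
    return 0
}

# Offline demonstration on the constructed sample, which reports staging-db
# and legacy-db. Against a real project run: audit list_instances
if ! audit sample_instances; then
    echo "audit: non-compliant instances found" >&2
fi
```

Wiring `audit list_instances` into a scheduled job or CI step gives a non-zero exit whenever a new instance appears without the flag, which is the failure mode the manual describe loop misses between reviews.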
Remediation
From Google Cloud CLI
To enable deletion protection on an existing Cloud SQL instance, run:

```
gcloud sql instances patch {{instance-name}} \
  --deletion-protection
```

To enable deletion protection when creating a new Cloud SQL instance, include `--deletion-protection` in the `gcloud sql instances create` command. When an instance is to be deleted intentionally, clear the setting first with `gcloud sql instances patch {{instance-name}} --no-deletion-protection`; `gcloud sql instances delete` fails while the setting is on.
Linked Framework Sections
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| 💼 CIS GCP v5.0.0 → 💼 6.9 Ensure Cloud SQL Database Instances Have Deletion Protection Enabled - Level 1 (Manual) | 1 | no data | | | |
| 💼 Cloudaware Framework → 💼 Data Protection and Recovery | 26 | no data | | | |