🛡️ Google Cloud SQL Instance IAM Database Authentication is not enabled🟢

  • Contextual name: 🛡️ Cloud SQL Instance IAM Database Authentication is not enabled🟢
  • ID: /ce/ca/google/sql/instance-iam-database-authentication
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Description

This policy checks whether IAM database authentication is enabled for Google Cloud SQL for MySQL and PostgreSQL instances. IAM database authentication allows users and applications to authenticate with IAM principals and short-lived tokens instead of static database passwords.

Rationale

IAM database authentication centralizes access control in Google Cloud IAM and reduces the need to distribute and rotate static database passwords. It also improves attribution because database access can be tied to user accounts and service accounts.

Impact

Applications and users may need connection changes to use IAM database authentication. Existing password-based database users should be reviewed and migrated carefully to avoid service interruption.

Audit

This policy flags a Google Cloud SQL Instance as INCOMPLIANT when the instance is a MySQL or PostgreSQL instance and IAM database authentication is not enabled.

For PostgreSQL instances, the cloudsql.iam_authentication database flag must be set to on.

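As an added example (not the policy's own evaluation code), the following Python applies the audit rule above to instance records in the shape returned by `gcloud sql instances describe --format=json` (`databaseVersion` and `settings.databaseFlags`); the instance records below are constructed samples.

```python
# Flag that must read "on" for each engine, as stated in the Audit text.
IAM_AUTH_FLAG = {
    "POSTGRES": "cloudsql.iam_authentication",
    "MYSQL": "cloudsql_iam_authentication",
}


def engine_of(instance):
    """Return 'POSTGRES' or 'MYSQL'; None for engines this policy does not cover."""
    version = str(instance.get("databaseVersion", "")).upper()
    return next((e for e in IAM_AUTH_FLAG if version.startswith(e)), None)


def iam_auth_enabled(instance):
    """True/False for MySQL and PostgreSQL instances; None when not applicable."""
    engine = engine_of(instance)
    if engine is None:
        return None
    flags = (instance.get("settings") or {}).get("databaseFlags") or []
    wanted = IAM_AUTH_FLAG[engine]
    # An absent flag means the default (off); only this engine's flag name counts,
    # so a PostgreSQL-style name on a MySQL instance does not enable anything.
    for flag in flags:
        if flag.get("name") == wanted:
            return str(flag.get("value", "")).lower() == "on"
    return False


def evaluate(instances):
    """Map instance name -> COMPLIANT / INCOMPLIANT / NOT_APPLICABLE."""
    verdicts = {}
    for inst in instances:
        enabled = iam_auth_enabled(inst)
        verdicts[inst["name"]] = ("NOT_APPLICABLE" if enabled is None
                                  else "COMPLIANT" if enabled else "INCOMPLIANT")
    return verdicts


SAMPLE_INSTANCES = [  # constructed samples, trimmed to the fields the check reads
    {"name": "pg-ok", "databaseVersion": "POSTGRES_15",
     "settings": {"databaseFlags": [{"name": "cloudsql.iam_authentication", "value": "on"}]}},
    {"name": "pg-noflags", "databaseVersion": "POSTGRES_14", "settings": {}},
    {"name": "mysql-off", "databaseVersion": "MYSQL_8_0",
     "settings": {"databaseFlags": [{"name": "cloudsql_iam_authentication", "value": "off"}]}},
    {"name": "mysql-wrongname", "databaseVersion": "MYSQL_8_0",
     "settings": {"databaseFlags": [{"name": "cloudsql.iam_authentication", "value": "on"}]}},
    {"name": "mssql", "databaseVersion": "SQLSERVER_2019_STANDARD", "settings": {}},
]
```

Running `evaluate(SAMPLE_INSTANCES)` flags every MySQL/PostgreSQL instance whose engine-specific flag is missing, off, or misnamed, and skips SQL Server.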
Remediation

From Google Cloud CLI

  1. For PostgreSQL instances, enable IAM database authentication:

    gcloud sql instances patch {{instance-name}} \
    --database-flags=cloudsql.iam_authentication=on
  2. For MySQL instances, enable IAM database authentication:

    gcloud sql instances patch {{instance-name}} \
    --database-flags=cloudsql_iam_authentication=on

    Note: Setting database flags with gcloud sql instances patch can overwrite existing flags. Include all existing database flags that must remain configured.

  3. Create IAM-authenticated database users as needed:

    gcloud sql users create {{principal}} \
    --instance={{instance-name}} \
    --type=CLOUD_IAM_USER
  4. Grant required database privileges and Google Cloud IAM roles, including roles/cloudsql.client and roles/cloudsql.instanceUser, to the connecting principals.

  5. Test application and user connections before removing password-based access.

Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 CIS GCP v5.0.0 → 💼 6.6 Ensure Cloud SQL Database Instances Have IAM Database Authentication Enabled - Level 1 (Manual) | 1 | no data
💼 Cloudaware Framework → 💼 Secure Access | 61 | no data