Skip to main content

🛡️ Google Cloud SQL Instance External Authorized Networks whitelists all public IP addresses🟢

  • Contextual name: 🛡️ Instance External Authorized Networks whitelists all public IP addresses🟢
  • ID: /ce/ca/google/sql/instance-public-ip-whitelist
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Stats

not available

Logic

Similar Policies

Description

Open File

Description

Database servers should accept connections only from trusted networks or IPs and restrict access from public IP addresses.

Rationale

To minimize the attack surface on a database server instance, only trusted and required IPs should be allowlisted to connect to it.

An authorized network should not have IPs/networks configured to 0.0.0.0/0 which will allow access to the instance from anywhere in the world. Note that authorized networks apply only to instances with public IPs.

Impact

The Cloud SQL database instance would not be available to public IP addresses.

Audit

From Google Cloud Console
  1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.
  2. Click the instance name to open its Instance details page.
  3. Under the Configuration section click Edit configurations.
  4. Under Configuration options expand the Connectivity section.
  5. Ensure that no authorized network is configured to allow 0.0.0.0/0.
From Google Cloud CLI

... see more

Remediation

Open File

Remediation

From Google Cloud Console

  1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.
  2. Click the instance name to open its Instance details page.
  3. Under the Configuration section click Edit configurations.
  4. Under Configuration options expand the Connectivity section.
  5. Click the delete icon for the authorized network 0.0.0.0/0.
  6. Click Save to update the instance.

From Google Cloud CLI

Update the authorized network list by removing any public addresses.

gcloud sql instances patch {{instance-name}} \
--authorized-networks={{ip-addr1}},{{ip-addr2}}

policy.yaml

Open File

Linked Framework Sections

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
💼 CIS GCP v1.3.0 → 💼 6.5 Ensure That Cloud SQL Database Instances Do Not Implicitly Whitelist All Public IP Addresses - Level 1 (Automated)1no data
💼 CIS GCP v2.0.0 → 💼 6.5 Ensure That Cloud SQL Database Instances Do Not Implicitly Whitelist All Public IP Addresses - Level 1 (Automated)1no data
💼 CIS GCP v3.0.0 → 💼 6.5 Ensure That Cloud SQL Database Instances Do Not Implicitly Whitelist All Public IP Addresses - Level 1 (Automated)1no data
💼 CIS GCP v4.0.0 → 💼 6.5 Ensure That Cloud SQL Database Instances Do Not Implicitly Whitelist All Public IP Addresses - Level 1 (Automated)1no data
💼 CIS GCP v5.0.0 → 💼 6.5 Ensure That Cloud SQL Database Instances Do Not Implicitly Whitelist All Public IP Addresses - Level 1 (Automated)1no data
💼 Cloudaware Framework → 💼 Network Exposure137no data
💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)3790no data
💼 FedRAMP High Security Controls → 💼 AC-5 Separation of Duties (M)(H)22no data
💼 FedRAMP High Security Controls → 💼 AC-6 Least Privilege (M)(H)81285no data
💼 FedRAMP High Security Controls → 💼 MP-2 Media Access (L)(M)(H)13no data
💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)90no data
💼 FedRAMP Low Security Controls → 💼 MP-2 Media Access (L)(M)(H)13no data
💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)90no data
💼 FedRAMP Moderate Security Controls → 💼 AC-5 Separation of Duties (M)(H)22no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6 Least Privilege (M)(H)685no data
💼 FedRAMP Moderate Security Controls → 💼 MP-2 Media Access (L)(M)(H)13no data
💼 ISO/IEC 27001:2013 → 💼 A.13.1.3 Segregation in networks1no data
💼 ISO/IEC 27001:2022 → 💼 5.10 Acceptable use of information and other associated assets1228no data
💼 ISO/IEC 27001:2022 → 💼 5.15 Access control1532no data
💼 ISO/IEC 27001:2022 → 💼 8.3 Information access restriction1125no data
💼 ISO/IEC 27001:2022 → 💼 8.4 Access to source code923no data
💼 NIST CSF v1.1 → 💼 DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed1034no data
💼 NIST CSF v1.1 → 💼 DE.CM-1: The network is monitored to detect potential cybersecurity events1963no data
💼 NIST CSF v1.1 → 💼 ID.AM-3: Organizational communication and data flows are mapped48no data
💼 NIST CSF v1.1 → 💼 PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties2362no data
💼 NIST CSF v1.1 → 💼 PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)1044no data
💼 NIST CSF v1.1 → 💼 PR.DS-5: Protections against data leaks are implemented5498no data
💼 NIST CSF v1.1 → 💼 PR.PT-4: Communications and control networks are protected1044no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events185no data
💼 NIST CSF v2.0 → 💼 ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained89no data
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties144no data
💼 NIST CSF v2.0 → 💼 PR.AA-06: Physical access to assets is managed, monitored, and enforced commensurate with risk44no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected196no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected167no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected197no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage129no data
💼 NIST SP 800-53 Revision 4 → 💼 CA-3 SYSTEM INTERCONNECTIONS52no data
💼 NIST SP 800-53 Revision 4 → 💼 SC-7 BOUNDARY PROTECTION23531no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3 Access Enforcement15666no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-5 Separation of Duties22no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6 Least Privilege102378no data
💼 NIST SP 800-53 Revision 5 → 💼 MP-2 Media Access213no data
💼 PCI DSS v3.2.1 → 💼 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.1067no data
💼 PCI DSS v4.0.1 → 💼 1.3.1 Inbound traffic to the CDE is restricted.67no data
💼 PCI DSS v4.0.1 → 💼 1.3.2 Outbound traffic from the CDE is restricted.67no data
💼 PCI DSS v4.0 → 💼 1.3.1 Inbound traffic to the CDE is restricted.967no data
💼 PCI DSS v4.0 → 💼 1.3.2 Outbound traffic from the CDE is restricted.67no data
💼 SOC 2 → 💼 CC5.2-3 Establishes Relevant Security Management Process Controls Activities1636no data
💼 SOC 2 → 💼 CC6.1-3 Restricts Logical Access122no data
💼 SOC 2 → 💼 CC6.1-7 Restricts Access to Information Assets1327no data