🛡️ Google Cloud SQL Instance SSL Connections are not enforced

Description

It is recommended to enforce SSL for all incoming connections to SQL database instances.

Rationale

A SQL database connection that is intercepted (MITM) can reveal sensitive data such as credentials, database queries, and query outputs, so always use SSL/TLS encryption when connecting to your instance. This recommendation applies to PostgreSQL, MySQL generation 1, MySQL generation 2, and SQL Server 2017 instances. Note that enforcing SSL on the instance only guarantees that the connection is encrypted; defeating an active MITM also requires the client to verify the server certificate (for example, PostgreSQL clients should connect with sslmode=verify-ca rather than sslmode=require, which encrypts but does not authenticate the server).

Impact

After enforcing the SSL requirement, existing clients will not be able to communicate with the Cloud SQL database instance unless they use SSL-encrypted connections (and, with TRUSTED_CLIENT_CERTIFICATE_REQUIRED, also present a client certificate trusted by the instance). Connections made through the Cloud SQL Auth Proxy or the Cloud SQL language connectors are already TLS-encrypted and are not affected.

Audit

This policy flags a Google Cloud SQL instance as INCOMPLIANT if its SSL mode (settings.ipConfiguration.sslMode) is not set to ENCRYPTED_ONLY or TRUSTED_CLIENT_CERTIFICATE_REQUIRED. An instance whose SSL mode is unset behaves as ALLOW_UNENCRYPTED_AND_ENCRYPTED and is therefore also flagged.

Default Value

By default, settings.ipConfiguration.sslMode is not set, which is equivalent to sslMode: ALLOW_UNENCRYPTED_AND_ENCRYPTED, i.e. the instance accepts unencrypted connections.
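The audit rule and the default-value behaviour above, applied to instance configurations in the shape returned by `gcloud sql instances list --format=json`. This is an added example, not Cloudaware's policy.yaml and not Google code; the instance list is constructed sample data, and the handling of the deprecated requireSsl boolean (treated as enforcing encryption when true) is an assumption noted in the code.

```python
"""Audit Cloud SQL instances for enforced SSL/TLS connections.

Added example: not Cloudaware's policy.yaml and not Google code. It applies the
audit rule (sslMode must be ENCRYPTED_ONLY or TRUSTED_CLIENT_CERTIFICATE_REQUIRED)
to the settings.ipConfiguration block of each instance, in the shape returned by
`gcloud sql instances list --format=json`.
"""
import json

# Modes that satisfy the policy: encryption required (ENCRYPTED_ONLY) or
# encryption plus a trusted client certificate (TRUSTED_CLIENT_CERTIFICATE_REQUIRED).
COMPLIANT_MODES = {"ENCRYPTED_ONLY", "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"}
DEFAULT_MODE = "ALLOW_UNENCRYPTED_AND_ENCRYPTED"  # what an unset sslMode means
LEGACY_REQUIRE_SSL = "REQUIRE_SSL_LEGACY"          # marker for requireSsl: true

# Constructed sample data modelled on `gcloud sql instances list --format=json`
# output (not captured from a real project); only the fields used here are kept.
SAMPLE_INSTANCES_JSON = """
[
  {"name": "pg-prod", "databaseVersion": "POSTGRES_15",
   "settings": {"ipConfiguration": {"sslMode": "ENCRYPTED_ONLY"}}},
  {"name": "mysql-certs", "databaseVersion": "MYSQL_8_0",
   "settings": {"ipConfiguration": {"sslMode": "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"}}},
  {"name": "mysql-legacy", "databaseVersion": "MYSQL_8_0",
   "settings": {"ipConfiguration": {"requireSsl": true}}},
  {"name": "pg-dev", "databaseVersion": "POSTGRES_15",
   "settings": {"ipConfiguration": {"sslMode": "ALLOW_UNENCRYPTED_AND_ENCRYPTED"}}},
  {"name": "sqlserver-unset", "databaseVersion": "SQLSERVER_2019_STANDARD",
   "settings": {"ipConfiguration": {"ipv4Enabled": true}}}
]
"""


def load_sample_instances():
    """Parse the constructed sample (swap in real gcloud JSON output to audit a project)."""
    return json.loads(SAMPLE_INSTANCES_JSON)


def effective_ssl_mode(instance):
    """Return the mode the instance actually enforces.

    sslMode wins when set. An unset or SSL_MODE_UNSPECIFIED value falls back to
    the deprecated requireSsl boolean; if that is absent too, the instance runs
    with the default, which accepts unencrypted connections.
    """
    ip_cfg = instance.get("settings", {}).get("ipConfiguration", {})
    mode = ip_cfg.get("sslMode")
    if mode and mode != "SSL_MODE_UNSPECIFIED":
        return mode
    if ip_cfg.get("requireSsl") is True:
        # Assumption: requireSsl=true (the pre-sslMode setting) enforces encryption
        # and corresponds to one of the two compliant modes, so it counts as compliant.
        return LEGACY_REQUIRE_SSL
    return DEFAULT_MODE


def is_compliant(instance):
    return effective_ssl_mode(instance) in COMPLIANT_MODES | {LEGACY_REQUIRE_SSL}


def audit(instances):
    """Return one finding per non-compliant instance, with the gcloud fix to apply."""
    findings = []
    for inst in instances:
        if is_compliant(inst):
            continue
        findings.append({
            "name": inst["name"],
            "databaseVersion": inst.get("databaseVersion", "unknown"),
            "effective_ssl_mode": effective_ssl_mode(inst),
            # ENCRYPTED_ONLY is the least disruptive compliant mode; choose
            # TRUSTED_CLIENT_CERTIFICATE_REQUIRED if clients already present certificates.
            "remediation": f"gcloud sql instances patch {inst['name']} --ssl-mode=ENCRYPTED_ONLY",
        })
    return findings


if __name__ == "__main__":
    for f in audit(load_sample_instances()):
        print(f"INCOMPLIANT {f['name']} ({f['databaseVersion']}): "
              f"effective sslMode={f['effective_ssl_mode']}\n  fix: {f['remediation']}")
```

Run against the sample, pg-dev (explicitly permissive) and sqlserver-unset (sslMode absent, so the default applies) are reported; the instance that still uses only requireSsl: true is accepted under the stated assumption, which is the case to double-check by hand if your fleet predates the sslMode field.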

References

  1. https://cloud.google.com/sql/docs/postgres/configure-ssl-instance/

Remediation

From Google Cloud Console

  1. Go to https://console.cloud.google.com/sql/instances.
  2. Click on an instance name to see its configuration overview.
  3. In the left-side panel, select Connections.
  4. In the Security section, set SSL mode to "Allow only SSL connections" (ENCRYPTED_ONLY) or, if clients present certificates issued for the instance, "Require trusted client certificates" (TRUSTED_CLIENT_CERTIFICATE_REQUIRED).
  5. Under Configure SSL server certificates, click Create new certificate and save the setting.

From Google Cloud CLI

To enforce SSL encryption for an instance, run the command below, where {{ssl-mode}} is ENCRYPTED_ONLY (encryption required) or TRUSTED_CLIENT_CERTIFICATE_REQUIRED (encryption plus a trusted client certificate required):

gcloud sql instances patch {{instance-name}} \
--ssl-mode={{ssl-mode}}

Note: a RESTART is required for MySQL Generation 1 instances (backendType: FIRST_GEN) for this configuration to take effect.

Linked Framework Sections

Framework | Section | Sub Sections / Internal Rules / Policies / Flags | Compliance
--- | --- | --- | ---
CIS GCP v1.2.0 | 6.4 Ensure that the Cloud SQL database instance requires all incoming connections to use SSL - Level 1 (Automated) | 1 | no data
CIS GCP v1.3.0 | 6.4 Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL - Level 1 (Automated) | 1 | no data
CIS GCP v2.0.0 | 6.4 Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL - Level 1 (Automated) | 1 | no data
CIS GCP v3.0.0 | 6.4 Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL - Level 1 (Automated) | 1 | no data
Cloudaware Framework | Data Encryption | 61 | no data
ISO/IEC 27001:2013 | A.8.2.3 Handling of assets | 5 | no data
ISO/IEC 27001:2013 | A.13.2.1 Information transfer policies and procedures | 1 | no data
ISO/IEC 27001:2013 | A.14.1.3 Protecting application services transactions | 1015 | no data
NIST CSF v1.1 | DE.CM-1: The network is monitored to detect potential cybersecurity events | 1863 | no data
NIST CSF v1.1 | ID.AM-3: Organizational communication and data flows are mapped | 48 | no data
NIST CSF v1.1 | PR.AC-3: Remote access is managed | 22 | no data
NIST CSF v1.1 | PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation) | 1044 | no data
NIST CSF v1.1 | PR.DS-1: Data-at-rest is protected | 1530 | no data
NIST CSF v1.1 | PR.DS-2: Data-in-transit is protected | 1653 | no data
NIST CSF v1.1 | PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition | 8 | no data
NIST CSF v1.1 | PR.DS-5: Protections against data leaks are implemented | 4791 | no data
NIST CSF v1.1 | PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity | 2227 | no data
NIST CSF v1.1 | PR.IP-6: Data is destroyed according to policy | 5 | no data
NIST CSF v1.1 | PR.PT-2: Removable media is protected and its use restricted according to policy | 5 | no data
NIST CSF v1.1 | PR.PT-4: Communications and control networks are protected | 1044 | no data
NIST CSF v2.0 | DE.CM-01: Networks and network services are monitored to find potentially adverse events | 180 | no data
NIST CSF v2.0 | DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events | 181 | no data
NIST CSF v2.0 | ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained | 89 | no data
NIST CSF v2.0 | ID.AM-08: Systems, hardware, software, services, and data are managed throughout their life cycles | 27 | no data
NIST CSF v2.0 | PR.AA-03: Users, services, and hardware are authenticated | 53 | no data
NIST CSF v2.0 | PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties | 133 | no data
NIST CSF v2.0 | PR.AA-06: Physical access to assets is managed, monitored, and enforced commensurate with risk | 44 | no data
NIST CSF v2.0 | PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected | 187 | no data
NIST CSF v2.0 | PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected | 160 | no data
NIST CSF v2.0 | PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected | 184 | no data
NIST CSF v2.0 | PR.IR-01: Networks and environments are protected from unauthorized logical access and usage | 123 | no data
NIST SP 800-53 Revision 4 | SC-7 BOUNDARY PROTECTION | 23531 | no data
PCI DSS v3.2.1 | 4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks. | 1828 | no data
PCI DSS v4.0.1 | 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks. | 228 | no data
PCI DSS v4.0 | 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks. | 2928 | no data