🛡️ Google Cloud SQL Instance SSL Connections are not enforced🟢

• Contextual name: 🛡️ Instance SSL Connections are not enforced🟢
• ID: /ce/ca/google/sql/instance-ssl
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 Google Cloud SQL Instance
  • 🔌 Google Cloud SQL Instance - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• Cloud Conformity: Enable SSL/TLS for Cloud SQL Incoming Connections

Description

Open File

Description

It is recommended to enforce SSL for all incoming connections to SQL database instances.

Rationale

SQL database connections that are successfully intercepted (MITM) can reveal sensitive data such as credentials, database queries, and query outputs. For security, it is recommended to always use SSL encryption when connecting to your instance. This recommendation is applicable to PostgreSQL, MySQL generation 1, MySQL generation 2, and SQL Server 2017 instances.

Impact

After enforcing the SSL requirement, existing clients will not be able to communicate with a Cloud SQL database instance unless they use SSL-encrypted connections.

Audit

This policy flags a Google SQL Instance as INCOMPLIANT if its SSL Mode is not set to ENCRYPTED_ONLY or TRUSTED_CLIENT_CERTIFICATE_REQUIRED.

Default Value

By default, the parameter settings: ipConfiguration: sslMode is not set, which is equivalent to sslMode:ALLOW_UNENCRYPTED_AND_ENCRYPTED.

References

1. https://cloud.google.com/sql/docs/postgres/configure-ssl-instance/

... see more

Remediation

Open File

Remediation

From Google Cloud Console

1. Go to https://console.cloud.google.com/sql/instances.
2. Click on an instance name to see its configuration overview.
3. In the left-side panel, select Connections.
4. In the Security section, select SSL mode as Allow only SSL connections.
5. Under Configure SSL server certificates, click Create new certificate and save the setting.

From Google Cloud CLI

To enforce SSL encryption for an instance, run the command:

gcloud sql instances patch {{instance-name}} \
    --ssl-mode={{ssl-mode}}

Note: RESTART is required for type MySQL Generation 1 Instances (backendType: FIRST_GEN) to get this configuration in effect.

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 CIS GCP v1.2.0 → 💼 6.4 Ensure that the Cloud SQL database instance requires all incoming connections to use SSL - Level 1 (Automated)			1		no data
💼 CIS GCP v1.3.0 → 💼 6.4 Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL - Level 1 (Automated)			1		no data
💼 CIS GCP v2.0.0 → 💼 6.4 Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL - Level 1 (Automated)			1		no data
💼 CIS GCP v3.0.0 → 💼 6.4 Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL - Level 1 (Automated)			1		no data
💼 Cloudaware Framework → 💼 Data Encryption			70		no data
💼 ISO/IEC 27001:2013 → 💼 A.8.2.3 Handling of assets			5		no data
💼 ISO/IEC 27001:2013 → 💼 A.13.2.1 Information transfer policies and procedures			1		no data
💼 ISO/IEC 27001:2013 → 💼 A.14.1.3 Protecting application services transactions		10	15		no data
💼 NIST CSF v1.1 → 💼 DE.CM-1: The network is monitored to detect potential cybersecurity events		18	63		no data
💼 NIST CSF v1.1 → 💼 ID.AM-3: Organizational communication and data flows are mapped		4	8		no data
💼 NIST CSF v1.1 → 💼 PR.AC-3: Remote access is managed			22		no data
💼 NIST CSF v1.1 → 💼 PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)		10	44		no data
💼 NIST CSF v1.1 → 💼 PR.DS-1: Data-at-rest is protected		15	30		no data
💼 NIST CSF v1.1 → 💼 PR.DS-2: Data-in-transit is protected		16	53		no data
💼 NIST CSF v1.1 → 💼 PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition			8		no data
💼 NIST CSF v1.1 → 💼 PR.DS-5: Protections against data leaks are implemented		47	91		no data
💼 NIST CSF v1.1 → 💼 PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity		22	27		no data
💼 NIST CSF v1.1 → 💼 PR.IP-6: Data is destroyed according to policy			5		no data
💼 NIST CSF v1.1 → 💼 PR.PT-2: Removable media is protected and its use restricted according to policy			5		no data
💼 NIST CSF v1.1 → 💼 PR.PT-4: Communications and control networks are protected		10	44		no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			180		no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			181		no data
💼 NIST CSF v2.0 → 💼 ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained			89		no data
💼 NIST CSF v2.0 → 💼 ID.AM-08: Systems, hardware, software, services, and data are managed throughout their life cycles			27		no data
💼 NIST CSF v2.0 → 💼 PR.AA-03: Users, services, and hardware are authenticated			53		no data
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties			133		no data
💼 NIST CSF v2.0 → 💼 PR.AA-06: Physical access to assets is managed, monitored, and enforced commensurate with risk			44		no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			187		no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			160		no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			184		no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			123		no data
💼 NIST SP 800-53 Revision 4 → 💼 SC-7 BOUNDARY PROTECTION	23	5	31		no data
💼 PCI DSS v3.2.1 → 💼 4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.	1	8	28		no data
💼 PCI DSS v4.0.1 → 💼 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks.	2		28		no data
💼 PCI DSS v4.0 → 💼 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks.	2	9	28		no data