⭐ Repository → 📁 Compliance Engine → 📁 CloudAware → 📁 Google → 📁 Cloud SQL

🛡️ Google Cloud SQL Instance SSL Connections are not enforced🟢

• Contextual name: 🛡️ Instance SSL Connections are not enforced🟢
• ID: /ce/ca/google/sql/instance-ssl
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 Google Cloud SQL Instance
  • 🔌 Google Cloud SQL Instance - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• Cloud Conformity: Enable SSL/TLS for Cloud SQL Incoming Connections

Description

Open File

Description

It is recommended to enforce all incoming connections to SQL database instance to use SSL.

Rationale

SQL database connections if successfully trapped (MITM); can reveal sensitive data like credentials, database queries, query outputs etc. For security, it is recommended to always use SSL encryption when connecting to your instance. This recommendation is applicable for Postgresql, MySql generation 1, MySql generation 2 and SQL Server 2017 instances.

Impact

After enforcing SSL requirement for connections, existing client will not be able to communicate with Cloud SQL database instance unless they use SSL encrypted connections to communicate to Cloud SQL database instance.

Audit

From Google Cloud Console

1. Go to https://console.cloud.google.com/sql/instances.
2. Click on an instance name to see its configuration overview.
3. In the left-side panel, select Connections.
4. In the Security section, ensure that Allow only SSL connections option is selected.

From Google Cloud CLI

1. Get the detailed configuration for every SQL database instance using the following command:

... see more

Remediation

Open File

Remediation

From Google Cloud Console

1. Go to https://console.cloud.google.com/sql/instances.
2. Click on an instance name to see its configuration overview.
3. In the left-side panel, select Connections.
4. In the security section, select SSL mode as Allow only SSL connections.
5. Under Configure SSL server certificates click Create new certificate and save the setting

From Google Cloud CLI

To enforce SSL encryption for an instance run the command:

        gcloud sql instances patch INSTANCE_NAME --ssl-mode= ENCRYPTED_ONLY

Note: RESTART is required for type MySQL Generation 1 Instances (backendType: FIRST_GEN) to get this configuration in effect.

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 CIS GCP v1.2.0 → 💼 6.4 Ensure that the Cloud SQL database instance requires all incoming connections to use SSL - Level 1 (Automated)			1		no data
💼 CIS GCP v1.3.0 → 💼 6.4 Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL - Level 1 (Automated)			1		no data
💼 CIS GCP v2.0.0 → 💼 6.4 Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL - Level 1 (Automated)			1		no data
💼 CIS GCP v3.0.0 → 💼 6.4 Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL - Level 1 (Automated)			1		no data
💼 Cloudaware Framework → 💼 Secure Access			55		no data