🛡️ Google Cloud SQL Instance has public IP addresses🟢

• Contextual name: 🛡️ Instance has public IP addresses🟢
• ID: /ce/ca/google/sql/instance-with-public-ip
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 Google Cloud SQL Instance
  • 🔌 Google Cloud SQL Instance IP Address - object.extracts.yaml
  • 🔌 Google Cloud SQL Instance - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• Cloud Conformity: Check for Cloud SQL Database Instances with Public IPs

Description

Open File

Description

It is recommended to configure second generation SQL instances to use private IPs instead of public IPs.

Rationale

To lower the organization's attack surface, Cloud SQL databases should not have public IPs. Private IPs provide improved network security and lower latency for your application.

Impact

Removing the public IP address on SQL instances may break some applications that relied on it for database connectivity.

Audit

From Google Cloud Console

1. Go to the Cloud SQL Instances page in the Google Cloud Console: https://console.cloud.google.com/sql/instances
2. Ensure that every instance has a private IP address and no public IP address configured.

From Google Cloud CLI

1. List all Cloud SQL database instances using the following command:

   gcloud sql instances list

2. For every instance of type instanceType: CLOUD_SQL_INSTANCE with backendType: SECOND_GEN, get detailed configuration. Ignore instances of type READ_REPLICA_INSTANCE because these instances inherit their settings from the primary instance. Also, note that first generation instances cannot be configured to have a private IP address.

... see more

Remediation

Open File

Remediation

From Google Cloud Console

1. Go to the Cloud SQL Instances page in the Google Cloud Console: https://console.cloud.google.com/sql/instances
2. Click the instance name to open its Instance details page.
3. Select the Connections tab.
4. Deselect the Public IP checkbox.
5. Click Save to update the instance.

From Google Cloud CLI

1. For every instance, remove its public IP and assign a private IP instead:

   gcloud sql instances patch {{instance-name}} \
       --network={{vpc-network-name}} \
       --no-assign-ip

2. Confirm the changes using the following command:

   gcloud sql instances describe {{instance-name}}

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 CIS GCP v1.2.0 → 💼 6.6 Ensure that Cloud SQL database instances do not have public IPs - Level 2 (Automated)			1		no data
💼 CIS GCP v1.3.0 → 💼 6.6 Ensure That Cloud SQL Database Instances Do Not Have Public IPs - Level 2 (Automated)			1		no data
💼 CIS GCP v2.0.0 → 💼 6.6 Ensure That Cloud SQL Database Instances Do Not Have Public IPs - Level 2 (Automated)			1		no data
💼 CIS GCP v3.0.0 → 💼 6.6 Ensure That Cloud SQL Database Instances Do Not Have Public IPs - Level 2 (Automated)			1		no data
💼 Cloudaware Framework → 💼 Network Exposure			132		no data
💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)		37	84		no data
💼 FedRAMP High Security Controls → 💼 AC-5 Separation of Duties (M)(H)			17		no data
💼 FedRAMP High Security Controls → 💼 AC-6 Least Privilege (M)(H)	8	11	79		no data
💼 FedRAMP High Security Controls → 💼 MA-4 Nonlocal Maintenance (L)(M)(H)	1		1		no data
💼 FedRAMP High Security Controls → 💼 MP-2 Media Access (L)(M)(H)			13		no data
💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			84		no data
💼 FedRAMP Low Security Controls → 💼 MA-4 Nonlocal Maintenance (L)(M)(H)			1		no data
💼 FedRAMP Low Security Controls → 💼 MP-2 Media Access (L)(M)(H)			13		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			84		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-5 Separation of Duties (M)(H)			17		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6 Least Privilege (M)(H)	6		79		no data
💼 FedRAMP Moderate Security Controls → 💼 MA-4 Nonlocal Maintenance (L)(M)(H)			1		no data
💼 FedRAMP Moderate Security Controls → 💼 MP-2 Media Access (L)(M)(H)			13		no data
💼 ISO/IEC 27001:2022 → 💼 5.10 Acceptable use of information and other associated assets		11	27		no data
💼 ISO/IEC 27001:2022 → 💼 5.15 Access control		14	31		no data
💼 ISO/IEC 27001:2022 → 💼 8.3 Information access restriction		10	24		no data
💼 ISO/IEC 27001:2022 → 💼 8.4 Access to source code		8	22		no data
💼 NIST CSF v1.1 → 💼 PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties		17	56		no data
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties			133		no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			184		no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			123		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3 Access Enforcement	15	5	59		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-5 Separation of Duties			17		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6 Least Privilege	10	23	72		no data
💼 NIST SP 800-53 Revision 5 → 💼 MA-4 Nonlocal Maintenance	7		1		no data
💼 NIST SP 800-53 Revision 5 → 💼 MP-2 Media Access	2		13		no data
💼 PCI DSS v3.2.1 → 💼 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.		10	65		no data
💼 PCI DSS v4.0.1 → 💼 1.3.1 Inbound traffic to the CDE is restricted.			65		no data
💼 PCI DSS v4.0.1 → 💼 1.3.2 Outbound traffic from the CDE is restricted.			65		no data
💼 PCI DSS v4.0 → 💼 1.3.1 Inbound traffic to the CDE is restricted.		7	65		no data
💼 PCI DSS v4.0 → 💼 1.3.2 Outbound traffic from the CDE is restricted.			65		no data
💼 SOC 2 → 💼 CC5.2-2 Establishes Relevant Technology Infrastructure Control Activities			7		no data
💼 SOC 2 → 💼 CC5.2-3 Establishes Relevant Security Management Process Controls Activities		15	36		no data
💼 SOC 2 → 💼 CC6.1-3 Restricts Logical Access		1	22		no data
💼 SOC 2 → 💼 CC6.1-7 Restricts Access to Information Assets		13	27		no data