Skip to main content

πŸ“ Google Cloud MySQL Instance allows anyone to connect with administrative privileges 🟒

  • Contextual name: πŸ“ MySQL Instance allows anyone to connect with administrative privileges 🟒
  • ID: /ce/ca/google/sql/mysql-instance-allows-administrative-access
  • Located in: πŸ“ Google Cloud SQL

Flags​

Our Metadata​

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies​

Description​

Open File

Description​

It is recommended to set a password for the administrative user (root by default) to prevent unauthorized access to the SQL database instances.

This recommendation is applicable only for MySQL Instances. PostgreSQL does not offer any setting for No Password from the cloud console.

Rationale​

At the time of MySQL Instance creation, not providing an administrative password allows anyone to connect to the SQL database instance with administrative privileges. The root password should be set to ensure only authorized users have these privileges.

Impact​

Connection strings for administrative clients need to be reconfigured to use a password.

Audit​

From Google Cloud CLI​

  1. List All SQL database instances of type MySQL:

         gcloud sql instances list --filter='DATABASE_VERSION:MYSQL* --project <project_id> --format="(NAME,PRIMARY_ADDRESS)"'

  2. For every MySQL instance try to connect using the PRIMARY_ADDRESS, if available:

         mysql -u root -h <mysql_instance_ip_address>

The command should return either an error message or a password prompt.

... see more

Remediation​

Open File

Remediation​

From Google Cloud Console​

  1. Go to the Cloud SQL Instances page in the Google Cloud Platform Console using https://console.cloud.google.com/sql/
  2. Select the instance to open its Overview page.
  3. Select Access Control > Users.
  4. Click the More actions icon for the user to be updated.
  5. Select Change password, specify a New password, and click OK.

From Google Cloud CLI​

  1. Set a password to a MySql instance:

         gcloud sql users set-password root --host=<host> --instance=<instance_name> --prompt-for-password

  2. A prompt will appear, requiring the user to enter a password:

         Instance Password:

  3. With a successful password configured, the following message should be seen:

         Updating Cloud SQL user...done.

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό CIS GCP v3.0.0 β†’ πŸ’Ό 6.1.1 Ensure That a MySQL Database Instance Does Not Allow Anyone To Connect With Administrative Privileges - Level 1 (Manual)1
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Secure Access43