
🛡️ Google Cloud MySQL Instance allows anyone to connect with administrative privileges

  • Contextual name: 🛡️ MySQL Instance allows anyone to connect with administrative privileges
  • ID: /ce/ca/google/sql/mysql-instance-allows-administrative-access
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Description

It is recommended to set a password for the administrative user (root by default) to prevent unauthorized access to the SQL database instances.

This recommendation applies only to MySQL instances; PostgreSQL does not offer a no-password option in the Cloud Console.

Rationale

If no administrative password is supplied when a MySQL instance is created, anyone who can reach the instance can connect to it with administrative privileges. Set the root password so that only authorized users hold those privileges.

Impact

Connection strings for administrative clients need to be reconfigured to use a password.

Audit

From Google Cloud CLI
  1. List All SQL database instances of type MySQL:

         gcloud sql instances list --filter='DATABASE_VERSION:MYSQL*' --project <project_id> --format="(NAME,PRIMARY_ADDRESS)"
  2. For every MySQL instance that has a PRIMARY_ADDRESS, try to connect to it:

         mysql -u root -h <mysql_instance_ip_address>

The command should return either an error message or a password prompt.
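The audit above is manual: one gcloud call, then one mysql call per instance, read by eye. The script below is an added example (not Cloudaware or CIS code) that automates the same two steps: it filters MySQL instances out of `gcloud sql instances list --format=json` output, skips instances with no PRIMARY address, and runs the page's `mysql -u root -h <ip>` probe non-interactively. The classification matters for the defender: a successful no-password login is a FAIL, an "Access denied" (MySQL error 1045) is a PASS, and a timeout or "Can't connect" is reported as INCONCLUSIVE, because being blocked by authorized networks or a missing client says nothing about whether a password is set. The JSON sample, instance names and addresses are constructed; the `probe` parameter exists so the classification can be exercised without a live instance.

```python
"""Automated form of the CIS 6.1.1 audit: enumerate Cloud SQL MySQL
instances from `gcloud sql instances list --format=json` output and check
whether root accepts an empty password.  Added example, not Cloudaware or
CIS code."""
import json
import subprocess
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample of `gcloud sql instances list --format=json` output,
# trimmed to the fields this check reads.  Names and addresses are made up.
SAMPLE_INSTANCES_JSON = """
[
  {"name": "orders-mysql", "databaseVersion": "MYSQL_8_0",
   "ipAddresses": [{"type": "PRIMARY", "ipAddress": "203.0.113.10"}]},
  {"name": "billing-pg", "databaseVersion": "POSTGRES_15",
   "ipAddresses": [{"type": "PRIMARY", "ipAddress": "203.0.113.11"}]},
  {"name": "internal-mysql", "databaseVersion": "MYSQL_5_7",
   "ipAddresses": [{"type": "PRIVATE", "ipAddress": "10.20.0.5"}]}
]
"""

# Constructed stderr line of the shape the mysql client prints when the
# server rejects an empty password (ER_ACCESS_DENIED_ERROR, code 1045).
DENIED = ("ERROR 1045 (28000): Access denied for user 'root'@'198.51.100.7' "
          "(using password: NO)")

# A probe takes an IP address and returns (exit code, stderr).
Probe = Callable[[str], Tuple[int, str]]


def mysql_targets(instances_json: str) -> List[Tuple[str, Optional[str]]]:
    """Return (name, primary_ip) for every MySQL instance.  primary_ip is
    None when the instance has no PRIMARY (public) address, which is the
    'if available' case in the audit text."""
    targets = []
    for inst in json.loads(instances_json):
        if not inst.get("databaseVersion", "").startswith("MYSQL"):
            continue  # PostgreSQL / SQL Server instances are out of scope
        primary = next((a["ipAddress"] for a in inst.get("ipAddresses", [])
                        if a.get("type") == "PRIMARY"), None)
        targets.append((inst["name"], primary))
    return targets


def mysql_probe(ip: str, timeout_s: int = 5) -> Tuple[int, str]:
    """Non-interactive form of `mysql -u root -h <ip>`: without -p the
    client sends an empty password; -e makes it exit instead of opening a
    shell.  Returns (exit code, stderr)."""
    proc = subprocess.run(
        ["mysql", "-u", "root", "-h", ip,
         f"--connect-timeout={timeout_s}", "-e", "SELECT 1"],
        capture_output=True, text=True)
    return proc.returncode, proc.stderr


def classify(rc: int, stderr: str) -> str:
    """Map the client's result to an audit verdict.
    FAIL: login succeeded with no password (the misconfiguration).
    PASS: the server rejected the empty password (error 1045).
    INCONCLUSIVE: no answer from the server (timeout, not on an authorized
    network, client missing); not evidence that a password is set."""
    if rc == 0:
        return "FAIL"
    if "1045" in stderr or "Access denied" in stderr:
        return "PASS"
    return "INCONCLUSIVE"


def audit(instances_json: str, probe: Probe = mysql_probe) -> Dict[str, str]:
    """Run the check against every MySQL instance with a public address."""
    results = {}
    for name, ip in mysql_targets(instances_json):
        results[name] = "SKIPPED" if ip is None else classify(*probe(ip))
    return results


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Live run: python audit_root.py instances.json, where the file is
        # the output of `gcloud sql instances list --project <project_id> --format=json`
        with open(sys.argv[1]) as fh:
            data, probe = fh.read(), mysql_probe
    else:
        # Offline demo on the constructed sample with a canned "Access denied".
        data, probe = SAMPLE_INSTANCES_JSON, lambda ip: (1, DENIED)
    for name, verdict in audit(data, probe).items():
        print(f"{name}: {verdict}")
```

Treat INCONCLUSIVE results as open items rather than passes: re-run the probe from a host that is on the instance's authorized network list (or through the Cloud SQL Auth Proxy) before recording the control as satisfied.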


Remediation

From Google Cloud Console

  1. Go to the Cloud SQL Instances page in the Google Cloud Platform Console using https://console.cloud.google.com/sql/
  2. Select the instance to open its Overview page.
  3. Select Access Control > Users.
  4. Click the More actions icon for the user to be updated.
  5. Select Change password, specify a New password, and click OK.

From Google Cloud CLI

  1. Set a password for the administrative user of a MySQL instance:

         gcloud sql users set-password root --host=<host> --instance=<instance_name> --prompt-for-password
  2. A prompt will appear, requiring the user to enter a password:

         Instance Password:
  3. Once the password has been set, the following message is shown:

         Updating Cloud SQL user...done.


Linked Framework Sections

Section | Sub Sections / Internal Rules / Policies / Flags | Compliance
💼 CIS GCP v1.2.0 → 💼 6.1.1 Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges - Level 1 (Automated _ Roadmapped) | 1 | no data
💼 CIS GCP v1.3.0 → 💼 6.1.1 Ensure That a MySQL Database Instance Does Not Allow Anyone To Connect With Administrative Privileges - Level 1 (Manual) | 1 | no data
💼 CIS GCP v2.0.0 → 💼 6.1.1 Ensure That a MySQL Database Instance Does Not Allow Anyone To Connect With Administrative Privileges - Level 1 (Manual) | 1 | no data
💼 CIS GCP v3.0.0 → 💼 6.1.1 Ensure That a MySQL Database Instance Does Not Allow Anyone To Connect With Administrative Privileges - Level 1 (Manual) | 1 | no data
💼 Cloudaware Framework → 💼 Secure Access | 55 | no data
💼 ISO/IEC 27001:2013 → 💼 A.8.2.3 Handling of assets | 4 | no data
💼 ISO/IEC 27001:2022 → 💼 8.5 Secure authentication | 2 | no data
💼 NIST CSF v1.1 → 💼 PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties | 1752 | no data
💼 NIST CSF v1.1 → 💼 PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions | 413 | no data
💼 NIST CSF v1.1 → 💼 PR.DS-1: Data-at-rest is protected | 1528 | no data
💼 NIST CSF v1.1 → 💼 PR.DS-2: Data-in-transit is protected | 1631 | no data
💼 NIST CSF v1.1 → 💼 PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition | 7 | no data
💼 NIST CSF v1.1 → 💼 PR.DS-5: Protections against data leaks are implemented | 4766 | no data
💼 NIST CSF v1.1 → 💼 PR.IP-6: Data is destroyed according to policy | 4 | no data
💼 NIST CSF v1.1 → 💼 PR.PT-2: Removable media is protected and its use restricted according to policy | 4 | no data
💼 NIST CSF v1.1 → 💼 PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities | 2130 | no data
💼 NIST CSF v2.0 → 💼 ID.AM-08: Systems, hardware, software, services, and data are managed throughout their life cycles | 21 | no data
💼 NIST CSF v2.0 → 💼 PR.AA-02: Identities are proofed and bound to credentials based on the context of interactions | 13 | no data
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties | 91 | no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected | 118 | no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected | 98 | no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected | 112 | no data
💼 NIST SP 800-53 Revision 4 → 💼 AC-3 ACCESS ENFORCEMENT | 102 | no data
💼 PCI DSS v3.2.1 → 💼 2.1 Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network. | 18 | no data
💼 PCI DSS v4.0.1 → 💼 2.2.2 Vendor default accounts are managed. | 8 | no data
💼 PCI DSS v4.0 → 💼 2.2.2 Vendor default accounts are managed. | 8 | no data