Skip to main content

πŸ“ Google Cloud MySQL Instance allows anyone to connect with administrative privileges 🟒

  • Contextual name: πŸ“ MySQL Instance allows anyone to connect with administrative privileges 🟒
  • ID: /ce/ca/google/sql/mysql-instance-allows-administrative-access
  • Located in: πŸ“ Google Cloud SQL

Flags​

Our Metadata​

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies​

Description​

Open File

Description​

It is recommended to set a password for the administrative user (root by default) to prevent unauthorized access to the SQL database instances.

This recommendation is applicable only for MySQL Instances. PostgreSQL does not offer any setting for No Password from the cloud console.

Rationale​

At the time of MySQL Instance creation, not providing an administrative password allows anyone to connect to the SQL database instance with administrative privileges. The root password should be set to ensure only authorized users have these privileges.

Impact​

Connection strings for administrative clients need to be reconfigured to use a password.

Audit​

From Google Cloud CLI​

  1. List All SQL database instances of type MySQL:

         gcloud sql instances list --filter='DATABASE_VERSION:MYSQL* --project <project_id> --format="(NAME,PRIMARY_ADDRESS)"'

  2. For every MySQL instance try to connect using the PRIMARY_ADDRESS, if available:

         mysql -u root -h <mysql_instance_ip_address>

The command should return either an error message or a password prompt.

... see more

Remediation​

Open File

Remediation​

From Google Cloud Console​

  1. Go to the Cloud SQL Instances page in the Google Cloud Platform Console using https://console.cloud.google.com/sql/
  2. Select the instance to open its Overview page.
  3. Select Access Control > Users.
  4. Click the More actions icon for the user to be updated.
  5. Select Change password, specify a New password, and click OK.

From Google Cloud CLI​

  1. Set a password to a MySql instance:

         gcloud sql users set-password root --host=<host> --instance=<instance_name> --prompt-for-password

  2. A prompt will appear, requiring the user to enter a password:

         Instance Password:

  3. With a successful password configured, the following message should be seen:

         Updating Cloud SQL user...done.

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό CIS GCP v1.2.0 β†’ πŸ’Ό 6.1.1 Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges - Level 1 (Automated _ Roadmapped)1
πŸ’Ό CIS GCP v1.3.0 β†’ πŸ’Ό 6.1.1 Ensure That a MySQL Database Instance Does Not Allow Anyone To Connect With Administrative Privileges - Level 1 (Manual)1
πŸ’Ό CIS GCP v2.0.0 β†’ πŸ’Ό 6.1.1 Ensure That a MySQL Database Instance Does Not Allow Anyone To Connect With Administrative Privileges - Level 1 (Manual)1
πŸ’Ό CIS GCP v3.0.0 β†’ πŸ’Ό 6.1.1 Ensure That a MySQL Database Instance Does Not Allow Anyone To Connect With Administrative Privileges - Level 1 (Manual)1
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Secure Access46
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.8.2.3 Handling of assets4
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 8.5 Secure authentication2
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties1652
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions413
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-1: Data-at-rest is protected1528
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-2: Data-in-transit is protected1631
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition7
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-5: Protections against data leaks are implemented4666
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.IP-6: Data is destroyed according to policy4
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.PT-2: Removable media is protected and its use restricted according to policy4
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities2130
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.AM-08: Systems, hardware, software, services, and data are managed throughout their life cycles20
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-02: Identities are proofed and bound to credentials based on the context of interactions13
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties87
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected110
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected91
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected104
πŸ’Ό NIST SP 800-53 Revision 4 β†’ πŸ’Ό AC-3 ACCESS ENFORCEMENT102
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 2.1 Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.18
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 2.2.2 Vendor default accounts are managed.8
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 2.2.2 Vendor default accounts are managed.8