🛡️ Google Cloud PostgreSQL Instance Log_connections Database Flag is not set to On🟢

• Contextual name: 🛡️ PostgreSQL Instance Log_connections Database Flag is not set to On🟢
• ID: /ce/ca/google/sql/postgresql-instance-log-connections-flag
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: RELIABILITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 Google Cloud SQL Instance
  • 🔌 Google Cloud SQL Instance - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• Cloud Conformity: Enable 'log_connections' Flag for PostgreSQL Database Instances

Description

Open File

Description

Enabling the log_connections setting causes each attempted connection to the server to be logged, along with successful completion of client authentication. This parameter cannot be changed after the session starts.

Rationale

PostgreSQL does not log attempted connections by default. Enabling the log_connections setting will create log entries for each attempted connection as well as successful completion of client authentication which can be useful in troubleshooting issues and to determine any unusual connection attempts to the server. This recommendation is applicable to PostgreSQL database instances.

Impact

Turning on logging will increase the required storage over time. Mismanaged logs may cause your storage costs to increase. Setting custom flags via command line on certain instances will cause all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended you apply these flags changes during a period of low usage.

... see more

Remediation

Open File

Remediation

From Google Cloud Console

1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.
2. Select the PostgreSQL instance for which you want to enable the database flag.
3. Click Edit.
4. Scroll down to the Flags section.
5. To set a flag that has not been set on the instance before, click Add a Database Flag, choose the flag log_connections from the drop-down menu and set the value as on.
6. Click Save.
7. Confirm the changes under Flags on the Overview page.

From Google Cloud CLI

1. Configure the log_connections database flag for every Cloud SQL PosgreSQL database instance using the below command.

        gcloud sql instances patch <INSTANCE_NAME> --database-flags "log_connections"=on

Note: This command will overwrite all previously set database flags. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ("=").

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 CIS GCP v1.2.0 → 💼 6.2.3 Ensure that the 'log_connections' database flag for Cloud SQL PostgreSQL instance is set to 'on' - Level 1 (Automated)			1		no data
💼 CIS GCP v1.3.0 → 💼 6.2.2 Ensure That the 'Log_connections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On' - Level 1 (Automated)			1		no data
💼 CIS GCP v2.0.0 → 💼 6.2.2 Ensure That the 'Log_connections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On' - Level 1 (Automated)			1		no data
💼 CIS GCP v3.0.0 → 💼 6.2.2 Ensure That the 'Log_connections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On' - Level 1 (Automated)			1		no data
💼 Cloudaware Framework → 💼 System Configuration			45		no data
💼 FedRAMP High Security Controls → 💼 AU-3 Content of Audit Records (L)(M)(H)	1		28		no data
💼 FedRAMP High Security Controls → 💼 AU-7 Audit Record Reduction and Report Generation (M)(H)	1		18		no data
💼 FedRAMP High Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)	2		65		no data
💼 FedRAMP Low Security Controls → 💼 AU-3 Content of Audit Records (L)(M)(H)			14		no data
💼 FedRAMP Low Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)			65		no data
💼 FedRAMP Moderate Security Controls → 💼 AU-3 Content of Audit Records (L)(M)(H)	1		28		no data
💼 FedRAMP Moderate Security Controls → 💼 AU-7 Audit Record Reduction and Report Generation (M)(H)	1		18		no data
💼 FedRAMP Moderate Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)			65		no data
💼 ISO/IEC 27001:2022 → 💼 5.28 Collection of evidence		14	21		no data
💼 NIST CSF v1.1 → 💼 DE.AE-3: Event data are collected and correlated from multiple sources and sensors		18	38		no data
💼 NIST CSF v1.1 → 💼 DE.CM-1: The network is monitored to detect potential cybersecurity events		18	63		no data
💼 NIST CSF v2.0 → 💼 DE.AE-03: Information is correlated from multiple sources			50		no data
💼 NIST CSF v2.0 → 💼 DE.AE-07: Cyber threat intelligence and other contextual information are integrated into the analysis			38		no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			145		no data
💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events			85		no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			142		no data
💼 NIST CSF v2.0 → 💼 RS.AN-03: Analysis is performed to establish what has taken place during an incident and the root cause of the incident			17		no data
💼 NIST CSF v2.0 → 💼 RS.AN-06: Actions performed during an investigation are recorded, and the records' integrity and provenance are preserved			18		no data
💼 NIST CSF v2.0 → 💼 RS.AN-07: Incident data and metadata are collected, and their integrity and provenance are preserved			18		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-3 Content of Audit Records	3	13	28		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-7 Audit Record Reduction and Report Generation	2	1	18		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-12 Audit Record Generation	4	47	65		no data
💼 PCI DSS v3.2.1 → 💼 9.7 Maintain strict control over the storage and accessibility of media.	1		6		no data
💼 PCI DSS v3.2.1 → 💼 10.2 Implement automated audit trails for all system components.	7	6	28		no data
💼 PCI DSS v3.2.1 → 💼 10.2.2 All actions taken by any individual with root or administrative privileges.			16		no data
💼 PCI DSS v3.2.1 → 💼 10.2.5 Use of and changes to identification and authentication mechanisms.		1	16		no data
💼 PCI DSS v4.0.1 → 💼 9.4.5 Inventory logs of all electronic media with cardholder data are maintained.	1		6		no data
💼 PCI DSS v4.0.1 → 💼 10.2.1 Audit logs are enabled and active for all system components and cardholder data.	7		27		no data
💼 PCI DSS v4.0.1 → 💼 10.2.1.2 Audit logs capture all actions taken by any individual with administrative access, including any interactive use of application or system accounts.			16		no data
💼 PCI DSS v4.0.1 → 💼 10.2.1.5 Audit logs capture all changes to identification and authentication credentials.			16		no data
💼 PCI DSS v4.0 → 💼 9.4.5 Inventory logs of all electronic media with cardholder data are maintained.	1		6		no data
💼 PCI DSS v4.0 → 💼 10.2.1 Audit logs are enabled and active for all system components and cardholder data.	7	1	27		no data
💼 PCI DSS v4.0 → 💼 10.2.1.2 Audit logs capture all actions taken by any individual with administrative access, including any interactive use of application or system accounts.			16		no data
💼 PCI DSS v4.0 → 💼 10.2.1.5 Audit logs capture all changes to identification and authentication credentials.			16		no data
💼 SOC 2 → 💼 CC5.2-3 Establishes Relevant Security Management Process Controls Activities		15	36		no data
💼 SOC 2 → 💼 CC7.2-1 Implements Detection Policies, Procedures, and Tools			7		no data
💼 SOC 2 → 💼 CC7.2-2 Designs Detection Measures			7		no data
💼 SOC 2 → 💼 CC7.2-3 Implements Filters to Analyze Anomalies		9	18		no data