Skip to main content

πŸ“ Google Cloud SQL Instance Automated Backups are not configured 🟒

  • Contextual name: πŸ“ SQL Instance Automated Backups are not configured 🟒
  • ID: /ce/ca/google/sql/sql-instance-backup
  • Located in: πŸ“ Google Cloud SQL

Flags​

Our Metadata​

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • RELIABILITY

Similar Policies​

Logic​

Description​

Open File

Description​

It is recommended to have all SQL database instances set to enable automated backups.

Rationale​

Backups provide a way to restore a Cloud SQL instance to recover lost data or recover from a problem with that instance. Automated backups need to be set for any instance that contains data that should be protected from loss or damage. This recommendation is applicable for SQL Server, PostgreSql, MySql generation 1 and MySql generation 2 instances.

Impact​

Automated Backups will increase required size of storage and costs associated with it.

Audit​

From Google Cloud Console​
  1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.
  2. Click the instance name to open its instance details page.
  3. Go to the Backups menu.
  4. Ensure that Automated backups is set to Enabled and Backup time is mentioned.
From Google Cloud CLI​
  1. List all Cloud SQL database instances using the following command:
gcloud sql instances list --format=json | jq '. | map(select(.instanceType != "READ_REPLICA_INSTANCE")) | .[].name'

... [see more](description.md)

Remediation​

Open File

Remediation​

From Google Cloud Console​

  1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.
  2. Select the instance where the backups need to be configured.
  3. Click Edit.
  4. In the Backups section, check Enable automated backups, and choose a backup window.
  5. Click Save.

From Google Cloud CLI​

  1. List all Cloud SQL database instances using the following command:

         gcloud sql instances list --format=json | jq '. | map(select(.instanceType != "READ_REPLICA_INSTANCE")) | .[].name'

NOTE: gcloud command has been added with the filter to exclude read-replicas instances, as GCP do not provide Automated Backups for read-replica instances. 2. Enable Automated backups for every Cloud SQL database instance using the below command:

        gcloud sql instances patch <INSTANCE_NAME> --backup-start-time <[HH:MM]>

The backup-start-time parameter is specified in 24-hour time, in the UTCΒ±00 time zone, and specifies the start of a 4-hour backup window. Backups can start any time during the backup window.

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό CIS GCP v1.2.0 β†’ πŸ’Ό 6.7 Ensure that Cloud SQL database instances are configured with automated backups - Level 1 (Automated)1
πŸ’Ό CIS GCP v1.3.0 β†’ πŸ’Ό 6.7 Ensure That Cloud SQL Database Instances Are Configured With Automated Backups - Level 1 (Automated)1
πŸ’Ό CIS GCP v2.0.0 β†’ πŸ’Ό 6.7 Ensure That Cloud SQL Database Instances Are Configured With Automated Backups - Level 1 (Automated)1
πŸ’Ό CIS GCP v3.0.0 β†’ πŸ’Ό 6.7 Ensure That Cloud SQL Database Instances Are Configured With Automated Backups - Level 1 (Automated)1
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό System Configuration30
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό CP-9 System Backup (L)(M)(H)548
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό CP-10 System Recovery and Reconstitution (L)(M)(H)25
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό CP-9 System Backup (L)(M)(H)7
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό CP-10 System Recovery and Reconstitution (L)(M)(H)5
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό CP-9 System Backup (L)(M)(H)28
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό CP-10 System Recovery and Reconstitution (L)(M)(H)15
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.12.3.1 Information backup1
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 8.13 Information backup12
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.IP-4: Backups of information are conducted, maintained, and tested47
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected114
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected108
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-11: Backups of data are created, protected, maintained, and tested9
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό RC.RP-01: The recovery portion of the incident response plan is executed once initiated from the incident response process5
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό RC.RP-02: Recovery actions are selected, scoped, prioritized, and performed5
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό RC.RP-03: The integrity of backups and other restoration assets is verified before using them for restoration3
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό RC.RP-05: The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed5
πŸ’Ό NIST SP 800-53 Revision 4 β†’ πŸ’Ό CP-9 INFORMATION SYSTEM BACKUP71
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό CP-9 System Backup84
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό CP-10 System Recovery and Reconstitution65