📝 Google Cloud SQL Instance External Authorized Networks do not whitelist all public IP addresses 🟢

• Contextual name: 📝 SQL Instance External Authorized Networks do not whitelist all public IP addresses 🟢
• ID: /ce/ca/google/sql/sql-instance-public-ip-whitelist
• Located in: 📁 Google Cloud SQL

Flags

• 🟢 Policy with categories
• 🟢 Policy with type
• 🟢 Production policy

Our Metadata

• Policy Type: COMPLIANCE_POLICY
• Policy Category:
  • SECURITY

Similar Policies

• Cloud Conformity
  • Check for Publicly Accessible Cloud SQL Database Instances

Logic

• 🧠 prod.logic.yaml 🟢
  • 📕 Google Cloud SQL Instance
  • 🔌 Google Cloud SQL Instance - object.extracts.yaml
  • 🧪 test-data.json

Description

Open File

Description

Database Server should accept connections only from trusted Network(s)/IP(s) and restrict access from public IP addresses.

Rationale

To minimize attack surface on a Database server instance, only trusted/known and required IP(s) should be white-listed to connect to it.

An authorized network should not have IPs/networks configured to 0.0.0.0/0 which will allow access to the instance from anywhere in the world. Note that authorized networks apply only to instances with public IPs.

Impact

The Cloud SQL database instance would not be available to public IP addresses.

Audit

From Google Cloud Console

1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.
2. Click the instance name to open its Instance details page.
3. Under the Configuration section click Edit configurations.
4. Under Configuration options expand the Connectivity section.
5. Ensure that no authorized network is configured to allow 0.0.0.0/0.

From Google Cloud CLI

... see more

Remediation

Open File

Remediation

From Google Cloud Console

1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.
2. Click the instance name to open its Instance details page.
3. Under the Configuration section click Edit configurations
4. Under Configuration options expand the Connectivity section.
5. Click the delete icon for the authorized network 0.0.0.0/0.
6. Click Save to update the instance.

From Google Cloud CLI

Update the authorized network list by dropping off any addresses.

        gcloud sql instances patch <INSTANCE_NAME> --authorized-networks=IP_ADDR1,IP_ADDR2...

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags
💼 CIS GCP v3.0.0 → 💼 6.5 Ensure That Cloud SQL Database Instances Do Not Implicitly Whitelist All Public IP Addresses - Level 1 (Automated)			1
💼 Cloudaware Framework → 💼 Public and Anonymous Access			24