Description

Database Server should accept connections only from trusted Network(s)/IP(s) and restrict access from public IP addresses.

Rationale

To minimize attack surface on a Database server instance, only trusted/known and required IP(s) should be white-listed to connect to it.

An authorized network should not have IPs/networks configured to 0.0.0.0/0 which will allow access to the instance from anywhere in the world. Note that authorized networks apply only to instances with public IPs.

Impact

The Cloud SQL database instance would not be available to public IP addresses.

Audit

From Google Cloud Console

Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.
Click the instance name to open its Instance details page.
Under the Configuration section click Edit configurations.
Under Configuration options expand the Connectivity section.
Ensure that no authorized network is configured to allow 0.0.0.0/0.

From Google Cloud CLI

Get detailed configuration for every Cloud SQL database instance.
```
     gcloud sql instances list --format=json
```

Ensure that the section settings: ipConfiguration : authorizedNetworks does not have any parameter value containing 0.0.0.0/0.

Prevention

To prevent new SQL instances from being configured to accept incoming connections from any IP addresses, set up a Restrict Authorized Networks on Cloud SQL instances Organization Policy at: https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks.

Default Value

By default, authorized networks are not configured. Remote connection to Cloud SQL database instance is not possible unless authorized networks are configured.

References

Additional Information

There is no IPv6 configuration found for Google cloud SQL server services.

Rationale​

Impact​

Audit​

From Google Cloud Console​

From Google Cloud CLI​

Prevention​

Default Value​

References​

Additional Information​