📝 Google Cloud SQL Instance SSL Connections are not enforced 🟢

• Contextual name: 📝 SQL Instance SSL Connections are not enforced 🟢
• ID: /ce/ca/google/sql/sql-instance-ssl
• Located in: 📁 Google Cloud SQL

Flags

• 🟢 Policy with categories
• 🟢 Policy with type
• 🟢 Production policy

Our Metadata

• Policy Type: COMPLIANCE_POLICY
• Policy Category:
  • SECURITY

Similar Policies

• Cloud Conformity
  • Enable SSL/TLS for Cloud SQL Incoming Connections

Logic

• 🧠 prod.logic.yaml 🟢
  • 📕 Google Cloud SQL Instance
  • 🔌 Google Cloud SQL Instance - object.extracts.yaml
  • 🧪 test-data.json

Description

Open File

Description

It is recommended to enforce all incoming connections to SQL database instance to use SSL.

Rationale

SQL database connections if successfully trapped (MITM); can reveal sensitive data like credentials, database queries, query outputs etc. For security, it is recommended to always use SSL encryption when connecting to your instance. This recommendation is applicable for Postgresql, MySql generation 1, MySql generation 2 and SQL Server 2017 instances.

Impact

After enforcing SSL requirement for connections, existing client will not be able to communicate with Cloud SQL database instance unless they use SSL encrypted connections to communicate to Cloud SQL database instance.

Audit

From Google Cloud Console

1. Go to https://console.cloud.google.com/sql/instances.
2. Click on an instance name to see its configuration overview.
3. In the left-side panel, select Connections.
4. In the Security section, ensure that Allow only SSL connections option is selected.

From Google Cloud CLI

1. Get the detailed configuration for every SQL database instance using the following command:

... see more

Remediation

Open File

Remediation

From Google Cloud Console

1. Go to https://console.cloud.google.com/sql/instances.
2. Click on an instance name to see its configuration overview.
3. In the left-side panel, select Connections.
4. In the security section, select SSL mode as Allow only SSL connections.
5. Under Configure SSL server certificates click Create new certificate and save the setting

From Google Cloud CLI

To enforce SSL encryption for an instance run the command:

        gcloud sql instances patch INSTANCE_NAME --ssl-mode= ENCRYPTED_ONLY

Note: RESTART is required for type MySQL Generation 1 Instances (backendType: FIRST_GEN) to get this configuration in effect.

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags
💼 CIS GCP v3.0.0 → 💼 6.4 Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL - Level 1 (Automated)			1
💼 Cloudaware Framework → 💼 Secure Access			43