Description
It is recommended to enforce SSL for all incoming connections to the SQL database instance.
Rationale
SQL database connections, if successfully intercepted (MITM), can reveal sensitive data such as credentials, database queries and query outputs. For security, it is recommended to always use SSL encryption when connecting to your instance. This recommendation is applicable to PostgreSQL, MySQL generation 1, MySQL generation 2 and SQL Server 2017 instances.
Impact
After the SSL requirement is enforced for connections, existing clients will not be able to communicate with the Cloud SQL database instance unless they switch to SSL-encrypted connections.
Audit
From Google Cloud Console
- Go to https://console.cloud.google.com/sql/instances.
- Click on an instance name to see its configuration overview.
- In the left-side panel, select Connections.
- In the Security section, ensure that the Allow only SSL connections option is selected.
From Google Cloud CLI
- Get the detailed configuration for every SQL database instance using the following command:
gcloud sql instances list --format=json
- Ensure that the section settings: ipConfiguration has the parameter sslMode set to ENCRYPTED_ONLY.
Default Value
By default, the parameter settings: ipConfiguration: sslMode is not set, which is equivalent to sslMode: ALLOW_UNENCRYPTED_AND_ENCRYPTED.
References
Additional Information
By default, settings: ipConfiguration has no authorizedNetworks set or configured. In that case, even though sslMode is unset by default (equivalent to sslMode: ALLOW_UNENCRYPTED_AND_ENCRYPTED), there is no immediate risk, because the instance cannot be accessed from outside the network unless authorizedNetworks are configured. However, if the default for sslMode is not updated to ENCRYPTED_ONLY, any authorizedNetworks created later on will not enforce SSL-only connections.
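The CLI audit above and the authorizedNetworks caveat in this section can be combined into one check. The following script is an added example, not part of the benchmark or of gcloud: it parses the JSON produced by gcloud sql instances list --format=json, treats an unset sslMode as ALLOW_UNENCRYPTED_AND_ENCRYPTED, and flags non-compliant instances, marking those with no authorizedNetworks yet as latent findings. The instance names and CIDRs in the embedded sample are constructed.

```python
import json
import sys

# What an unset settings.ipConfiguration.sslMode is equivalent to, per the benchmark text.
DEFAULT_SSL_MODE = "ALLOW_UNENCRYPTED_AND_ENCRYPTED"
REQUIRED_SSL_MODE = "ENCRYPTED_ONLY"

# Constructed sample mimicking `gcloud sql instances list --format=json`; names and CIDRs are made up.
SAMPLE_GCLOUD_JSON = """[
  {"name": "prod-pg", "settings": {"ipConfiguration": {
      "sslMode": "ENCRYPTED_ONLY",
      "authorizedNetworks": [{"value": "203.0.113.0/24"}]}}},
  {"name": "legacy-mysql", "settings": {"ipConfiguration": {
      "sslMode": "ALLOW_UNENCRYPTED_AND_ENCRYPTED",
      "authorizedNetworks": [{"value": "198.51.100.0/24"}]}}},
  {"name": "internal-only", "settings": {"ipConfiguration": {}}}
]"""


def audit_ssl_mode(instances):
    """Return {instance name: finding} for a list of decoded gcloud instance records."""
    report = {}
    for inst in instances:
        ipcfg = inst.get("settings", {}).get("ipConfiguration", {})
        ssl_mode = ipcfg.get("sslMode") or DEFAULT_SSL_MODE  # unset == permissive default
        networks = [n.get("value") for n in ipcfg.get("authorizedNetworks", [])]
        compliant = ssl_mode == REQUIRED_SSL_MODE
        report[inst["name"]] = {
            "ssl_mode": ssl_mode,
            "exposed": bool(networks),  # reachable from configured authorized networks
            "status": "PASS" if compliant else "FAIL",
            # Latent: permissive mode but no authorized networks yet; a network added
            # later would not be forced onto SSL, so the setting still needs fixing.
            "latent": (not compliant) and not networks,
        }
    return report


def audit_from_json(text):
    return audit_ssl_mode(json.loads(text))


def audit_sample():
    return audit_from_json(SAMPLE_GCLOUD_JSON)


if __name__ == "__main__":  # gcloud sql instances list --format=json | python3 audit_sslmode.py
    for name, f in audit_from_json(sys.stdin.read()).items():
        print(f"{f['status']:4} {name}: sslMode={f['ssl_mode']} "
              f"exposed={f['exposed']} latent={f['latent']}")
```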