📝 Google Cloud SQL Instance has public IP addresses 🟢

• Contextual name: 📝 SQL Instance has public IP addresses 🟢
• ID: /ce/ca/google/sql/sql-instance-with-public-ip
• Located in: 📁 Google Cloud SQL

Flags

• 🟢 Policy with categories
• 🟢 Policy with type
• 🟢 Production policy

Our Metadata

• Policy Type: COMPLIANCE_POLICY
• Policy Category:
  • SECURITY

Similar Policies

• Cloud Conformity
  • Check for Cloud SQL Database Instances with Public IPs

Logic

• 🧠 prod.logic.yaml 🟢
  • 📕 Google Cloud SQL Instance
  • 🔌 Google Cloud SQL Instance - object.extracts.yaml
  • 🔌 Google Cloud SQL Instance IP Address - object.extracts.yaml
  • 🧪 test-data.json

Description

Open File

Description

It is recommended to configure Second Generation Sql instance to use private IPs instead of public IPs.

Rationale

To lower the organization's attack surface, Cloud SQL databases should not have public IPs. Private IPs provide improved network security and lower latency for your application.

Impact

Removing the public IP address on SQL instances may break some applications that relied on it for database connectivity.

Audit

From Google Cloud Console

1. Go to the Cloud SQL Instances page in the Google Cloud Console: https://console.cloud.google.com/sql/instances
2. Ensure that every instance has a private IP address and no public IP address configured.

From Google Cloud CLI

1. List all Cloud SQL database instances using the following command:

        gcloud sql instances list

2. For every instance of type instanceType: CLOUD_SQL_INSTANCE with backendType: SECOND_GEN, get detailed configuration. Ignore instances of type READ_REPLICA_INSTANCE because these instances inherit their settings from the primary instance. Also, note that first generation instances cannot be configured to have a private IP address.

... see more

Remediation

Open File

Remediation

From Google Cloud Console

1. Go to the Cloud SQL Instances page in the Google Cloud Console: https://console.cloud.google.com/sql/instances
2. Click the instance name to open its Instance details page.
3. Select the Connections tab.
4. Deselect the Public IP checkbox.
5. Click Save to update the instance.

From Google Cloud CLI

1. For every instance remove its public IP and assign a private IP instead:

        gcloud sql instances patch <INSTANCE_NAME> --network=<VPC_NETWORK_NAME> --no-assign-ip

2. Confirm the changes using the following command:

        gcloud sql instances describe <INSTANCE_NAME>

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags
💼 CIS GCP v3.0.0 → 💼 6.6 Ensure That Cloud SQL Database Instances Do Not Have Public IPs - Level 2 (Automated)			1
💼 Cloudaware Framework → 💼 Public and Anonymous Access			24