π Google Cloud SQL Server Instance contained database authentication Database Flag is set to on π’
- Contextual name: π SQL Server Instance contained database authentication Database Flag is set to on π’
- ID:
/ce/ca/google/sql/sqlserver-instance-contained-database-authentication-flag - Located in: π Google Cloud SQL
Flagsβ
- π’ Policy with categories
- π’ Policy with type
- π’ Production policy
Our Metadataβ
- Policy Type:
COMPLIANCE_POLICY - Policy Category:
SECURITY
Similar Policiesβ
Logicβ
- π§ prod.logic.yaml π’
Descriptionβ
Descriptionβ
It is recommended not to set
contained database authenticationdatabase flag for Cloud SQL on the SQL Server instance toon.Rationaleβ
A contained database includes all database settings and metadata required to define the database and has no configuration dependencies on the instance of the Database Engine where the database is installed. Users can connect to the database without authenticating a login at the Database Engine level. Isolating the database from the Database Engine makes it possible to easily move the database to another instance of SQL Server. Contained databases have some unique threats that should be understood and mitigated by SQL Server Database Engine administrators. Most of the threats are related to the USER WITH PASSWORD authentication process, which moves the authentication boundary from the Database Engine level to the database level, hence this is recommended not to enable this flag. This recommendation is applicable to SQL Server database instances.
Impactβ
When
contained database authenticationis off (0) for the instance, contained databases cannot be created, or attached to the Database Engine. Turning on logging will increase the required storage over time. Mismanaged logs may cause your storage costs to increase. Setting custom flags via command line on certain instances will cause all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended you apply these flags changes during a period of low usage.... see more
Remediationβ
Remediationβ
From Google Cloud Consoleβ
- Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.
- Select the SQL Server instance for which you want to enable to database flag.
- Click
Edit.- Scroll down to the
Flagssection.- If the flag
contained database authenticationis present and its value is set toon, then change it tooff.- Click
Save.- Confirm the changes under
Flagson the Overview page.From Google Cloud CLIβ
If any Cloud SQL for SQL Server instance has the database flag
contained database authenticationset toon, then change it tooffusing the below command:gcloud sql instances patch <INSTANCE_NAME> --database-flags "contained database authentication=off"Note: This command will overwrite all database flags previously set. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ("=").
policy.yamlβ
Linked Framework Sectionsβ
| Section | Sub Sections | Internal Rules | Policies | Flags |
|---|---|---|---|---|
| πΌ CIS GCP v3.0.0 β πΌ 6.3.7 Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is not set to 'on' - Level 1 (Automated) | 1 | |||
| πΌ Cloudaware Framework β πΌ Secure Access | 43 |