
πŸ“ Google Cloud SQL Server Instance user connections Database Flag is set to a limiting (other than 0) value 🟒

  • Contextual name: 📁 SQL Server Instance user connections Database Flag is set to a limiting (other than 0) value 🟢
  • ID: /ce/ca/google/sql/sqlserver-instance-user-connections-flag
  • Located in: 📁 Google Cloud SQL

Flags

Our Metadata

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • RELIABILITY

Similar Policies

Logic

Description


It is recommended to check the user connections database flag of every Cloud SQL SQL Server instance to ensure that it is not artificially limiting the number of connections.

Rationale

The user connections option specifies the maximum number of simultaneous user connections allowed on an instance of SQL Server. The actual number of user connections allowed also depends on the version of SQL Server you are using and on the limits of your application(s) and hardware. SQL Server allows a maximum of 32,767 user connections. By default, user connections is a self-configuring value: SQL Server adjusts the maximum number of user connections automatically as needed, up to the maximum allowable. For example, if only 10 users are logged in, 10 user connection objects are allocated. In most cases, you do not have to change the value for this option. The default is 0, which means that the maximum (32,767) user connections are allowed. However, if a number that limits connections is defined here, SQL Server will not allow any connections above that limit. Once connections are at the limit, any new requests will be dropped, potentially causing lost data or outages for those using the database.


Remediation


From Google Cloud Console

  1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.
  2. Select the SQL Server instance on which you want to set the database flag.
  3. Click Edit.
  4. Scroll down to the Flags section.
  5. To set a flag that has not been set on the instance before, click Add item, choose the flag user connections from the drop-down menu, and set its value to your organization's recommended value.
  6. Click Save to save your changes.
  7. Confirm your changes under Flags on the Overview page.

From Google Cloud CLI

  1. Configure the user connections database flag for every Cloud SQL SQL Server database instance using the command below.

         gcloud sql instances patch <INSTANCE_NAME> --database-flags "user connections=[0-32,767]"

Note: This command will overwrite all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ("=").
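The check behind this policy and the caveat in the note above (gcloud replaces the whole flag set on patch) can both be exercised offline. The following is an added example, not Cloudaware's, Google's or CIS's code: it classifies each instance by its user connections flag (absent or 0 is non-limiting, anything else is a finding) and builds a patch argument that carries every existing flag forward so that none is silently reset to its default. It assumes the input has the shape of `gcloud sql instances list --format=json` output, with `name`, `databaseVersion` and `settings.databaseFlags` as a list of `{"name", "value"}` objects; the instance data below is constructed for the example.

```python
"""Added example (not the policy's or Google's own code): audit Cloud SQL SQL Server
instances for a limiting `user connections` flag and render a non-destructive
`gcloud sql instances patch` command for each finding.

Assumption: the input is the JSON printed by `gcloud sql instances list --format=json`,
where each instance carries `name`, `databaseVersion` and `settings.databaseFlags`
(a list of {"name": ..., "value": ...}). The instances below are constructed samples.
"""
import json
import shlex

FLAG = "user connections"
SQLSERVER_MAX_CONNECTIONS = 32767  # upper bound stated in the rationale

# Constructed sample data (not real gcloud output).
SAMPLE_INSTANCES = [
    {   # flag absent -> SQL Server default (0) -> non-limiting
        "name": "sqlserver-prod-1",
        "databaseVersion": "SQLSERVER_2019_STANDARD",
        "settings": {"databaseFlags": [{"name": "remote access", "value": "off"}]},
    },
    {   # explicit 0 -> non-limiting
        "name": "sqlserver-prod-2",
        "databaseVersion": "SQLSERVER_2019_STANDARD",
        "settings": {"databaseFlags": [{"name": FLAG, "value": "0"}]},
    },
    {   # limiting value -> finding; also carries a second flag that must survive the patch
        "name": "sqlserver-legacy",
        "databaseVersion": "SQLSERVER_2017_STANDARD",
        "settings": {"databaseFlags": [
            {"name": FLAG, "value": "100"},
            {"name": "contained database authentication", "value": "on"},
        ]},
    },
    {   # not SQL Server -> out of scope for this policy
        "name": "pg-main",
        "databaseVersion": "POSTGRES_15",
        "settings": {"databaseFlags": []},
    },
]
SAMPLE_INSTANCES_JSON = json.dumps(SAMPLE_INSTANCES)


def flags_of(instance):
    """Return the instance's database flags as a dict name -> value."""
    return {f["name"]: f["value"]
            for f in instance.get("settings", {}).get("databaseFlags", [])}


def user_connections_status(instance):
    """Classify one instance as 'non-limiting', 'limiting' or 'out-of-scope'."""
    if not instance.get("databaseVersion", "").startswith("SQLSERVER"):
        return "out-of-scope"
    raw = flags_of(instance).get(FLAG)
    if raw is None:
        return "non-limiting"  # flag unset: SQL Server default 0, self-configuring up to 32,767
    try:
        value = int(raw)
    except ValueError:
        return "limiting"  # unparsable value: report it rather than assume compliance
    # The policy title treats any value other than 0 as limiting; 0 means the maximum is allowed.
    return "non-limiting" if value == 0 else "limiting"


def audit(instances_json):
    """Names of SQL Server instances whose user connections flag limits connections."""
    return [i["name"] for i in json.loads(instances_json)
            if user_connections_status(i) == "limiting"]


def patch_flags_argument(instance, new_value="0"):
    """Build the --database-flags value that keeps every existing flag and sets
    user connections to new_value. The patch replaces the whole flag set, so any
    flag left out here would fall back to its default."""
    merged = dict(flags_of(instance))
    merged[FLAG] = new_value
    return ",".join(f"{name}={value}" for name, value in sorted(merged.items()))


def remediation_command(instance, new_value="0"):
    """Render the gcloud command from the remediation section for one instance."""
    return (f"gcloud sql instances patch {shlex.quote(instance['name'])} "
            f"--database-flags {shlex.quote(patch_flags_argument(instance, new_value))}")


if __name__ == "__main__":
    for inst in SAMPLE_INSTANCES:
        print(f"{inst['name']:18} {user_connections_status(inst)}")
    for inst in SAMPLE_INSTANCES:
        if user_connections_status(inst) == "limiting":
            print(remediation_command(inst))
```

To run it against a real project, replace `SAMPLE_INSTANCES_JSON` with the captured output of `gcloud sql instances list --format=json` and review the rendered commands before executing any of them; the merge in `patch_flags_argument` is what keeps unrelated flags such as `contained database authentication` from being reset.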

policy.yaml


Linked Framework Sections

Section → Sub Section | Sub Sections / Internal Rules / Policies / Flags (counts, run together)
💼 CIS GCP v1.2.0 → 💼 6.3.3 Ensure 'user connections' database flag for Cloud SQL SQL Server instance is set as appropriate - Level 1 (Automated) | 1
💼 CIS GCP v1.3.0 → 💼 6.3.3 Ensure 'user Connections' Database Flag for Cloud Sql Sql Server Instance Is Set to a Non-limiting Value - Level 1 (Automated) | 1
💼 CIS GCP v2.0.0 → 💼 6.3.3 Ensure 'user Connections' Database Flag for Cloud Sql Sql Server Instance Is Set to a Non-limiting Value - Level 1 (Automated) | 1
💼 CIS GCP v3.0.0 → 💼 6.3.3 Ensure 'user Connections' Database Flag for Cloud Sql Sql Server Instance Is Set to a Non-limiting Value - Level 1 (Automated) | 1
💼 Cloudaware Framework → 💼 System Configuration | 29
💼 FedRAMP High Security Controls → 💼 CM-1 Policy and Procedures (L)(M)(H) | 3
💼 FedRAMP High Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H) | 3124
💼 FedRAMP High Security Controls → 💼 CM-6 Configuration Settings (L)(M)(H) | 212
💼 FedRAMP High Security Controls → 💼 CM-7 Least Functionality (L)(M)(H) | 31733
💼 FedRAMP High Security Controls → 💼 CM-9 Configuration Management Plan (M)(H) | 8
💼 FedRAMP High Security Controls → 💼 SA-3 System Development Life Cycle (L)(M)(H) | 4
💼 FedRAMP High Security Controls → 💼 SA-8 Security and Privacy Engineering Principles (L)(M)(H) | 6
💼 FedRAMP High Security Controls → 💼 SA-10 Developer Configuration Management (M)(H) | 3
💼 FedRAMP Low Security Controls → 💼 CM-1 Policy and Procedures (L)(M)(H) | 3
💼 FedRAMP Low Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H) | 23
💼 FedRAMP Low Security Controls → 💼 CM-6 Configuration Settings (L)(M)(H) | 11
💼 FedRAMP Low Security Controls → 💼 CM-7 Least Functionality (L)(M)(H) | 29
💼 FedRAMP Low Security Controls → 💼 SA-3 System Development Life Cycle (L)(M)(H) | 4
💼 FedRAMP Low Security Controls → 💼 SA-8 Security and Privacy Engineering Principles (L)(M)(H) | 6
💼 FedRAMP Moderate Security Controls → 💼 CM-1 Policy and Procedures (L)(M)(H) | 3
💼 FedRAMP Moderate Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H) | 324
💼 FedRAMP Moderate Security Controls → 💼 CM-6 Configuration Settings (L)(M)(H) | 112
💼 FedRAMP Moderate Security Controls → 💼 CM-7 Least Functionality (L)(M)(H) | 333
💼 FedRAMP Moderate Security Controls → 💼 CM-9 Configuration Management Plan (M)(H) | 8
💼 FedRAMP Moderate Security Controls → 💼 SA-3 System Development Life Cycle (L)(M)(H) | 4
💼 FedRAMP Moderate Security Controls → 💼 SA-8 Security and Privacy Engineering Principles (L)(M)(H) | 6
💼 FedRAMP Moderate Security Controls → 💼 SA-10 Developer Configuration Management (M)(H) | 3
💼 ISO/IEC 27001:2022 → 💼 8.1 User end point devices | 713
💼 ISO/IEC 27001:2022 → 💼 8.9 Configuration management | 12
💼 NIST CSF v1.1 → 💼 PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality) | 326
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events | 133
💼 NIST CSF v2.0 → 💼 GV.OC-03: Legal, regulatory, and contractual requirements regarding cybersecurity - including privacy and civil liberties obligations - are understood and managed | 7
💼 NIST CSF v2.0 → 💼 GV.OV-01: Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction | 3
💼 NIST CSF v2.0 → 💼 GV.PO-01: Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced | 3
💼 NIST CSF v2.0 → 💼 GV.PO-02: Policy for managing cybersecurity risks is reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission | 3
💼 NIST CSF v2.0 → 💼 GV.SC-03: Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes | 10
💼 NIST CSF v2.0 → 💼 ID.AM-08: Systems, hardware, software, services, and data are managed throughout their life cycles | 20
💼 NIST CSF v2.0 → 💼 ID.IM-01: Improvements are identified from evaluations | 20
💼 NIST CSF v2.0 → 💼 ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties | 33
💼 NIST CSF v2.0 → 💼 ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities | 34
💼 NIST CSF v2.0 → 💼 ID.RA-09: The authenticity and integrity of hardware and software are assessed prior to acquisition and use | 4
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected | 104
💼 NIST CSF v2.0 → 💼 PR.IR-03: Mechanisms are implemented to achieve resilience requirements in normal and adverse situations | 11
💼 NIST SP 800-53 Revision 5 → 💼 CM-1 Policy and Procedures | 3
💼 NIST SP 800-53 Revision 5 → 💼 CM-2 Baseline Configuration | 723
💼 NIST SP 800-53 Revision 5 → 💼 CM-6 Configuration Settings | 412
💼 NIST SP 800-53 Revision 5 → 💼 CM-7 Least Functionality | 923
💼 NIST SP 800-53 Revision 5 → 💼 CM-9 Configuration Management Plan | 18
💼 NIST SP 800-53 Revision 5 → 💼 SA-3 System Development Life Cycle | 34
💼 NIST SP 800-53 Revision 5 → 💼 SA-8 Security and Privacy Engineering Principles | 337
💼 NIST SP 800-53 Revision 5 → 💼 SA-10 Developer Configuration Management | 73
💼 PCI DSS v3.2.1 → 💼 1.1 Establish and implement firewall and router configuration standards | 7114
💼 PCI DSS v3.2.1 → 💼 1.1.6 Documentation of business justification and approval for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure. | 112
💼 PCI DSS v3.2.1 → 💼 1.1.7 Requirement to review firewall and router rule sets at least every six months. | 8
💼 PCI DSS v3.2.1 → 💼 1.4 Install personal firewall software or equivalent functionality on any portable computing devices that connect to the Internet when outside the network, and which are also used to access the CDE. | 8
💼 PCI DSS v3.2.1 → 💼 1.5 Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties. | 8
💼 PCI DSS v3.2.1 → 💼 2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. | 5320
💼 PCI DSS v3.2.1 → 💼 2.5 Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties. | 8
💼 PCI DSS v4.0.1 → 💼 1.1.1 All security policies and operational procedures identified in Requirement 1 are documented, kept up to date, in use, and known to all affected parties. | 8
💼 PCI DSS v4.0.1 → 💼 1.2.1 Configuration standards for NSC rulesets are defined, implemented, maintained. | 10
💼 PCI DSS v4.0.1 → 💼 1.2.5 All services, protocols, and ports allowed are identified, approved, and have a defined business need. | 12
💼 PCI DSS v4.0.1 → 💼 1.2.6 Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated. | 12
💼 PCI DSS v4.0.1 → 💼 1.2.7 Configurations of NSCs are reviewed at least once every six months to confirm they are relevant and effective. | 8
💼 PCI DSS v4.0.1 → 💼 1.5.1 Security controls are implemented on any computing devices, including company- and employee-owned devices, that connect to both untrusted networks and the CDE. | 8
💼 PCI DSS v4.0.1 → 💼 2.1.1 All security policies and operational procedures identified in Requirement 2 are documented, kept up to date, in use, and known to all affected parties. | 8
💼 PCI DSS v4.0.1 → 💼 2.2.1 Configuration standards are developed, implemented, and maintained. | 11
💼 PCI DSS v4.0 → 💼 1.1.1 All security policies and operational procedures identified in Requirement 1 are documented, kept up to date, in use, and known to all affected parties. | 8
💼 PCI DSS v4.0 → 💼 1.2.1 Configuration standards for NSC rulesets are defined, implemented, maintained. | 10
💼 PCI DSS v4.0 → 💼 1.2.5 All services, protocols, and ports allowed are identified, approved, and have a defined business need. | 12
💼 PCI DSS v4.0 → 💼 1.2.6 Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated. | 12
💼 PCI DSS v4.0 → 💼 1.2.7 Configurations of NSCs are reviewed at least once every six months to confirm they are relevant and effective. | 8
💼 PCI DSS v4.0 → 💼 1.5.1 Security controls are implemented on any computing devices, including company- and employee-owned devices, that connect to both untrusted networks and the CDE. | 8
💼 PCI DSS v4.0 → 💼 2.1.1 All security policies and operational procedures identified in Requirement 2 are documented, kept up to date, in use, and known to all affected parties. | 8
💼 PCI DSS v4.0 → 💼 2.2.1 Configuration standards are developed, implemented, and maintained. | 11
💼 SOC 2 → 💼 CC7.1-2 Monitors Infrastructure and Software | 912
💼 SOC 2 → 💼 CC7.1-3 Implements Change-Detection Mechanisms | 3
💼 SOC 2 → 💼 CC7.1-4 Detects Unknown or Unauthorized Components | 3
💼 SOC 2 → 💼 CC8.1-1 Manages Changes Throughout the System Lifecycle | 3
💼 SOC 2 → 💼 CC8.1-2 Authorizes Changes | 3
💼 SOC 2 → 💼 CC8.1-3 Designs and Develops Changes | 3
💼 SOC 2 → 💼 CC8.1-4 Documents Changes | 3
💼 SOC 2 → 💼 CC8.1-5 Tracks System Changes | 3
💼 SOC 2 → 💼 CC8.1-6 Configures Software | 3
💼 SOC 2 → 💼 CC8.1-7 Tests System Changes | 3
💼 SOC 2 → 💼 CC8.1-8 Approves System Changes | 3
💼 SOC 2 → 💼 CC8.1-9 Deploys System Changes | 3
💼 SOC 2 → 💼 CC8.1-10 Identifies and Evaluates System Changes | 3
💼 SOC 2 → 💼 CC8.1-11 Identifies Changes in Infrastructure, Data, Software, and Procedures Required to Remediate Incidents | 3
💼 SOC 2 → 💼 CC8.1-12 Creates Baseline Configuration of IT Technology | 3
💼 SOC 2 → 💼 CC8.1-13 Provides for Changes Necessary in Emergency Situations | 3
💼 SOC 2 → 💼 CC8.1-14 Manages Patch Changes | 3
💼 SOC 2 → 💼 CC8.1-15 Considers System Resilience | 3