
💼 6 Cloud SQL Database Services

  • Contextual name: 💼 6 Cloud SQL Database Services
  • ID: /frameworks/cis-gcp-v1.1.0/06
  • Located in: 💼 CIS GCP v1.1.0

Description

This section covers security recommendations to follow to secure Cloud SQL database services.

The recommendations in this section on setting up database flags are also present in the CIS Oracle MySQL Community Server 5.7 Benchmarks and in the CIS PostgreSQL 12 Benchmarks. We nevertheless include them here as well because the remediation instructions are different on Cloud SQL. Setting these flags requires superuser privileges and can only be done through GCP controls.

Learn more at: https://cloud.google.com/sql/docs/postgres/users and https://cloud.google.com/sql/docs/mysql/flags.

Similar

  • Internal
    • ID: dec-b-0b64bb9c

Sub Sections

Section | Sub Sections | Internal Rules | Policies | Flags
💼 6.1 MySQL Database | 2
    💼 6.1.1 Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges
    💼 6.1.2 Ensure that the 'local_infile' database flag for a Cloud SQL Mysql instance is set to 'off'
💼 6.2 PostgreSQL Database | 7
    💼 6.2.1 Ensure that the 'log_checkpoints' database flag for Cloud SQL PostgreSQL instance is set to 'on'
    💼 6.2.2 Ensure that the 'log_connections' database flag for Cloud SQL PostgreSQL instance is set to 'on'
    💼 6.2.3 Ensure that the 'log_disconnections' database flag for Cloud SQL PostgreSQL instance is set to 'on'
    💼 6.2.4 Ensure that the 'log_lock_waits' database flag for Cloud SQL PostgreSQL instance is set to 'on'
    💼 6.2.5 Ensure that the 'log_min_messages' database flag for Cloud SQL PostgreSQL instance is set appropriately
    💼 6.2.6 Ensure that the 'log_temp_files' database flag for Cloud SQL PostgreSQL instance is set to '0' (on)
    💼 6.2.7 Ensure that the 'log_min_duration_statement' database flag for Cloud SQL PostgreSQL instance is set to '-1' (disabled)
💼 6.3 SQL Server | 2
    💼 6.3.1 Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off'
    💼 6.3.2 Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off'
💼 6.4 Ensure that the Cloud SQL database instance requires all incoming connections to use SSL
💼 6.5 Ensure that Cloud SQL database instances are not open to the world
💼 6.6 Ensure that Cloud SQL database instances do not have public IPs
💼 6.7 Ensure that Cloud SQL database instances are configured with automated backups