💼 6 Cloud SQL Database Services

  • Contextual name: 💼 6 Cloud SQL Database Services
  • ID: /frameworks/cis-gcp-v1.2.0/06
  • Located in: 💼 CIS GCP v1.2.0

Description

This section covers security recommendations to follow to secure Cloud SQL database services.

The recommendations in this section on setting up database flags are also present in the CIS Oracle MySQL Community Server 5.7 Benchmarks and in the CIS PostgreSQL 12 Benchmarks. We nevertheless include them here as well, because the remediation instructions are different on Cloud SQL. Setting these flags requires superuser privileges, and they can only be configured through GCP controls.

Learn more at: https://cloud.google.com/sql/docs/postgres/users and https://cloud.google.com/sql/docs/mysql/flags.

Similar

  • Internal
    • ID: dec-b-0938cb29

Sub Sections

Section | Sub Sections | Internal Rules | Policies | Flags
💼 6.1 MySQL Database | 3
    💼 6.1.1 Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges - Level 1 (Automated _ Roadmapped)
    💼 6.1.2 Ensure 'skip_show_database' database flag for Cloud SQL Mysql instance is set to 'on' - Level 1 (Automated)
    💼 6.1.3 Ensure that the 'local_infile' database flag for a Cloud SQL Mysql instance is set to 'off' - Level 1 (Automated)
💼 6.2 PostgreSQL Database | 16
    💼 6.2.1 Ensure that the 'log_checkpoints' database flag for Cloud SQL PostgreSQL instance is set to 'on' - Level 1 (Automated)
    💼 6.2.2 Ensure 'log_error_verbosity' database flag for Cloud SQL PostgreSQL instance is set to 'DEFAULT' or stricter - Level 2 (Manual _ Not supported, requires a manual assessment)
    💼 6.2.3 Ensure that the 'log_connections' database flag for Cloud SQL PostgreSQL instance is set to 'on' - Level 1 (Automated)
    💼 6.2.4 Ensure that the 'log_disconnections' database flag for Cloud SQL PostgreSQL instance is set to 'on' - Level 1 (Automated)
    💼 6.2.5 Ensure 'log_duration' database flag for Cloud SQL PostgreSQL instance is set to 'on' - Level 1 (Manual _ Not supported, requires a manual assessment)
    💼 6.2.6 Ensure that the 'log_lock_waits' database flag for Cloud SQL PostgreSQL instance is set to 'on' - Level 1 (Automated)
    💼 6.2.7 Ensure 'log_statement' database flag for Cloud SQL PostgreSQL instance is set appropriately - Level 1 (Manual _ Not supported, requires a manual assessment)
    💼 6.2.8 Ensure 'log_hostname' database flag for Cloud SQL PostgreSQL instance is set appropriately - Level 1 (Automated _ Roadmapped)
    💼 6.2.9 Ensure 'log_parser_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off' - Level 2 (Automated)
    💼 6.2.10 Ensure 'log_planner_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off' - Level 2 (Automated)
    💼 6.2.11 Ensure 'log_executor_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off' - Level 2 (Automated)
    💼 6.2.12 Ensure 'log_statement_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off' - Level 2 (Automated)
    💼 6.2.13 Ensure that the 'log_min_messages' database flag for Cloud SQL PostgreSQL instance is set appropriately - Level 1 (Manual)
    💼 6.2.14 Ensure 'log_min_error_statement' database flag for Cloud SQL PostgreSQL instance is set to 'Error' or stricter - Level 1 (Automated)
    💼 6.2.15 Ensure that the 'log_temp_files' database flag for Cloud SQL PostgreSQL instance is set to '0' (on) - Level 1 (Automated)
    💼 6.2.16 Ensure that the 'log_min_duration_statement' database flag for Cloud SQL PostgreSQL instance is set to '-1' (disabled) - Level 1 (Automated)
💼 6.3 SQL Server | 7
    💼 6.3.1 Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off' - Level 1 (Automated)
    💼 6.3.2 Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off' - Level 1 (Automated)
    💼 6.3.3 Ensure 'user connections' database flag for Cloud SQL SQL Server instance is set as appropriate - Level 1 (Automated)
    💼 6.3.4 Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured - Level 1 (Automated)
    💼 6.3.5 Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off' - Level 1 (Automated)
    💼 6.3.6 Ensure '3625 (trace flag)' database flag for Cloud SQL SQL Server instance is set to 'off' - Level 1 (Automated)
    💼 6.3.7 Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off' - Level 1 (Automated)
💼 6.4 Ensure that the Cloud SQL database instance requires all incoming connections to use SSL - Level 1 (Automated)
💼 6.5 Ensure that Cloud SQL database instances are not open to the world - Level 1 (Automated)
💼 6.6 Ensure that Cloud SQL database instances do not have public IPs - Level 2 (Automated)
💼 6.7 Ensure that Cloud SQL database instances are configured with automated backups - Level 1 (Automated)