💼 6 Cloud SQL Database Services

  • Contextual name: 💼 6 Cloud SQL Database Services
  • ID: /frameworks/cis-gcp-v3.0.0/06
  • Located in: 💼 CIS GCP v3.0.0

Description

This section covers security recommendations to follow to secure Cloud SQL database services.

The recommendations in this section on setting up database flags are also present in the CIS Oracle MySQL Community Server 5.7 Benchmarks and in the CIS PostgreSQL 12 Benchmarks. We nevertheless include them here as well; the remediation instructions are different on Cloud SQL. Setting these flags requires superuser privileges and can only be configured through GCP controls.

Learn more at: https://cloud.google.com/sql/docs/postgres/users and https://cloud.google.com/sql/docs/mysql/flags.

Similar

  • Internal
    • ID: dec-b-b2b77fe9

Sub Sections

Section    Sub Sections    Internal Rules    Policies    Flags
💼 6.1 MySQL Database    3
    💼 6.1.1 Ensure That a MySQL Database Instance Does Not Allow Anyone To Connect With Administrative Privileges - Level 1 (Manual)    1
    💼 6.1.2 Ensure ‘Skip_show_database’ Database Flag for Cloud SQL MySQL Instance Is Set to ‘On’ - Level 1 (Automated)    1
    💼 6.1.3 Ensure That the ‘Local_infile’ Database Flag for a Cloud SQL MySQL Instance Is Set to ‘Off’ - Level 1 (Automated)    1
💼 6.2 PostgreSQL Database    8
    💼 6.2.1 Ensure ‘Log_error_verbosity’ Database Flag for Cloud SQL PostgreSQL Instance Is Set to ‘DEFAULT’ or Stricter - Level 2 (Automated)    1
    💼 6.2.2 Ensure That the ‘Log_connections’ Database Flag for Cloud SQL PostgreSQL Instance Is Set to ‘On’ - Level 1 (Automated)    1
    💼 6.2.3 Ensure That the ‘Log_disconnections’ Database Flag for Cloud SQL PostgreSQL Instance Is Set to ‘On’ - Level 1 (Automated)    1
    💼 6.2.4 Ensure ‘Log_statement’ Database Flag for Cloud SQL PostgreSQL Instance Is Set Appropriately - Level 2 (Automated)    1
    💼 6.2.5 Ensure that the ‘Log_min_messages’ Flag for a Cloud SQL PostgreSQL Instance is set at minimum to 'Warning' - Level 1 (Automated)    1
    💼 6.2.6 Ensure ‘Log_min_error_statement’ Database Flag for Cloud SQL PostgreSQL Instance Is Set to ‘Error’ or Stricter - Level 1 (Automated)    1
    💼 6.2.7 Ensure That the ‘Log_min_duration_statement’ Database Flag for Cloud SQL PostgreSQL Instance Is Set to '-1' (Disabled) - Level 1 (Automated)    1
    💼 6.2.8 Ensure That 'cloudsql.enable_pgaudit' Database Flag for each Cloud Sql Postgresql Instance Is Set to 'on' For Centralized Logging - Level 1 (Automated)    1
💼 6.3 SQL Server    7
    💼 6.3.1 Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off' - Level 1 (Automated)    1
    💼 6.3.2 Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off' - Level 1 (Automated)    1
    💼 6.3.3 Ensure 'user Connections' Database Flag for Cloud Sql Sql Server Instance Is Set to a Non-limiting Value - Level 1 (Automated)    1
    💼 6.3.4 Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured - Level 1 (Automated)    1
    💼 6.3.5 Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off' - Level 1 (Automated)    1
    💼 6.3.6 Ensure '3625 (trace flag)' database flag for all Cloud SQL Server instances is set to 'on' - Level 1 (Automated)    1
    💼 6.3.7 Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is not set to 'on' - Level 1 (Automated)    1
💼 6.4 Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL - Level 1 (Automated)    1
💼 6.5 Ensure That Cloud SQL Database Instances Do Not Implicitly Whitelist All Public IP Addresses - Level 1 (Automated)    1
💼 6.6 Ensure That Cloud SQL Database Instances Do Not Have Public IPs - Level 2 (Automated)    1
💼 6.7 Ensure That Cloud SQL Database Instances Are Configured With Automated Backups - Level 1 (Automated)    1