💼 6 Cloud SQL Database Services

  • ID: /frameworks/cis-gcp-v4.0.0/06

Description

This section covers security recommendations to follow to secure Cloud SQL database services.

The recommendations in this section on setting up database flags are also present in the CIS Oracle MySQL Community Server 5.7 Benchmarks and in the CIS PostgreSQL 12 Benchmarks. We nevertheless include them here as well, since the remediation instructions are different on Cloud SQL. Setting these flags requires superuser privileges and can only be done through GCP controls.

Learn more in the Cloud SQL PostgreSQL users documentation and the Cloud SQL MySQL flags documentation.

Sub Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 6.1 MySQL Database33no data
 💼 6.1.1 Ensure That a MySQL Instance Does Not Allow Anyone To Connect With Administrative Privileges - Level 1 (Manual)1no data
 💼 6.1.2 Ensure 'Skip_show_database' Database Flag for Cloud SQL MySQL Instance Is Set to 'On' - Level 1 (Automated)1no data
 💼 6.1.3 Ensure That the 'Local_infile' Database Flag for a Cloud SQL MySQL Instance Is Set to 'Off' - Level 1 (Automated)1no data
💼 6.2 PostgreSQL Database88no data
 💼 6.2.1 Ensure 'Log_error_verbosity' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'DEFAULT' or Stricter - Level 2 (Automated)1no data
 💼 6.2.2 Ensure That the 'Log_connections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On' - Level 1 (Automated)1no data
 💼 6.2.3 Ensure That the 'Log_disconnections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On' - Level 1 (Automated)1no data
 💼 6.2.4 Ensure 'Log_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set Appropriately - Level 2 (Automated)1no data
 💼 6.2.5 Ensure that the 'Log_min_messages' Flag for a Cloud SQL PostgreSQL Instance is set at minimum to 'Warning' - Level 1 (Automated)1no data
 💼 6.2.6 Ensure 'Log_min_error_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'Error' or Stricter - Level 1 (Automated)1no data
 💼 6.2.7 Ensure That the 'Log_min_duration_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to '-1' (Disabled) - Level 1 (Automated)1no data
 💼 6.2.8 Ensure That 'cloudsql.enable_pgaudit' Database Flag for each Cloud Sql Postgresql Instance Is Set to 'on' For Centralized Logging - Level 1 (Automated)1no data
💼 6.3 SQL Server77no data
 💼 6.3.1 Ensure 'external scripts enabled' Database Flag for Cloud SQL SQL Server Instance Is Set to 'off' - Level 1 (Automated)1no data
 💼 6.3.2 Ensure 'cross db ownership chaining' Database Flag for Cloud SQL SQL Server Instance Is Set to 'off' - Level 1 (Automated)1no data
 💼 6.3.3 Ensure 'user Connections' Database Flag for Cloud SQL SQL Server Instance Is Set to a Non-limiting Value - Level 1 (Automated)1no data
 💼 6.3.4 Ensure 'user options' Database Flag for Cloud SQL SQL Server Instance Is Not Configured - Level 1 (Automated)1no data
 💼 6.3.5 Ensure 'remote access' Database Flag for Cloud SQL SQL Server Instance Is Set to 'off' - Level 1 (Automated)1no data
 💼 6.3.6 Ensure '3625 (trace flag)' Database Flag for all Cloud SQL SQL Server Instances Is Set to 'on' - Level 1 (Automated)1no data
 💼 6.3.7 Ensure 'contained database authentication' Database Flag for Cloud SQL SQL Server Instance Is Set to 'off' - Level 1 (Automated)1no data
💼 6.4 Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL - Level 1 (Automated)1no data
💼 6.5 Ensure That Cloud SQL Database Instances Do Not Implicitly Whitelist All Public IP Addresses - Level 1 (Automated)1no data
💼 6.6 Ensure That Cloud SQL Database Instances Do Not Have Public IPs - Level 2 (Automated)1no data
💼 6.7 Ensure That Cloud SQL Database Instances Are Configured With Automated Backups - Level 1 (Automated)1no data