Check for Publicly Accessible Cloud SQL Database Instances

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)

Ensure that your Google Cloud SQL database instances are configured to accept connections from trusted networks and IP addresses only.

Security

When an SQL database instance authorized network is configured to allow public access (i.e. 0.0.0.0/0), any IPv4 client can bypass the network firewall and perform login attempts to that instance (clients still need valid credentials to successfully log in to your database). To minimize the attack surface on SQL databases and their applications, only trusted and required IPs and networks should be whitelisted for login access.


Audit

To determine if your Cloud SQL database instances are configured to allow access to anyone on the Internet, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Cloud SQL Instances dashboard at https://console.cloud.google.com/sql/instances.

04 Click on the name (ID) of the database instance that you want to examine.

05 In the navigation panel, select Connections to access the connectivity configuration information available for the selected database instance.

06 In the Connectivity section, under Public IP, check for any authorized networks configured to allow access to anyone on the Internet (i.e. 0.0.0.0/0). If there are any authorized networks with the Network configuration field set to 0.0.0.0/0, the selected Google Cloud SQL database instance is publicly accessible.

07 Repeat step no. 4 – 6 to check the authorized network configuration for other Cloud SQL instances available within the selected project.

08 Repeat steps no. 2 – 7 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the Google Cloud Platform (GCP) projects available in your Google Cloud account:

gcloud projects list
	--format="table(projectId)"

02 The command output should return the requested GCP project identifiers:

PROJECT_ID
cc-mobile-project-123123
cc-ml-app-project-123123

03 Run sql instances list command (Windows/macOS/Linux) using custom filtering to describe the name of each Cloud SQL database instance provisioned for the selected Google Cloud project:

gcloud sql instances list
	--project cc-mobile-project-123123
	--format="(NAME)"

04 The command output should return the requested database instance name(s):

NAME
cc-mobile-db-instance
cc-web-int-db-instance

05 Run sql instances describe command (Windows/macOS/Linux) using the name of the Cloud SQL database instance that you want to examine as identifier parameter and custom output filtering to describe the IPv4 address/IPv4 range of the authorized network(s) configured for the selected database instance:

gcloud sql instances describe cc-mobile-db-instance
	--format=json | jq '.settings.ipConfiguration.authorizedNetworks[].value'

06 The command output should return the requested authorized network(s) details:

"0.0.0.0/0"

If the sql instances describe command output contains "0.0.0.0/0", there is at least one authorized network that allows database access to anyone on the Internet (i.e. 0.0.0.0/0), therefore the selected Google Cloud SQL database instance is publicly accessible.

07 Repeat step no. 5 and 6 to verify the authorized network configuration for other Cloud SQL instances created for the selected project.

08 Repeat steps no. 3 – 7 for each project available within your Google Cloud account.

Remediation / Resolution

To restrict public access to your Google Cloud SQL database instances by updating their authorized network configuration, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Cloud SQL Instances dashboard at https://console.cloud.google.com/sql/instances.

04 Click on the name/ID of the database instance that you want to reconfigure.

05 In the navigation panel, select Connections to access the connectivity configuration information available for the selected database instance.

06 In the Connectivity section, under Authorized networks, perform the following actions:

  1. Delete the authorized network configured to allow access to anyone on the Internet (i.e. 0.0.0.0/0), by clicking the delete button available on the authorized network header.
  2. If required, click Add network button to configure a new authorized network for the selected instance. On the New network panel, in the Network box, enter the IP address or IP address range you want to allow connections from. The authorized IP address/IP range must use the CIDR format (e.g. 10.50.51.5/32). Optionally, enter a name for the new entry in the Name box. Click Done to close the configuration panel.
  3. Click Save to apply the changes.

07 Repeat step no. 4 – 6 for other publicly accessible Cloud SQL database instances available within the selected project.

08 Repeat steps no. 2 – 7 for each project deployed in your Google Cloud account.

Using GCP CLI

01 To replace the insecure and non-complaint authorized network with a secure and trusted one, run sql instances patch command (Windows/macOS/Linux) using the trusted IP address you want to allow connections from, as value of the --authorized-networks configuration parameter (CIDR format). IMPORTANT: When adding new authorized networks, make sure to also include any trusted IP addresses that have been already authorized, otherwise, the existing ones will be overwritten and de-authorized:

gcloud sql instances patch cc-mobile-db-instance
	--authorized-networks="xxx.xxx.xxx.xxx/32"0

02 Type Y to confirm the instance configuration change:

When adding a new IP address to authorized networks, make sure to also include any IP addresses that have already been authorized. Otherwise, they will be overwritten and de-authorized.
Do you want to continue (Y/n)? Y

03 The output should return the sql instances patch command request status:

The following message will be used for the patch API method.
{"name": "cc-mobile-db-instance", "project": "cc-mobile-project-123123", "settings": {"ipConfiguration": {"authorizedNetworks": [{"value": "xxx.xxx.xxx.xxx/32"}]}}}
Patching Cloud SQL instance...done.
Updated [https://sqladmin.googleapis.com/sql/v1beta4/projects/cc-mobile-project-123123/instances/cc-mobile-db-instance].

04 Repeat step no. 1 – 3 for other publicly accessible Cloud SQL database instances provisioned for the selected project.

05 Repeat steps no. 1 – 4 for each project created within your Google Cloud account.

References

Publication date Apr 12, 2021

Unlock the Remediation Steps


Gain free unlimited access
to our full Knowledge Base


Over 750 rules & best practices
for AWS and Azure

You are auditing:

Check for Publicly Accessible Cloud SQL Database Instances

Risk level: Medium