Profile Applicability:

Level 2

Description:

Establishing a log metric filter and alert for SQL instance configuration changes is recommended. This ensures that any changes, including critical misconfigurations, are monitored and addressed promptly.

Rationale:

Monitoring configuration changes in Cloud SQL instances can help mitigate security risks and maintain service reliability. Key configuration options, such as enabling auto-backups, high availability, and managing network authorizations, directly impact the security and performance of SQL instances. Detecting misconfigurations early ensures quick resolution and protects the organization’s data integrity.

Impact:

Enabling logging may incur additional costs for log storage and processing, particularly for organizations with high activity levels.

Default Value:

No log metric or alert policy is configured by default for SQL instance configuration changes.

Audit Steps:

Using Google Cloud Console:

  1. Verify Log Metric Configuration:

  • Under User-defined Metrics, ensure there is a metric with the filter:
protoPayload.methodName="cloudsql.instances.update"

  2. Verify Alert Policy Configuration:

  • Ensure an alert policy exists for the log metric with the following conditions:

    • Condition: Triggers for any configuration change.

    • Threshold: Greater than 0.

  • Verify notification channels are configured appropriately.

Using Google Cloud CLI:

  1. Verify Log Metric Configuration:

  • List all log metrics:
gcloud logging metrics list --format json
  • Confirm there is a metric with the filter:
protoPayload.methodName="cloudsql.instances.update"

  2. Verify Alert Policy Configuration:

  • List alerting policies:
gcloud alpha monitoring policies list --format json
  • Confirm a policy exists where:

    • Filter: Matches the metric.

    • Enabled: true.
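
The CLI audit checks above can be automated over the two JSON listings. The following Python check is an added example, not part of the benchmark; it assumes the field names of the Cloud Logging LogMetric and Cloud Monitoring AlertPolicy resources (name, filter, enabled, conditions[].conditionThreshold, notificationChannels), and the sample listings are constructed.

```python
REQUIRED_FILTER = 'protoPayload.methodName="cloudsql.instances.update"'

def _norm(f):
    # Ignore whitespace differences only; any other difference is a mismatch.
    return "".join(f.split())

def audit(metrics, policies):
    """Return (compliant, findings) for the parsed metric and policy listings."""
    names = [m["name"] for m in metrics
             if _norm(m.get("filter", "")) == _norm(REQUIRED_FILTER)]
    if not names:
        return False, ["no log metric with the required filter"]
    # A user-defined log metric is exposed as logging.googleapis.com/user/<name>.
    metric_types = [f'"logging.googleapis.com/user/{n}"' for n in names]
    findings, compliant = [], False
    for p in policies:
        for cond in p.get("conditions", []):
            t = cond.get("conditionThreshold", {})
            if not any(mt in t.get("filter", "") for mt in metric_types):
                continue  # condition watches some other metric
            problems = []
            if p.get("enabled") is not True:
                problems.append("policy disabled")
            # A thresholdValue of 0 may be omitted from the JSON output.
            if t.get("comparison") != "COMPARISON_GT" or t.get("thresholdValue", 0) != 0:
                problems.append("threshold is not 'greater than 0'")
            if not p.get("notificationChannels"):
                problems.append("no notification channel")
            if problems:
                findings.append(f"{p.get('displayName', '?')}: {', '.join(problems)}")
            else:
                compliant = True
    if not compliant and not findings:
        findings.append("no alert policy references the metric")
    return compliant, findings

# Constructed sample listings (assumed shapes, not real project output).
SAMPLE_METRICS = [{"name": "sql-config-changes",
                   "filter": 'protoPayload.methodName = "cloudsql.instances.update"'}]
_COND = {"conditionThreshold": {
    "filter": 'metric.type="logging.googleapis.com/user/sql-config-changes"',
    "comparison": "COMPARISON_GT"}}
SAMPLE_POLICIES = [
    {"displayName": "old-sql-alert", "enabled": False, "conditions": [_COND],
     "notificationChannels": ["projects/example/notificationChannels/1"]},
    {"displayName": "sql-alert", "enabled": True, "conditions": [_COND],
     "notificationChannels": ["projects/example/notificationChannels/1"]},
]

if __name__ == "__main__":
    print(audit(SAMPLE_METRICS, SAMPLE_POLICIES))
```

For a real project, pass the parsed output of the two list commands (for example via json.load) instead of the sample listings.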

Remediation Steps:

Using Google Cloud Console:

  1. Create a Log Metric:

  • Configure the metric:

    • Filter:
protoPayload.methodName="cloudsql.instances.update"

    • Type: Counter.

    • Units: 1 (default).

  • Click Create Metric.

  2. Create an Alert Policy:

  • Locate the new metric under User-defined Metrics.

  • Click the three-dot menu and select Create alert from Metric.

  • Configure the alert policy:

    • Condition:

      • Aggregator: Count.

      • Threshold: Greater than 0.

    • Configure notification channels as needed.

  • Save the policy.

Using Google Cloud CLI:

Create a Log Metric:

gcloud logging metrics create <metric-name> \
  --description="Monitor SQL instance configuration changes" \
  --log-filter='protoPayload.methodName="cloudsql.instances.update"'

Create an Alert Policy:

gcloud alpha monitoring policies create \
  --display-name="<policy-name>" \
  --condition-display-name="<condition-name>" \
  --condition-filter="<condition-filter>" \
  --if="> 0" \
  --duration="<duration>" \
  --notification-channels="<notification-channels>"

CIS Controls:

Control | Description | IG 1 | IG 2 | IG 3
8.2 Collect Audit Logs | Enable audit logging across enterprise assets. | | |
8.5 Collect Detailed Audit Logs | Capture detailed logs, including event source, date, user, timestamp, and more. | | |

6.2 Activate Audit Logging | Ensure local logging is enabled on all systems and devices. | | |
6.3 Enable Detailed Logging | Include event source, user details, and timestamp in logs. | | |