Profile Applicability:

  • Level 1

Description:

It is recommended to configure a password for the administrative user (typically root) on MySQL database instances. This ensures unauthorized users cannot connect with administrative privileges. This recommendation applies only to MySQL instances. For PostgreSQL, password configuration is not exposed through the cloud console.

Rationale:

When creating a MySQL database instance, not setting a password for the root user allows anyone to connect to the instance with administrative privileges. By assigning a secure password, only authorized users can access the database with administrative capabilities, reducing the risk of unauthorized access.

Impact:

Administrative clients must update their connection strings to include the password when accessing the database. Proper password management practices will be required.

Default Value:

By default, the MySQL instance creation workflow enforces a root password unless the No Password option is explicitly selected during instance setup.

Audit Steps:

Using Google Cloud CLI:

List all MySQL database instances in the project:

gcloud sql instances list --filter='DATABASE_VERSION:MYSQL*' --project <project_id> --format="(NAME,PRIMARY_ADDRESS)"

Attempt to connect to each MySQL instance using its IP address:

mysql -u root -h <mysql_instance_ip_address>

  1. Expected Results:

If the command prompts for a password or returns an error such as:

ERROR 1045 (28000): Access denied for user 'root'@'<Instance_IP>' (using password: NO)

  • This indicates the root user requires a password.

  • If the mysql> prompt is returned, it means the root user has no password, and the instance is vulnerable.

Remediation Steps:

From Google Cloud Console:

  1. Navigate to the Cloud SQL Instances page.

                             

  1. Select the target MySQL instance to open its Overview

               

  1. Go to Access Control > Users.

                               

  1. Locate the administrative user (e.g., root).

                     

  1. Click the More actions icon next to the user and select Change password.

                   

  1. Enter a secure password and click OK.

                   

From Google Cloud CLI:

Set a password for the root user on the MySQL instance:

gcloud sql users set-password root --host=<host> --instance=<instance_name> --prompt-for-password

Enter the new password when prompted:

Instance Password:

Confirm the success message:

Updating Cloud SQL user...done.

Backout plan:

  • Revert User Privileges (if privileges were mistakenly removed): To restore privileges for an authorized administrative user:

    gcloud sql users set-privileges [USER_NAME] --instance=[INSTANCE_NAME] --privileges=SUPER

    Alternatively, you can add specific privileges (like ALL PRIVILEGES for the required user):

    gcloud sql users set-privileges [USER_NAME] --instance=[INSTANCE_NAME] --privileges="ALL PRIVILEGES"

  • Review User Access:

  • After restoring access, run the following to verify:

                   gcloud sql users list --instance=[INSTANCE_NAME]

  • Ensure the users have the required privileges.

  1. Reconfigure User Access: If the previous configuration was overly restrictive or needs adjustment, you can modify user roles again through the Cloud SQL console or CLI.

  2. Notify Stakeholders:

    • Inform relevant teams that administrative privileges have been reverted.

    • Review IAM and access policies to ensure only authorized users have administrative privileges.

References:

  1. Google Cloud SQL Documentation - Managing MySQL Users

  2. Google Cloud SQL Documentation - Creating MySQL Instances

CIS Controls:

Control

Description

IG 1

IG 2

IG 3

4.7 Manage Default Accounts

Manage default accounts, including root and other pre-configured vendor accounts. This includes disabling or securing them to prevent unauthorized access.

4.2 Change Default Passwords

Ensure all default passwords are changed before deploying new assets. Set passwords consistent with the security requirements for administrative accounts.