Profile Applicability:
- Level 1
Description:
It is recommended to ensure that the contained database authentication database flag for Cloud SQL SQL Server instances is not set to on.
Rationale:
A contained database includes all the settings and metadata required to define the database, eliminating dependencies on the SQL Server instance where it is installed. When this flag is enabled, users can connect directly to the database without authenticating at the Database Engine level. While this improves database portability, it introduces security risks by moving the authentication boundary to the database level. This can be exploited if the USER WITH PASSWORD authentication is not properly secured. To mitigate such risks, it is recommended to disable this flag.
Impact:
When contained database authentication is disabled (off), contained databases cannot be created or attached to the Database Engine.
Mismanaged logs or incorrect configuration of flags may result in increased storage costs or operational issues.
Changes to database flags via the command line reset all previously set flags to their default values unless explicitly included in the command.
Default Value:
By default, the contained database authentication flag is not enabled (off).
Audit Steps:
Using Google Cloud Console:
Navigate to the Cloud SQL Instances page.
Select the SQL Server instance to open its Instance Overview page.
In the Database Flags section, verify that the contained database authentication flag is either absent or not set to on.
Using Google Cloud CLI:
Run the following command for each SQL Server instance:
gcloud sql instances describe <instance1> --format=json | jq '.settings.databaseFlags[] | select(.name=="contained database authentication")|.value'Confirm that the flag is either not present or its value is off.
Remediation Steps:
Using Google Cloud Console:
Navigate to the Cloud SQL Instances page.
Select the SQL Server instance where the flag needs to be modified.
Click Edit.
Scroll to the Flags section.
If the contained database authentication flag is present and set to on, change its value to off.
Click Save to apply the changes.
Verify the changes under the Flags section on the Overview page.
Using Google Cloud CLI:
Disable the contained database authentication flag using the following command:
gcloud sql instances patch <INSTANCE_NAME> --database-flags "contained database authentication=off"To retain other flags while disabling this one, include all required flags in the command. Any flag not specified will be reset to its default value.
Backout Plan:
Step 1: Revert Configuration
If disabling Contained Database Authentication causes issues, re-enable it by running:
gcloud sql instances patch <INSTANCE_NAME> --database-flags "contained database authentication=on"
Alternatively, use Cloud SQL Console to re-enable the flag.
Step 2: Restore from Backup (If Necessary)
If the issue persists, restore the Cloud SQL instance from a previously taken snapshot or backup.
Step 3: Validate Rollback Success
Run the audit steps again to confirm that the contained database authentication flag is enabled.
Ensure that applications and authentication processes are functioning as expected.
Step 4: Document the Rollback
Update internal security policies and incident reports if necessary.
Plan a future reassessment to disable Contained Database Authentication securely.
References:
Additional Information:
Changing the contained database authentication flag may require the SQL Server instance to restart, potentially affecting availability.
Some database flag changes may impact stability or remove the instance from the Cloud SQL SLA. Refer to the Operational Guidelines for more details.
CIS Controls: