Profile Applicability:

  • Level 1

Description:

It is recommended to enforce SSL encryption for all incoming connections to Cloud SQL database instances to enhance security.

Rationale:

Unencrypted SQL database connections are vulnerable to interception (e.g., MITM attacks), potentially exposing sensitive information like credentials, queries, and data. Enforcing SSL ensures that all data transmitted between clients and the database instance is encrypted. This recommendation applies to PostgreSQL, MySQL (Generations 1 and 2), and SQL Server 2017 instances.

Impact:

Enforcing SSL encryption will prevent existing clients from connecting to the database unless they use SSL for communication. This ensures secure connections but may require configuration updates for existing clients.

Default Value:

By default, the settings.ipConfiguration.sslMode parameter is not set, which allows both encrypted and unencrypted connections (ALLOW_UNENCRYPTED_AND_ENCRYPTED).

Audit Steps:

Using Google Cloud Console:
  1. Navigate to the Cloud SQL Instances page.
  2. Click on the name of the SQL instance to view its configuration.
  3. In the left-hand menu, select Connections.
  4. Verify that the Allow only SSL connections option is enabled in the Security section.

Using Google Cloud CLI:

  1. Execute the following command to retrieve the configuration of all SQL database instances:

     gcloud sql instances list --format=json

  2. Ensure the settings.ipConfiguration.sslMode parameter is set to ENCRYPTED_ONLY for each instance.

Remediation Steps:

Using Google Cloud Console:
  1. Navigate to the Cloud SQL Instances page.
  2. Select the desired instance to view its configuration.
  3. In the left-hand menu, click on Connections.
  4. In the Security section, enable the Allow only SSL connections option.
  5. Under Configure SSL server certificates, click Create new certificate and save the changes.

Using Google Cloud CLI:

  1. Enforce SSL encryption for a specific instance by running the following command:

     gcloud sql instances patch INSTANCE --ssl-mode=ENCRYPTED_ONLY

  2. For MySQL Generation 1 instances (backendType: FIRST_GEN), a restart is required to apply this configuration.
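The audit check above (sslMode must be ENCRYPTED_ONLY, with an unset value meaning the permissive default) and the per-instance remediation command can be combined into one script that reads the JSON produced by gcloud sql instances list --format=json. This is an added example, not part of the benchmark; the instance names and JSON below are constructed sample data, and the script assumes the sslMode and backendType fields appear where the gcloud output places them.

```python
import json

# Constructed sample of `gcloud sql instances list --format=json` output (not real instances).
SAMPLE_GCLOUD_OUTPUT = json.dumps([
    {"name": "orders-db", "backendType": "SECOND_GEN",
     "settings": {"ipConfiguration": {"sslMode": "ENCRYPTED_ONLY"}}},
    {"name": "reports-db", "backendType": "SECOND_GEN",
     "settings": {"ipConfiguration": {"sslMode": "ALLOW_UNENCRYPTED_AND_ENCRYPTED"}}},
    # sslMode absent: the documented default, which still permits unencrypted connections.
    {"name": "legacy-db", "backendType": "FIRST_GEN",
     "settings": {"ipConfiguration": {}}},
])

REQUIRED_SSL_MODE = "ENCRYPTED_ONLY"
DEFAULT_SSL_MODE = "ALLOW_UNENCRYPTED_AND_ENCRYPTED"


def effective_ssl_mode(instance):
    """Return settings.ipConfiguration.sslMode, falling back to the default when unset."""
    ip_config = instance.get("settings", {}).get("ipConfiguration", {})
    return ip_config.get("sslMode") or DEFAULT_SSL_MODE


def audit_ssl_mode(gcloud_json):
    """Return one finding per instance that does not enforce ENCRYPTED_ONLY.

    Each finding carries the instance name, its effective mode, the remediation
    command from this recommendation, and whether a restart is needed (FIRST_GEN).
    """
    findings = []
    for inst in json.loads(gcloud_json):
        mode = effective_ssl_mode(inst)
        if mode == REQUIRED_SSL_MODE:
            continue
        findings.append({
            "instance": inst["name"],
            "ssl_mode": mode,
            "remediation": f"gcloud sql instances patch {inst['name']} --ssl-mode={REQUIRED_SSL_MODE}",
            "restart_required": inst.get("backendType") == "FIRST_GEN",
        })
    return findings


if __name__ == "__main__":
    for f in audit_ssl_mode(SAMPLE_GCLOUD_OUTPUT):
        print(f"{f['instance']}: sslMode={f['ssl_mode']} -> {f['remediation']}"
              + (" (restart required)" if f["restart_required"] else ""))
```

To run it against a real project, replace SAMPLE_GCLOUD_OUTPUT with the text read from standard input and pipe the gcloud command into the script.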

Backout Plan:

Step 1: Revert Configuration

If enforcing SSL causes application failures, revert the sett

gcloud sql instances patch <INSTANCE_NAME> --ssl-mode=ALLOW_UNENCRYPTED_AND_ENCRYPTED

Alternatively, use Cloud SQL Console to disable the "Allow only SSL connections" option.

Step 2: Notify Stakeholders

  • If rollback is necessary, inform application teams about the temporary removal of SSL enforcement.

  • Schedule a future reassessment to enable SSL with proper client updates.

Step 3: Restore from Backup (If Necessary)

  • If configuration issues persist, restore the SQL instance from a previously taken snapshot or backup.

Step 4: Validate Rollback Success

  • Run the audit steps again to confirm that unencrypted connections are now allowed.

  • Ensure that applications function normally without SSL enforcement.

Additional Information:

  • By default, if no authorized networks are configured under settings.ipConfiguration, the instance cannot be accessed from outside the network. However, enabling SSL (ENCRYPTED_ONLY) ensures that all connections—including those added later—use encrypted communication.

CIS Controls:

Control                                               | Description                                                                     | IG 1 | IG 2 | IG 3
3.10 Encrypt Sensitive Data in Transit                | Encrypt sensitive data during transmission using protocols like TLS or OpenSSH. |      |      |
14.4 Encrypt All Sensitive Information in Transit     | Ensure all sensitive information is encrypted when transmitted across networks. |      |      |
16.5 Encrypt Transmittal of Usernames and Credentials | Ensure all authentication credentials are transmitted using encrypted channels. |      |      |