Profile Applicability:
- Level 1
Description:
Cloud SQL database instances should restrict connections to trusted networks or IP addresses, avoiding access from public IPs.
Rationale:
Restricting database access to trusted or known IPs minimizes the attack surface. Configuring authorized networks with 0.0.0.0/0 allows unrestricted global access, increasing security risks. This applies only to instances with public IPs.
Impact:
Cloud SQL database instances will not be accessible from public IP addresses unless explicitly allowed. Applications or users relying on public IPs must update configurations to use private networks or specific trusted IPs.
Default Value:
By default, authorized networks are not configured, and remote connections to Cloud SQL database instances are not possible unless explicitly authorized.
Audit Steps:
Using Google Cloud Console
Navigate to the Cloud SQL Instances page.
Select the instance to open its details page.
Under the Configuration section, click Edit configurations.
Expand the Connectivity section.
Ensure no authorized network is configured with the value 0.0.0.0/0.
Using Google Cloud CLI
Retrieve detailed configurations for all Cloud SQL instances:
gcloud sql instances list --format=json
For each instance, check the settings.ipConfiguration.authorizedNetworks section of the output and verify that no entry has the value 0.0.0.0/0.
Remediation Steps:
Using Google Cloud Console
Navigate to the Cloud SQL Instances page.
Select the instance to open its details page.
Under the Configuration section, click Edit configurations.
Expand the Connectivity section.
Delete any authorized network entry with 0.0.0.0/0.
Click Save to apply changes.
Using Google Cloud CLI
Update the authorized network list to remove public IPs:
gcloud sql instances patch <INSTANCE_NAME> --authorized-networks=IP_ADDR1,IP_ADDR2,...
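The audit and remediation steps above can be scripted against the JSON that `gcloud sql instances list --format=json` prints. The following Python is an added example, not part of this benchmark or of Google's own tooling; the instance names and the JSON document are constructed to mimic only the fields the check reads (`settings.ipConfiguration.ipv4Enabled` and `settings.ipConfiguration.authorizedNetworks[].value`). It goes slightly beyond the literal 0.0.0.0/0 match by treating any /0 prefix as world-open, skips instances that have no public IPv4 address (the control applies only to those with one), and builds the `gcloud sql instances patch` command that keeps the trusted entries and drops the open ones, using the existing `--clear-authorized-networks` flag when nothing would remain.

```python
import ipaddress
import json

# Constructed sample of `gcloud sql instances list --format=json` output, trimmed
# to the fields this check reads. Instance names and addresses are made up.
SAMPLE_GCLOUD_JSON = json.dumps([
    {
        "name": "orders-db",
        "settings": {
            "ipConfiguration": {
                "ipv4Enabled": True,
                "authorizedNetworks": [
                    {"name": "office", "value": "203.0.113.0/24"},
                    {"name": "anywhere", "value": "0.0.0.0/0"},
                ],
            }
        },
    },
    {
        "name": "reports-db",
        "settings": {
            "ipConfiguration": {
                "ipv4Enabled": True,
                "authorizedNetworks": [
                    {"name": "vpn", "value": "198.51.100.7"},
                ],
            }
        },
    },
    {
        # Private-IP-only instance: authorized networks are not reachable, so
        # the control does not apply and a stale open entry is not reported.
        "name": "internal-db",
        "settings": {
            "ipConfiguration": {
                "ipv4Enabled": False,
                "authorizedNetworks": [{"name": "legacy", "value": "0.0.0.0/0"}],
            }
        },
    },
])


def is_open_to_world(cidr: str) -> bool:
    """True when an authorized-network entry admits every IPv4 address.

    gcloud accepts both bare addresses and CIDR ranges, so a bare address is
    treated as a /32. Any /0 prefix is equivalent to 0.0.0.0/0.
    """
    net = ipaddress.ip_network(cidr.strip(), strict=False)
    return net.prefixlen == 0


def audit(gcloud_json: str) -> dict:
    """Map instance name -> list of offending authorized-network values.

    Only instances with a public IPv4 address are evaluated.
    """
    findings = {}
    for inst in json.loads(gcloud_json):
        ipcfg = inst.get("settings", {}).get("ipConfiguration", {})
        if not ipcfg.get("ipv4Enabled", False):
            continue
        bad = [n["value"] for n in ipcfg.get("authorizedNetworks", [])
               if is_open_to_world(n["value"])]
        if bad:
            findings[inst["name"]] = bad
    return findings


def remediation_command(gcloud_json: str, instance_name: str) -> str:
    """Build the gcloud patch command that keeps every trusted entry and drops
    the world-open ones for the named instance."""
    for inst in json.loads(gcloud_json):
        if inst["name"] != instance_name:
            continue
        ipcfg = inst.get("settings", {}).get("ipConfiguration", {})
        keep = [n["value"] for n in ipcfg.get("authorizedNetworks", [])
                if not is_open_to_world(n["value"])]
        if keep:
            return (f"gcloud sql instances patch {instance_name} "
                    f"--authorized-networks={','.join(keep)}")
        # Nothing trusted remains: clear the list rather than pass an empty value.
        return f"gcloud sql instances patch {instance_name} --clear-authorized-networks"
    raise KeyError(f"no instance named {instance_name!r} in gcloud output")


if __name__ == "__main__":
    # In practice, feed the real output of `gcloud sql instances list --format=json`.
    for name, bad in audit(SAMPLE_GCLOUD_JSON).items():
        print(f"{name}: world-open authorized networks {bad}")
        print("  fix:", remediation_command(SAMPLE_GCLOUD_JSON, name))
```

Review the generated command before running it: `--authorized-networks` replaces the whole list, so an entry missing from the JSON you parsed (for example one added after the listing was taken) would be dropped as well.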
Prevention:
To prevent new Cloud SQL instances from being created with unrestricted public access, enforce the Restrict Authorized Networks on Cloud SQL Instances organization policy.
Backout Plan:
Step 1: Revert Configuration
If removing public access causes service disruption, re-add the necessary authorized IPs:
gcloud sql instances patch <INSTANCE_NAME> --authorized-networks=IP_ADDR1,IP_ADDR2
Only add trusted IPs instead of 0.0.0.0/0.
Step 2: Notify Stakeholders
If rollback is required, inform developers and database administrators about temporary access adjustments.
Step 3: Restore from Backup (If Necessary)
If access configuration issues persist, restore the SQL instance from a previously taken snapshot or backup.
Step 4: Validate Rollback Success
Run the audit steps again to confirm that access is restored only for necessary IPs.
References:
Additional Information:
Currently, Google Cloud SQL services do not support IPv6 configurations.
CIS Controls: