Profile Applicability:

  • Level 1

Description:

Cloud SQL database instances should restrict connections to trusted networks or IP addresses, avoiding access from public IPs.

Rationale:

Restricting database access to trusted or known IPs minimizes the attack surface. Configuring authorized networks with 0.0.0.0/0 allows unrestricted global access, increasing security risks. This applies only to instances with public IPs.

Impact:

Cloud SQL database instances will not be accessible from public IP addresses unless explicitly allowed. Applications or users relying on public IPs must update configurations to use private networks or specific trusted IPs.

Default Value:

By default, authorized networks are not configured, and remote connections to Cloud SQL database instances are not possible unless explicitly authorized.

Audit Steps:

Using Google Cloud Console:

  1. Navigate to the Cloud SQL Instances page.
  2. Select the instance to open its details page.
  3. Under the Configuration section, click Edit configurations.
  4. Expand the Connectivity section.
  5. Ensure no authorized network is configured with the value 0.0.0.0/0.

Using Google Cloud CLI:

  1. Retrieve detailed configurations for all Cloud SQL instances:

     gcloud sql instances list --format=json

  2. Check the settings.ipConfiguration.authorizedNetworks section of each instance to verify that no entry has the value 0.0.0.0/0.

Remediation Steps:

Using Google Cloud Console:

  1. Navigate to the Cloud SQL Instances page.
  2. Select the instance to open its details page.
  3. Under the Configuration section, click Edit configurations.
  4. Expand the Connectivity section.
  5. Delete any authorized network entry with 0.0.0.0/0.
  6. Click Save to apply changes.

Using Google Cloud CLI:

Update the authorized network list so that it contains only trusted IPs or ranges (the flag replaces the whole list, so include every entry that should remain):

gcloud sql instances patch <INSTANCE_NAME> --authorized-networks=IP_ADDR1,IP_ADDR2,...
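Added example, not part of the benchmark text: a Python check that applies the CLI audit step (the settings.ipConfiguration.authorizedNetworks inspection) to the JSON printed by gcloud sql instances list --format=json, and derives the remediation patch command above from the same data, keeping the trusted entries and dropping only the unrestricted one. The instance records are constructed for illustration (names and addresses are made up); the field names settings.ipConfiguration.authorizedNetworks[].value and ipv4Enabled follow the Cloud SQL instance resource, and the --clear-authorized-networks flag used when no trusted entry remains is assumed from the gcloud sql instances patch reference. The check goes slightly beyond the text by flagging any /0 prefix rather than only the literal string 0.0.0.0/0.

```python
"""Audit Cloud SQL authorized networks from gcloud JSON output.

Reads the list that `gcloud sql instances list --format=json` prints,
reports instances whose authorized networks admit every address (0.0.0.0/0),
and builds the `gcloud sql instances patch` command that keeps only the
remaining, trusted entries.
"""
import ipaddress
import json

# Constructed sample (hypothetical instances) of what
# `gcloud sql instances list --format=json` returns for one project.
SAMPLE_GCLOUD_JSON = json.dumps([
    {
        "name": "orders-db",
        "settings": {"ipConfiguration": {
            "ipv4Enabled": True,
            "authorizedNetworks": [
                {"name": "office", "value": "203.0.113.10/32"},
                {"name": "anywhere", "value": "0.0.0.0/0"},
            ]}},
    },
    {
        "name": "reporting-db",
        "settings": {"ipConfiguration": {
            "ipv4Enabled": True,
            "authorizedNetworks": [
                {"name": "bastion", "value": "198.51.100.7"},
            ]}},
    },
    {
        "name": "legacy-db",
        "settings": {"ipConfiguration": {
            "ipv4Enabled": True,
            "authorizedNetworks": [
                {"name": "open", "value": "0.0.0.0/0"},
            ]}},
    },
    {
        # Private-IP only: authorized networks do not apply, out of scope.
        "name": "private-db",
        "settings": {"ipConfiguration": {"ipv4Enabled": False}},
    },
])


def admits_everything(cidr: str) -> bool:
    """True when the authorized-network value is 0.0.0.0/0 (or any /0 prefix),
    i.e. it authorizes every public IPv4 address.

    gcloud accepts a bare address (198.51.100.7) as a /32; strict=False
    tolerates prefixes with host bits set.
    """
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        # Unparseable value: not a /0, but worth surfacing in a real audit.
        return False


def _authorized_networks(inst: dict) -> list:
    return inst.get("settings", {}).get("ipConfiguration", {}).get("authorizedNetworks", [])


def audit_instances(gcloud_json: str) -> dict:
    """Map instance name -> offending authorized-network values.

    Only instances with a public IPv4 address are in scope, as the
    benchmark's rationale states; private-only instances are skipped.
    """
    findings = {}
    for inst in json.loads(gcloud_json):
        if not inst.get("settings", {}).get("ipConfiguration", {}).get("ipv4Enabled", False):
            continue
        bad = [n["value"] for n in _authorized_networks(inst)
               if admits_everything(n.get("value", ""))]
        if bad:
            findings[inst["name"]] = bad
    return findings


def remediation_command(gcloud_json: str, instance_name: str) -> str:
    """Build the patch command that removes the /0 entries and keeps the rest.

    --authorized-networks replaces the entire list, so every trusted entry
    must be passed again; with nothing left, the list is cleared instead
    (--clear-authorized-networks is assumed from the gcloud reference).
    """
    for inst in json.loads(gcloud_json):
        if inst["name"] != instance_name:
            continue
        keep = [n["value"] for n in _authorized_networks(inst)
                if not admits_everything(n.get("value", ""))]
        if keep:
            return f"gcloud sql instances patch {instance_name} --authorized-networks={','.join(keep)}"
        return f"gcloud sql instances patch {instance_name} --clear-authorized-networks"
    raise KeyError(f"no instance named {instance_name}")


if __name__ == "__main__":
    for name, values in audit_instances(SAMPLE_GCLOUD_JSON).items():
        print(f"{name}: unrestricted authorized network(s) {values}")
        print("  fix:", remediation_command(SAMPLE_GCLOUD_JSON, name))
```

In practice, pipe the real gcloud output into audit_instances instead of the constructed sample; review the generated patch command before running it, since it rewrites the whole authorized-network list for the instance.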

Prevention:

To prevent new Cloud SQL instances from being created with unrestricted public IP access, enforce the Restrict Authorized Networks on Cloud SQL Instances organization policy.

Backout Plan:

Step 1: Revert Configuration

If removing public access causes service disruption, re-add the necessary authorized IPs:

gcloud sql instances patch <INSTANCE_NAME> --authorized-networks=IP_ADDR1,IP_ADDR2

  • Only add trusted IPs instead of 0.0.0.0/0.

Step 2: Notify Stakeholders

  • If rollback is required, inform developers and database administrators about temporary access adjustments.

Step 3: Restore from Backup (If Necessary)

  • If access configuration issues persist, restore the SQL instance from a previously taken snapshot or backup.

Step 4: Validate Rollback Success

  • Run the audit steps again to confirm that access is restored only for necessary IPs.

References:

  1. Configuring IP Connections for Cloud SQL

  2. Cloud SQL Connection Policies

Additional Information:

Currently, Google Cloud SQL services do not support IPv6 configurations.

CIS Controls:

  Control | Description | IG 1 | IG 2 | IG 3
  --------|-------------|------|------|-----
  3.3 Configure Data Access Control Lists | Restrict database access using access control lists, allowing connections only from trusted networks. | | |
  14.6 Protect Information Through Access Control Lists | Use access control lists to ensure only authorized individuals can access the database. | | |