Profile Applicability:

  • Level 1

Description:

It is recommended to enable automated backups for all Cloud SQL database instances to safeguard data against loss or damage.

Rationale:

Automated backups provide a mechanism to restore a Cloud SQL instance in case of data loss, corruption, or operational failures. They ensure business continuity by preserving critical data, which is essential for SQL Server, PostgreSQL, MySQL Generation 1, and MySQL Generation 2 instances.

Impact:

Enabling automated backups increases the storage requirements and associated costs. Ensure you have sufficient storage and budget allocated.

Default Value:

By default, automated backups are not enabled for Cloud SQL database instances. Data backups will not occur unless explicitly configured.

Audit Steps:

Using Google Cloud Console:
  1. Navigate to the Cloud SQL Instances page.

  2. Select an instance to view its details.

  3. Go to the Backups menu.

  4. Confirm that Automated backups is enabled and a backup time is specified.

Using Google Cloud CLI:

List all Cloud SQL database instances:

gcloud sql instances list --format=json | jq '. | map(select(.instanceType != "READ_REPLICA_INSTANCE")) | .[].name'

Note: The command excludes read-replica instances, as automated backups are not available for them.

Verify that automated backups are enabled for each instance:

gcloud sql instances describe <INSTANCE_NAME> --format="value(settings.backupConfiguration.enabled)"

The output should return True for all Cloud SQL database instances.
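
Added example (not part of the original benchmark text): the two CLI audit steps above can be collapsed into one pass over the JSON from gcloud sql instances list, which also lets the check fail closed when the backup configuration is missing. It assumes the list output carries the same settings.backupConfiguration block that describe shows, including its startTime field; the instance names in the sample are constructed.

```python
import json
import sys

# Constructed sample shaped like `gcloud sql instances list --format=json` output.
SAMPLE = """[
 {"name": "orders-db", "instanceType": "CLOUD_SQL_INSTANCE",
  "settings": {"backupConfiguration": {"enabled": true, "startTime": "02:00"}}},
 {"name": "legacy-db", "instanceType": "CLOUD_SQL_INSTANCE",
  "settings": {"backupConfiguration": {"enabled": false}}},
 {"name": "scratch-db", "instanceType": "CLOUD_SQL_INSTANCE", "settings": {}},
 {"name": "orders-db-replica", "instanceType": "READ_REPLICA_INSTANCE",
  "settings": {"backupConfiguration": {"enabled": false}}}
]"""


def audit_backups(instances_json):
    """Return {instance name: finding} for every instance that fails the audit."""
    findings = {}
    for inst in json.loads(instances_json):
        # Same filter as the jq expression: read replicas are out of scope.
        if inst.get("instanceType") == "READ_REPLICA_INSTANCE":
            continue
        cfg = (inst.get("settings") or {}).get("backupConfiguration") or {}
        # A missing block or key is treated as disabled, never as a pass.
        if cfg.get("enabled") is not True:
            findings[inst["name"]] = "automated backups not enabled"
        elif not cfg.get("startTime"):
            findings[inst["name"]] = "enabled but no backup start time"
    return findings


if __name__ == "__main__":
    # Live use: gcloud sql instances list --format=json | python3 audit_backups.py
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    failed = audit_backups(data)
    for name, why in sorted(failed.items()):
        print(f"FAIL {name}: {why}")
    sys.exit(1 if failed else 0)
```

The script exits non-zero when any instance fails, so it can gate a scheduled compliance job.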

Remediation Steps:

Using Google Cloud Console:
  1. Navigate to the Cloud SQL Instances page.

  2. Select the instance for which backups need to be enabled.

  3. Click Edit.

  4. In the Backups section, check Enable automated backups and set a backup window.

  5. Click Save to apply the changes.

Using Google Cloud CLI:

List all non-read-replica instances:

gcloud sql instances list --format=json | jq '. | map(select(.instanceType != "READ_REPLICA_INSTANCE")) | .[].name'

Enable automated backups for each instance:

gcloud sql instances patch <INSTANCE_NAME> --backup-start-time <HH:MM>

Note:

  • <HH:MM> specifies the start time of a 4-hour backup window in the UTC±00 time zone.

  • Ensure backups are configured during low-usage periods to minimize disruptions.

Backout Plan:

Step 1: Revert Configuration

If automated backups need to be disabled, run:

gcloud sql instances patch <INSTANCE_NAME> --no-backup

Alternatively, use the Cloud SQL Console to disable automated backups.

Step 2: Notify Stakeholders

  • If rollback is required, inform DB administrators and IT teams about backup changes.

Step 3: Restore from Backup (If Necessary)

  • If an issue arises, restore the SQL instance from the most recent backup.

Step 4: Validate Rollback Success

  • Run the audit steps again to confirm that backups are disabled (if intentional).

  • Ensure that applications continue to function normally.

References:

  1. MySQL Backup and Recovery

  2. PostgreSQL Backup and Recovery

CIS Controls:

Control | Description | IG 1 | IG 2 | IG 3
11.2 Perform Automated Backups | Regularly perform automated backups for enterprise assets based on data sensitivity. | | |
10.1 Ensure Regular Automated Backups | Automatically back up system data on a regular basis to prevent data loss. | | |