Ensure Cloud SQL database instances are not publicly accessible

Error: Cloud SQL database instances are publicly accessible

Bridgecrew Policy ID: BC_GCP_NETWORKING_4
Checkov Check ID: CKV_GCP_11
Severity: HIGH

Description

Cloud SQL is a fully managed relational database service for MySQL, PostgreSQL, and SQL Server. It offers data encryption at rest and in transit, private connectivity with VPC, and user-controlled network access with firewall protection.

It is possible to configure Cloud SQL to have a public IPv4 address. This means your instance can accept connections from specific IP addresses, or a range of addresses, by adding authorized addresses to your instance. We do not recommend this option.

We recommend ensuring that Cloud SQL database instances are not publicly accessible, to protect against attackers who scan the internet for exposed databases.

Fix - Runtime

GCP Console

To change the policy using the GCP Console, follow these steps:

  1. Log in to the GCP Console at https://console.cloud.google.com.
  2. Navigate to the Cloud SQL Instances page.
  3. Click the instance name to open its Overview page.
  4. Select the Connections tab.
  5. Select the Private IP checkbox.
  6. A drop-down list shows the available networks in your project. If your project is the service project of a Shared VPC, VPC networks from the host project are also shown.

If you have configured private services access, select the VPC network you want to use:

  1. A drop-down shows the IP address range you allocated.
  2. Click Connect.
  3. Click Save.

To let Cloud SQL allocate an IP address for you:

  1. Select the default VPC network.
  2. Click Allocate and connect.
  3. Click Save.

CLI Command

VPC_NETWORK_NAME is the name of your chosen VPC network, for example: my-vpc-network. The --network parameter value is in the format: https://www.googleapis.com/compute/alpha/projects/[PROJECT_ID]/global/networks/[VPC_NETWORK_NAME]

gcloud --project=[PROJECT_ID] beta sql instances patch [INSTANCE_ID] \
    --network=[VPC_NETWORK_NAME] \
    --no-assign-ip

Fix - Buildtime

Terraform

  • Resource: google_sql_database_instance
  • Argument: settings.ip_configuration.private_network (Optional)
    The VPC network from which the Cloud SQL instance is accessible for private IP. For example, projects/myProject/global/networks/default. Specifying a network enables private IP. Either ipv4_enabled must be enabled or a private_network must be configured. This setting can be updated, but it cannot be removed after it is set.

resource "google_compute_network" "private_network" {
  provider = google-beta

  name = "private-network"
}

resource "google_compute_global_address" "private_ip_address" {
  provider = google-beta

  name          = "private-ip-address"
  purpose       = "VPC_PEERING"
  address_type  = "INTERNAL"
  prefix_length = 16
  network       = google_compute_network.private_network.id
}
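The two resources above only prepare the VPC and the peering range; the instance itself still has to be created without a public IPv4 address. The following added example (not from the original page) completes that configuration with a service networking connection that consumes the allocated range and a google_sql_database_instance that disables ipv4_enabled and sets private_network. Instance name, region, database version and tier are assumed values.

```hcl
# Added example (not from the original page): completes the private-IP
# configuration begun by the google_compute_network and
# google_compute_global_address resources above. Instance name, region,
# database version and tier are assumed placeholder values.

# Peer the VPC with Google's service producer network, consuming the
# "private-ip-address" range allocated above. Private IP for Cloud SQL
# requires this peering to exist before the instance is created.
resource "google_service_networking_connection" "private_vpc_connection" {
  provider = google-beta

  network                 = google_compute_network.private_network.id
  service                 = "servicenetworking.googleapis.com"
  reserved_peering_ranges = [google_compute_global_address.private_ip_address.name]
}

# The instance itself: no public IPv4 address, reachable only through the
# peered VPC. This is the state the policy above requires.
resource "google_sql_database_instance" "private_instance" {
  provider = google-beta

  name             = "private-instance" # assumed name
  region           = "us-central1"      # assumed region
  database_version = "MYSQL_8_0"        # assumed engine and version

  # The peering must be in place before the instance is created.
  depends_on = [google_service_networking_connection.private_vpc_connection]

  settings {
    tier = "db-f1-micro" # assumed machine tier

    ip_configuration {
      # Disabling the public IPv4 address is the remediation for this policy;
      # private_network makes the instance reachable only from the peered VPC.
      ipv4_enabled    = false
      private_network = google_compute_network.private_network.id
    }
  }
}
```

Once applied, `gcloud sql instances describe private-instance` should list only a PRIVATE address under ipAddresses and no PRIMARY (public) one.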