Ensure GCP PostgreSQL instance database flag log_min_duration_statement is set to -1

Error: GCP PostgreSQL instance database flag log_min_duration_statement is not set to -1

Bridgecrew Policy ID: BC_GCP_SQL_8
Checkov Check ID: CKV_GCP_57
Severity: LOW


Description

Logging SQL statements may expose sensitive information (for example, literal values embedded in queries) that should not be recorded in logs. This recommendation applies to PostgreSQL database instances. The log_min_duration_statement database flag sets the minimum execution time, in milliseconds, above which a completed statement has its duration, together with its text, written to the log. A value of 0 logs every statement; -1 (the PostgreSQL default) turns statement-duration logging off.

We recommend that statement-duration logging is disabled on Cloud SQL PostgreSQL instances. To achieve this, set log_min_duration_statement to -1.

Fix - Runtime

GCP Console

To change the policy using the GCP Console, follow these steps:

  1. Log in to the GCP Console at https://console.cloud.google.com.
  2. Navigate to Cloud SQL Instances.
  3. Select the PostgreSQL instance on which the database flag needs to be set.
  4. Click Edit.
  5. Scroll down to the Flags section.
  6. To set a flag that has not been set on the instance before, click Add item.
  7. Select the flag log_min_duration_statement from the drop-down menu, and set its value to -1.
  8. Click Save.
  9. Confirm the changes in the Flags section on the Overview page.

CLI Command

  1. List all Cloud SQL database instances using the following command:
    gcloud sql instances list
  2. Configure the log_min_duration_statement flag for every Cloud SQL PostgreSQL database instance using the below command:
    gcloud sql instances patch INSTANCE_NAME --database-flags log_min_duration_statement=-1

Note

This command will overwrite all database flags previously set. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (=).
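Because --database-flags replaces the whole flag list, the safe way to apply this fix from the CLI is to read the flags already set on the instance, merge log_min_duration_statement=-1 into that list, and patch with the merged list. The following script is an added example and not part of the original page or of Google's tooling; it also adds a check that treats an absent flag as compliant, since PostgreSQL's default for it is -1. The --flatten/csv projection used in current_flags is an assumption about gcloud's output formatting and should be verified against your gcloud version; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): rebuild the full --database-flags list
# so that setting log_min_duration_statement=-1 does not silently drop other flags.
set -euo pipefail

# merge_flags CURRENT NAME VALUE
# CURRENT is a comma-separated "name=value,..." list as accepted by --database-flags.
# Prints the same list with NAME set to VALUE (replaced if present, appended if not).
merge_flags() {
  local current="$1" name="$2" value="$3"
  local out="" found=0 item
  local IFS=','
  for item in $current; do
    [ -z "$item" ] && continue
    if [ "${item%%=*}" = "$name" ]; then
      item="$name=$value"
      found=1
    fi
    out="${out:+$out,}$item"
  done
  if [ "$found" -eq 0 ]; then
    out="${out:+$out,}$name=$value"
  fi
  printf '%s\n' "$out"
}

# flag_is_disabled FLAGS
# Succeeds when log_min_duration_statement is absent (PostgreSQL default is -1) or
# explicitly -1, i.e. statement-duration logging is off; fails for any other value.
flag_is_disabled() {
  local item
  local IFS=','
  for item in $1; do
    case "$item" in
      log_min_duration_statement=-1) return 0 ;;
      log_min_duration_statement=*) return 1 ;;
    esac
  done
  return 0
}

# current_flags INSTANCE
# Reads the flags presently set on a Cloud SQL instance as "name=value,name=value".
# Requires gcloud and an authenticated session (assumption: --flatten with a csv
# projection yields one "name,value" line per flag; an instance with no flags prints
# nothing, which merge_flags handles).
current_flags() {
  gcloud sql instances describe "$1" \
    --flatten='settings.databaseFlags[]' \
    --format='csv[no-heading](settings.databaseFlags.name,settings.databaseFlags.value)' \
  | tr ',' '=' | paste -sd ',' -
}

# disable_statement_duration_logging INSTANCE
# Patches the instance with its existing flags plus log_min_duration_statement=-1.
disable_statement_duration_logging() {
  local instance="$1" flags
  flags="$(merge_flags "$(current_flags "$instance")" log_min_duration_statement -1)"
  gcloud sql instances patch "$instance" --database-flags "$flags"
}

# Usage (hypothetical instance name):
#   disable_statement_duration_logging my-postgres-instance
#   flag_is_disabled "$(current_flags my-postgres-instance)" && echo compliant
```

Run the script with `source` so the functions are available in the shell, then call disable_statement_duration_logging for each instance returned by `gcloud sql instances list`. Re-running flag_is_disabled after the patch confirms the change without trusting the patch command's exit status alone.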

Fix - Buildtime

Terraform

  • Resource: google_sql_database_instance
  • Arguments:
    database_version = "POSTGRES_*"
    settings.database_flags: name = "log_min_duration_statement", value = "-1" (the PostgreSQL default)
resource "google_sql_database_instance" "default" {
  name             = "master-instance"
  database_version = "POSTGRES_11"
  region           = "us-central1"

  settings {
    # tier is required by the provider; the value is illustrative
    tier = "db-f1-micro"

+   database_flags {
+     name  = "log_min_duration_statement"
+     value = "-1"
+   }
  }
}