Ensure GCP compute firewall ingress does not allow unrestricted MySQL access

Error: GCP Firewall rule allows all traffic on MySQL DB port (3306)
Bridgecrew Policy ID: BC_GCP_NETWORKING_15
Checkov Check ID: CKV_GCP_88
Severity: LOW

Suggest Edits

GCP Firewall rule allows all traffic on MySQL DB port (3306)

Description

It is a best practice to ensure that your firewall ingress rules do not allow unrestricted access to your MySQL database, as it can increase the risk of unauthorized access or attacks on your database. By restricting access to only specific IP addresses or ranges that you trust, you can help secure your database from potential threats. Additionally, you can use tools like SSL/TLS to encrypt the connection between your database and client, which can help protect against interception of sensitive data.

Fix - Runtime

Fix - Buildtime

Terraform

resource "google_compute_firewall" "restricted" {
  name    = "example"
  network = "google_compute_network.vpc.name"

  allow {
    protocol = "tcp"
    ports    = ["3306"]
  }

  source_ranges = ["172.1.2.3/32"]
}

Updated 9 months ago