Control: 6.5 Ensure that Cloud SQL database instances are not open to the world
Database Server should accept connections only from trusted Network(s)/IP(s) and restrict access from the world.
To minimize attack surface on a Database server instance, only trusted/known and required IP(s) should be white-listed to connect to it.
An authorized network should not have IPs/networks configured to 0.0.0.0/0 which will allow access to the instance from anywhere in the world. Note that authorized networks apply only to instances with public IPs.
This recommendation is applicable for PostgreSQL, MySQL generation 1, MySQL generation 2 and SQL Server 2017 instances.
- Login in to Cloud SQL Instances
- Select the SQL Server instance to open details page.
- Under Configuration section
- Click on Edit Configurations
- In the edit page, navigate to Flags and Parameters section
Configurationoptions expand the
- Click the delete icon for the authorized network 0.0.0.0/0.
- Click Save to update the instance
From Command Line
Update the authorized network list by dropping off any addresses
gcloud sql instances patch INSTANCE_NAME --authorizednetworks=IP_ADDR1,IP_ADDR2,...
Note: By default, authorized networks are not configured. Remote connection to Cloud SQL database instance is not possible unless authorized networks are configured.
steampipe check gcp_compliance.control.cis_v120_6_5
This control uses a named query:sql_instance_not_open_to_internet