Control: 6.1.1 Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges
Description
It is recommended to set a password for the administrative user (root by default) to prevent unauthorized access to the SQL database instances.
This recommendation is applicable only for MySQL Instances. PostgreSQL does not offer any setting for No Password from the cloud console.
At the time of MySQL Instance creation, not providing an administrative password allows anyone to connect to the SQL database instance with administrative privileges. The root password should be set to ensure only authorized users have these privileges.
Remediation
From Console
- Go to the Cloud SQL Instances page in the Google Cloud Platform Console using
https://console.cloud.google.com/sql/ - Select the instance to open its Overview page.
- Select
Access Control > Users. - Click the
More actions iconfor the user to be updated. - Select
Change password, specify aNew password, and clickOK.
From Command Line
- Set a password to a MySql instance:
gcloud sql users set-password root --host=<host> --instance=<instance_name> --prompt-for-password- A prompt will appear, requiring the user to enter a password:
Instance Password:- With a successful password configured, the following message should be seen:
Updating Cloud SQL user...done.Default Value
From the Google Cloud Platform Console, the Create Instance workflow enforces the rule to enter the root password unless the option No Password is selected explicitly.
Usage
Run the control in your terminal:
powerpipe control run gcp_compliance.control.cis_v200_6_1_1Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run gcp_compliance.control.cis_v200_6_1_1 --shareSQL
This control uses a named query:
manual_control