lacework-global-271
6.4 Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL (Automated)
Profile Applicability
• Level 1
Description
It is recommended to enforce all incoming connections to SQL database instance to use SSL.
Rationale
SQL database connections if successfully trapped (MITM); can reveal sensitive data like credentials, database queries, query outputs etc. For security, it is recommended to always use SSL encryption when connecting to your instance. This recommendation is applicable for Postgresql, MySql generation 1, MySql generation 2 and SQL Server 2017 instances.
Impact
After enforcing SSL connection, existing client will not be able to communicate with SQL server unless configured with appropriate client-certificates to communicate to SQL database instance.
Audit
From Console:
Click on an instance name to see its configuration overview.
In the left-side panel, select
Connections
.In the
SSL connections
section, ensure thatOnly secured connections are allowed to connect to this instance.
.
From Command Line:
- Get the detailed configuration for every SQL database instance using the following command:
gcloud sql instances list --format=json
Ensure that section settings: ipConfiguration
has the parameter requireSsl
set to true
.
Remediation
From Console:
Click on an instance name to see its configuration overview.
In the left-side panel, select
Connections
.In the
SSL connections
section, clickAllow only SSL connections
.Under
Configure SSL server certificates
clickCreate new certificate
.Under
Configure SSL client certificates
clickCreate a client certificate
.Follow the instructions shown to learn how to connect to your instance.
From Command Line:
To enforce SSL encryption for an instance run the command:
gcloud sql instances patch <INSTANCE_NAME> --require-ssl
note
RESTART
is required for type MySQL Generation 1 Instances (backendType: FIRST_GEN
) to get this configuration in effect.
References
https://cloud.google.com/sql/docs/postgres/configure-ssl-instance/
Additional Information
By default Settings: ipConfiguration
has no authorizedNetworks
set/configured. In that case even if by default requireSsl
is not set, which is equivalent to requireSsl:false
there is no risk as instance cannot be accessed outside of the network unless authorizedNetworks
are configured. However, If default for requireSsl
is not updated to true
any authorizedNetworks
created later on will not enforce SSL only connection.