Skip to main content

lacework-global-271

6.4 Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL (Automated)

Profile Applicability

• Level 1

Description

Best practices recommend enforcing all incoming connections to SQL database instance to use SSL.

Rationale

SQL database connections if successfully trapped (MITM); can reveal sensitive data like credentials, database queries, query outputs etc. For security, it is recommended to always use SSL encryption when connecting to your instance. This recommendation is applicable for Postgresql, MySql generation 1, MySql generation 2 and SQL Server 2017 instances.

Impact

After enforcing SSL connection, existing client will not be able to communicate with SQL server unless configured with appropriate client-certificates to communicate to SQL database instance.

Audit

From Console:

  1. Go to https://console.cloud.google.com/sql/instances.

  2. Click on an instance name to see its configuration overview.

  3. In the left-side panel, select Connections.

  4. In the SSL connections section, ensure that Only secured connections are allowed to connect to this instance..

From Command Line:

  1. Get the detailed configuration for every SQL database instance using the following command:
gcloud sql instances list --format=json

Ensure that section settings: ipConfiguration has the parameter requireSsl set to true.

Remediation

From Console:

  1. Go to https://console.cloud.google.com/sql/instances.

  2. Click an instance name to see its configuration overview.

  3. In the left-side panel, select Connections.

  4. In the SSL connections section, click Allow only SSL connections.

  5. Under Configure SSL server certificates click Create new certificate.

  6. Under Configure SSL client certificates click Create a client certificate.

  7. Follow the instructions shown to learn how to connect to your instance.

From Command Line:

To enforce SSL encryption for an instance run the command:

gcloud sql instances patch <instance_name> --require-ssl
note

You must restart type MySQL Generation 1 Instances (backendType: FIRST_GEN) to get this configuration in effect.

References

https://cloud.google.com/sql/docs/postgres/configure-ssl-instance/

Additional Information

By default Settings: ipConfiguration has no authorizedNetworks set/configured. In that case even if by default requireSsl is not set, which is equivalent to requireSsl:false there is no risk as instance is inaccessible outside of the network without authorizedNetworks configured. However, if default for requireSsl is not updated to true any authorizedNetworks created do not enforce SSL only connection.

Last updated on