GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
Restrict Authorized Networks on Cloud SQL instances
More Info:
Ensure that “Restrict Authorized Networks on Cloud SQL instances” policy is enforced for your Google Cloud Platform (GCP) organization to deny IAM members to add authorized networks in order to provide access to your security-critical SQL database instances.
Risk Level
Medium
Address
Security, Operational Maturity
Compliance Standards
CBP
Triage and Remediation
Remediation
To remediate the “Restrict Authorized Networks on Cloud SQL instances” misconfiguration on GCP using the GCP console, please follow these steps:
-
Login to your GCP Console and navigate to the Cloud SQL Instances page.
-
Select the Cloud SQL instance that you want to remediate.
-
Click on the “Edit” button at the top of the page.
-
Scroll down to the “Authorized networks” section.
-
Click on the “Add network” button.
-
In the “Network” field, enter the IP address or CIDR range of the network that you want to authorize.
-
In the “Name” field, enter a name for the network.
-
Click the “Done” button.
-
Repeat steps 5-8 for each network that you want to authorize.
-
Once you have added all the authorized networks, click on the “Save” button at the bottom of the page.
-
Verify that the authorized networks are restricted and only authorized IP addresses or CIDR ranges can access the Cloud SQL instance.
By following these steps, you have successfully remediated the “Restrict Authorized Networks on Cloud SQL instances” misconfiguration on GCP using the GCP console.
To remediate the misconfiguration of “Restrict Authorized Networks on Cloud SQL instances” for GCP using GCP CLI, follow these steps:
Step 1: Open the Google Cloud Console and select the project in which the Cloud SQL instance is located.
Step 2: Open the Cloud Shell by clicking on the icon in the top right corner of the console.
Step 3: Run the following command to get a list of all the Cloud SQL instances in the project:
gcloud sql instances list
Step 4: Identify the Cloud SQL instance that needs to be remediated and run the following command to update the authorized networks:
gcloud sql instances patch [INSTANCE_NAME] --authorized-networks [AUTHORIZED_NETWORKS]
Replace [INSTANCE_NAME] with the name of the Cloud SQL instance and [AUTHORIZED_NETWORKS] with the list of authorized networks in CIDR notation. For example, if you want to restrict access to a single IP address, the command would look like this:
gcloud sql instances patch my-instance --authorized-networks=192.168.0.1/32
Step 5: Verify that the authorized networks have been updated by running the following command:
gcloud sql instances describe [INSTANCE_NAME] | grep authorizedNetworks
This command will display the updated list of authorized networks for the Cloud SQL instance.
Step 6: Repeat the above steps for all the Cloud SQL instances in the project that require remediation.
By following these steps, you can remediate the misconfiguration of “Restrict Authorized Networks on Cloud SQL instances” for GCP using GCP CLI.
To remediate the misconfiguration of unrestricted authorized networks on Cloud SQL instances in GCP using Python, follow these steps:
- Import the required libraries:
from google.cloud import sql_v1beta4
from google.oauth2 import service_account
- Set up the credentials for authentication:
credentials = service_account.Credentials.from_service_account_file('<path_to_service_account_file>')
- Set up the Cloud SQL client:
client = sql_v1beta4.CloudSqlInstancesServiceClient(credentials=credentials)
- Get the instance you want to remediate:
instance_name = '<instance_name>'
project_id = '<project_id>'
instance = client.get(project_id=project_id, instance=instance_name)
- Get the current authorized networks:
current_settings = instance.settings
current_networks = current_settings.ip_configuration.authorized_networks
- Remove any unrestricted authorized networks:
new_networks = [network for network in current_networks if network.value != '0.0.0.0/0']
- Update the instance with the new authorized networks:
new_settings = sql_v1beta4.Settings(ip_configuration=sql_v1beta4.IpConfiguration(authorized_networks=new_networks))
update_mask = sql_v1beta4.field_mask.FieldMask(paths=['settings.ip_configuration.authorized_networks'])
update_request = sql_v1beta4.SqlInstancesUpdateRequest(instance=instance, settings=new_settings, update_mask=update_mask)
client.update(update_request=update_request)
This will remove any unrestricted authorized networks from the Cloud SQL instance’s IP configuration and update the instance with the new settings.