GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
Restrict Public IP Access for Cloud SQL Instances at Organization Level
More Info:
Ensure that “Restrict Public IP access on Cloud SQL instances” policy is enforced for your Google Cloud organizations. Due to strict security and compliance regulations, you can’t allow GCP members to configure security-critical database instances with public IPs.
Risk Level
Medium
Address
Security, Operational Maturity
Compliance Standards
CISGCP, CBP
Triage and Remediation
Remediation
To remediate the misconfiguration of Restricting Public IP Access for Cloud SQL Instances at Organization Level in GCP, follow these steps:
-
Open the GCP console and select the organization that you want to remediate the misconfiguration for.
-
Go to the Cloud SQL Instances page by clicking on the hamburger menu on the top left corner of the console and selecting SQL under the Storage section.
-
Click on the instance that you want to remediate the misconfiguration for.
-
Click on the Edit button at the top of the instance details page.
-
Scroll down to the Connectivity section and click on the Private IP button.
-
Under the Private IP section, select the checkbox for “Enable Private IP” to allow the instance to be accessed only through private IP addresses.
-
Click on the Save button at the bottom of the page to apply the changes.
-
Repeat steps 3-7 for all the Cloud SQL instances in the organization to ensure that they are only accessible through private IP addresses.
By following these steps, you have successfully remediated the misconfiguration of Restricting Public IP Access for Cloud SQL Instances at Organization Level in GCP.
To remediate the misconfiguration of allowing public IP access for Cloud SQL instances at the organization level in GCP using GCP CLI, you can follow these steps:
-
Open the Cloud Shell in the GCP console.
-
Run the following command to check if any Cloud SQL instances have public IP addresses:
gcloud sql instances list -
If any instances have public IP addresses, note down their names.
-
Run the following command to update the instances to not allow public IP access:
gcloud sql instances patch INSTANCE_NAME --no-assign-ipReplace INSTANCE_NAME with the name of the instance that you want to update.
-
Repeat step 4 for all instances that have public IP addresses.
-
Verify that the instances no longer have public IP addresses by running the following command:
gcloud sql instances describe INSTANCE_NAME | grep ipAddressReplace INSTANCE_NAME with the name of the instance that you want to verify.
If the output shows
ipAddress: <unset>, then the instance no longer has a public IP address. -
Repeat step 6 for all instances that you updated.
By following these steps, you can remediate the misconfiguration of allowing public IP access for Cloud SQL instances at the organization level in GCP using GCP CLI.
To remediate the misconfiguration of Restricting Public IP Access for Cloud SQL Instances at the organization level in GCP using Python, you can follow the below steps:
-
First, you need to identify all the Cloud SQL instances that have public IP access enabled in your organization. You can use the Google Cloud SDK to list all the instances with public IP access enabled using the following command:
gcloud sql instances list --filter "settings.ipConfiguration.authorizedNetworks.cidrBlock='0.0.0.0/0'" -
Once you have identified the instances that have public IP access enabled, you need to update their network configuration to restrict public IP access. You can use the Google Cloud Python SDK to update the network configuration of the instances using the following code:
from google.cloud import sql_v1beta4 from google.protobuf.field_mask_pb2 import FieldMask client = sql_v1beta4.CloudSqlInstancesServiceClient() instance_name = "projects/{project_id}/instances/{instance_id}".format( project_id="your-project-id", instance_id="your-instance-id" ) instance = client.get_instance(name=instance_name) # Update the authorized networks to restrict public IP access instance.settings.ip_configuration.authorized_networks = [] # Update the instance with the new network configuration update_mask = FieldMask(paths=["settings.ip_configuration.authorized_networks"]) updated_instance = client.update_instance(instance=instance, update_mask=update_mask) -
You can run the above code for all the instances that have public IP access enabled to update their network configuration and restrict public IP access.
By following the above steps, you can remediate the misconfiguration of Restricting Public IP Access for Cloud SQL Instances at the organization level in GCP using Python.