More Info:

Ensures SQL databases have SSL enabled. Enabling SSL ensures that the sensitive data being transferred from the database is encrypted.

Risk Level

High

Address

Security

Compliance Standards

CISGCP, CBP, HITRUST, NISTCSF, SOC2, PCIDSS

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Databases should have SSL” for GCP using GCP console, follow the below steps:
  1. Open the GCP Console and navigate to the Cloud SQL Instances page.
  2. Select the instance that you want to configure SSL for.
  3. Click on the “Edit” button at the top of the page.
  4. Scroll down to the “SSL” section and click on the “Show Configuration Options” button.
  5. Select the option “Server-ca.pem” for “Server Certificate” and “Client-cert.pem” for “Client Certificate”.
  6. Click on the “Save” button to apply the changes.
After following the above steps, SSL will be enabled for the selected instance in GCP.

To remediate the misconfiguration “Databases Should Have SSL” for GCP using GCP CLI, follow these steps:
  1. Open the Cloud Shell in the GCP Console.
  2. Run the following command to list all the Cloud SQL instances in your project: 
gcloud sql instances list
  1. Identify the instance that needs to be remediated and note down its name.
  2. Run the following command to enable SSL for the Cloud SQL instance: 
gcloud sql instances patch [INSTANCE_NAME] --require-ssl
Replace [INSTANCE_NAME] with the name of your Cloud SQL instance.
  1. Verify that SSL is enabled for the Cloud SQL instance by running the following command:
gcloud sql instances describe [INSTANCE_NAME] | grep requireSsl
Replace [INSTANCE_NAME] with the name of your Cloud SQL instance.
  1. If the output of the above command shows “requireSsl: true”, then SSL has been successfully enabled for the Cloud SQL instance.
  2. Repeat the above steps for all the Cloud SQL instances in your project that need to have SSL enabled.
By following the above steps, you can remediate the misconfiguration “Databases Should Have SSL” for GCP using GCP CLI.
To remediate the misconfiguration of databases not having SSL in GCP using Python, you can follow the below steps:
  1. First, connect to the Cloud SQL instance using the Cloud SQL Admin API and authenticate using the Google Application Default Credentials (ADC).
from google.oauth2 import service_account
from googleapiclient.discovery import build
from googleapiclient.errors import HttpError

# Authenticate using ADC
credentials = service_account.Credentials.from_service_account_file(
    '/path/to/adc.json')

# Connect to Cloud SQL Admin API
service = build('sqladmin', 'v1beta4', credentials=credentials)
  1. Next, retrieve the current instance settings using the instances().get() method.
# Get current instance settings
instance = service.instances().get(project='my-project', instance='my-instance').execute()
  1. Check if SSL is enabled for the instance. If not, enable it using the settings().update() method.
# Check if SSL is enabled
if not instance['settings']['ipConfiguration']['requireSsl']:
    # Enable SSL
    instance['settings']['ipConfiguration']['requireSsl'] = True
    request = service.instances().update(project='my-project', instance='my-instance', body=instance)
    response = request.execute()
  1. Finally, verify that SSL is enabled by checking the requireSsl property of the instance settings.
# Verify SSL is enabled
if instance['settings']['ipConfiguration']['requireSsl']:
    print('SSL is enabled for the instance.')
else:
    print('Failed to enable SSL for the instance.')
By following the above steps, you can remediate the misconfiguration of databases not having SSL in GCP using Python.

Additional Reading: