Databases Should Have SSL

More Info:

Ensures SQL databases have SSL enabled. Enabling SSL ensures that the sensitive data being transferred from the database is encrypted.

Risk Level

High

Address

Security

Compliance Standards

CISGCP, CBP, HITRUST, NISTCSF, SOC2, PCIDSS

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration “Databases Should Have SSL” for GCP using GCP CLI, follow these steps:

Open the Cloud Shell in the GCP Console.
Run the following command to list all the Cloud SQL instances in your project:

gcloud sql instances list

Identify the instance that needs to be remediated and note down its name.
Run the following command to enable SSL for the Cloud SQL instance:

gcloud sql instances patch [INSTANCE_NAME] --require-ssl

Replace [INSTANCE_NAME] with the name of your Cloud SQL instance.

Verify that SSL is enabled for the Cloud SQL instance by running the following command:

gcloud sql instances describe [INSTANCE_NAME] | grep requireSsl

Replace [INSTANCE_NAME] with the name of your Cloud SQL instance.

If the output of the above command shows “requireSsl: true”, then SSL has been successfully enabled for the Cloud SQL instance.
Repeat the above steps for all the Cloud SQL instances in your project that need to have SSL enabled.

By following the above steps, you can remediate the misconfiguration “Databases Should Have SSL” for GCP using GCP CLI.

Using Python

To remediate the misconfiguration of databases not having SSL in GCP using Python, you can follow the below steps:

First, connect to the Cloud SQL instance using the Cloud SQL Admin API and authenticate using the Google Application Default Credentials (ADC).

from google.oauth2 import service_account
from googleapiclient.discovery import build
from googleapiclient.errors import HttpError

# Authenticate using ADC
credentials = service_account.Credentials.from_service_account_file(
    '/path/to/adc.json')

# Connect to Cloud SQL Admin API
service = build('sqladmin', 'v1beta4', credentials=credentials)

Next, retrieve the current instance settings using the instances().get() method.

# Get current instance settings
instance = service.instances().get(project='my-project', instance='my-instance').execute()

Check if SSL is enabled for the instance. If not, enable it using the settings().update() method.

# Check if SSL is enabled
if not instance['settings']['ipConfiguration']['requireSsl']:
    # Enable SSL
    instance['settings']['ipConfiguration']['requireSsl'] = True
    request = service.instances().update(project='my-project', instance='my-instance', body=instance)
    response = request.execute()

Finally, verify that SSL is enabled by checking the requireSsl property of the instance settings.

# Verify SSL is enabled
if instance['settings']['ipConfiguration']['requireSsl']:
    print('SSL is enabled for the instance.')
else:
    print('Failed to enable SSL for the instance.')

By following the above steps, you can remediate the misconfiguration of databases not having SSL in GCP using Python.

Additional Reading:

https://cloud.google.com/sql/docs/mysql/instance-settings

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

Databases Should Have SSL

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: