GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
Databases Should Have SSL
More Info:
Ensures SQL databases have SSL enabled. Enabling SSL ensures that the sensitive data being transferred from the database is encrypted.
Risk Level
High
Address
Security
Compliance Standards
CISGCP, CBP, HITRUST, NISTCSF, SOC2, PCIDSS
Triage and Remediation
Remediation
To remediate the misconfiguration “Databases should have SSL” for GCP using GCP console, follow the below steps:
- Open the GCP Console and navigate to the Cloud SQL Instances page.
- Select the instance that you want to configure SSL for.
- Click on the “Edit” button at the top of the page.
- Scroll down to the “SSL” section and click on the “Show Configuration Options” button.
- Select the option “Server-ca.pem” for “Server Certificate” and “Client-cert.pem” for “Client Certificate”.
- Click on the “Save” button to apply the changes.
After following the above steps, SSL will be enabled for the selected instance in GCP.
To remediate the misconfiguration “Databases Should Have SSL” for GCP using GCP CLI, follow these steps:
-
Open the Cloud Shell in the GCP Console.
-
Run the following command to list all the Cloud SQL instances in your project:
gcloud sql instances list
-
Identify the instance that needs to be remediated and note down its name.
-
Run the following command to enable SSL for the Cloud SQL instance:
gcloud sql instances patch [INSTANCE_NAME] --require-ssl
Replace [INSTANCE_NAME] with the name of your Cloud SQL instance.
- Verify that SSL is enabled for the Cloud SQL instance by running the following command:
gcloud sql instances describe [INSTANCE_NAME] | grep requireSsl
Replace [INSTANCE_NAME] with the name of your Cloud SQL instance.
-
If the output of the above command shows “requireSsl: true”, then SSL has been successfully enabled for the Cloud SQL instance.
-
Repeat the above steps for all the Cloud SQL instances in your project that need to have SSL enabled.
By following the above steps, you can remediate the misconfiguration “Databases Should Have SSL” for GCP using GCP CLI.
To remediate the misconfiguration of databases not having SSL in GCP using Python, you can follow the below steps:
- First, connect to the Cloud SQL instance using the Cloud SQL Admin API and authenticate using the Google Application Default Credentials (ADC).
from google.oauth2 import service_account
from googleapiclient.discovery import build
from googleapiclient.errors import HttpError
# Authenticate using ADC
credentials = service_account.Credentials.from_service_account_file(
'/path/to/adc.json')
# Connect to Cloud SQL Admin API
service = build('sqladmin', 'v1beta4', credentials=credentials)
- Next, retrieve the current instance settings using the
instances().get()method.
# Get current instance settings
instance = service.instances().get(project='my-project', instance='my-instance').execute()
- Check if SSL is enabled for the instance. If not, enable it using the
settings().update()method.
# Check if SSL is enabled
if not instance['settings']['ipConfiguration']['requireSsl']:
# Enable SSL
instance['settings']['ipConfiguration']['requireSsl'] = True
request = service.instances().update(project='my-project', instance='my-instance', body=instance)
response = request.execute()
- Finally, verify that SSL is enabled by checking the
requireSslproperty of the instance settings.
# Verify SSL is enabled
if instance['settings']['ipConfiguration']['requireSsl']:
print('SSL is enabled for the instance.')
else:
print('Failed to enable SSL for the instance.')
By following the above steps, you can remediate the misconfiguration of databases not having SSL in GCP using Python.