More Info:

Ensures automated backups are enabled for SQL instances. Google provides a simple method of backing up SQL instances at a regular interval. This should be enabled to provide an option for restoring data in the event of a database compromise or hardware failure.

Risk Level

Medium

Address

Security, Reliability, Operational Maturity

Compliance Standards

SOC2, CISGCP, CBP, HITRUST, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Automated Backups Should Be Enabled” in GCP using GCP console, please follow the below steps:
  1. Login to your GCP console.
  2. Select the project for which you want to enable automated backups.
  3. Go to the left-hand side menu and select the “SQL” option under the “Storage” section.
  4. Select the instance for which you want to enable automated backups.
  5. Click on the “Edit” button at the top of the page.
  6. Scroll down to the “Backup” section.
  7. In the “Backup configuration” subsection, select the “Enable automatic backups” checkbox.
  8. Set the desired backup start time and frequency.
  9. Set the desired retention period for the backups.
  10. Click on the “Save” button at the bottom of the page to save the changes.
Once you have followed these steps, automated backups will be enabled for your GCP instance and you will be able to ensure that your data is protected in case of any unexpected events.

To remediate the misconfiguration “Automated Backups Should Be Enabled” in GCP using GCP CLI, you can follow the below steps:
  1. Open the command prompt or terminal and authenticate to your GCP account using the following command:
gcloud auth login
  1. Once you are authenticated, set the project that you want to remediate the misconfiguration for using the following command:
gcloud config set project [PROJECT_ID]
  1. Check the current status of automated backups for the GCP instance using the following command:
gcloud sql instances describe [INSTANCE_NAME] --format="value(settings.backupConfiguration.enabled)"
  1. If the output of the above command is “False”, then automated backups are not enabled for the instance. To enable automated backups, run the following command:
gcloud sql instances patch [INSTANCE_NAME] --backup-start-time [HH:MM] --enable-bin-log --backup-location [LOCATION] --backup-retention-period [DAYS] --backup-config-start-time [HH:MM] --backup-config-retain-period [DAYS]
Replace the following placeholders with appropriate values:
  • [INSTANCE_NAME]: Name of the GCP instance that you want to remediate the misconfiguration for.
  • [HH:MM]: Time of day in 24-hour format when you want to start the automated backup.
  • [LOCATION]: Location where you want to store the backups.
  • [DAYS]: Number of days that you want to retain the backups.
For example:
gcloud sql instances patch my-instance --backup-start-time 03:00 --enable-bin-log --backup-location us-central1 --backup-retention-period 7 --backup-config-start-time 03:00 --backup-config-retain-period 7
  1. After running the above command, automated backups will be enabled for the GCP instance. You can verify the status of automated backups using the following command:
gcloud sql instances describe [INSTANCE_NAME] --format="value(settings.backupConfiguration.enabled)"
That’s it! You have successfully remediated the misconfiguration “Automated Backups Should Be Enabled” for GCP using GCP CLI.
To remediate the misconfiguration “Automated Backups Should Be Enabled” in GCP using Python, you can follow the below steps:
  1. Import the necessary libraries:
from googleapiclient import discovery
from oauth2client.client import GoogleCredentials
  1. Authenticate and create a client object:
credentials = GoogleCredentials.get_application_default()
service = discovery.build('sqladmin', 'v1beta4', credentials=credentials)
  1. Get the list of all instances:
instances = service.instances().list(project='project-id', filter='').execute()
  1. Loop through each instance and check if automated backups are enabled:
for instance in instances['items']:
    instance_name = instance['name']
    backup_configuration = instance['settings']['backupConfiguration']
    if not backup_configuration['enabled']:
        # Enable automated backups
        backup_configuration['enabled'] = True
        request = service.instances().update(project='project-id', instance=instance_name, body={'settings': {'backupConfiguration': backup_configuration}})
        response = request.execute()
        print(f"Automated backups enabled for instance {instance_name}")
    else:
        print(f"Automated backups already enabled for instance {instance_name}")
  1. Replace the project-id with your actual project ID and run the script.
This will enable automated backups for all the instances in the specified GCP project.

Additional Reading: