More Info:

Ensures that SQL instances are not publicly accessible. Public IP associated with these SQL DB Instances should be removed.

Risk Level

Critical

Address

Security

Compliance Standards

CISGCP, CBP, HITRUST, SOC2, GDPR, NISTCSF, PCIDSS, FedRAMP

Triage and Remediation

Remediation

Using Console

Sure, here are the step by step instructions to remediate the misconfiguration “DB Instances Should Not Be Publicly Accessible” for GCP using GCP console:
  1. Open the GCP Console and select the project where the misconfiguration exists.
  2. Navigate to the Cloud SQL instances page.
  3. Select the instance that you want to remediate.
  4. Click on the “Edit” button at the top of the page.
  5. Scroll down to the “Public IP” section and select “No” for the “Public IP” option.
  6. Click on the “Save” button at the bottom of the page to apply the changes.
After following these steps, the public IP address of the instance will be removed and the instance will no longer be publicly accessible.

To remediate the misconfiguration of DB Instances being publicly accessible in GCP using GCP CLI, follow the steps below:
  1. Open the Cloud Shell in your GCP console.
  2. Run the following command to list all the Cloud SQL instances in your project:
gcloud sql instances list
  1. Identify the instance that is publicly accessible and note down its instance name.
  2. Run the following command to update the instance’s settings and make it private:
gcloud sql instances patch INSTANCE_NAME --assign-ipReplace INSTANCE_NAME with the name of the instance that you noted down in step 3.
  1. Confirm the changes by running the following command:
gcloud sql instances describe INSTANCE_NAMEReplace INSTANCE_NAME with the name of the instance that you noted down in step 3.
  1. Verify that the “ipConfiguration.authorizedNetworks” field is set to “private” in the output of the above command.
Once you have completed the above steps, the DB instance will no longer be publicly accessible and can only be accessed from authorized networks.
To remediate the misconfiguration “DB Instances Should Not Be Publicly Accessible” for GCP using Python, you can follow the below steps:Step 1: Create a service account with the required permissions to access the Cloud SQL instance.Step 2: Install the Python client library for Cloud SQL using the following command:
pip install google-cloud-sql
Step 3: Use the following Python code to update the instance settings to disable public IP access:
from google.cloud import sql_v1beta4
from google.oauth2 import service_account

# Set the instance name and project ID
instance_name = 'INSTANCE_NAME'
project_id = 'PROJECT_ID'

# Path to the service account key file
key_path = 'PATH_TO_SERVICE_ACCOUNT_KEY_FILE'

# Create credentials object from the key file
credentials = service_account.Credentials.from_service_account_file(
    key_path,
    scopes=["https://www.googleapis.com/auth/cloud-platform"],
)

# Create the Cloud SQL admin client
client = sql_v1beta4.SqlInstancesServiceClient(credentials=credentials)

# Get the current settings for the instance
instance = client.get(project=project_id, instance=instance_name)

# Update the instance settings to disable public IP access
settings = instance.settings
settings.ip_configuration.authorized_networks.clear()
settings.ip_configuration.require_ssl = True
settings.ip_configuration.ipv4_enabled = False
settings.ip_configuration.private_network = 'default'
settings.ip_configuration.require_ssl = True

# Apply the updated settings to the instance
update_mask = sql_v1beta4.field_mask.FieldMask(paths=[
    'settings.ip_configuration.authorized_networks',
    'settings.ip_configuration.ipv4_enabled',
    'settings.ip_configuration.private_network',
    'settings.ip_configuration.require_ssl'
])
operation = client.patch(project=project_id, instance=instance_name, instance=instance, update_mask=update_mask)

# Wait for the operation to complete
operation.result()
Note: Replace INSTANCE_NAME, PROJECT_ID, and PATH_TO_SERVICE_ACCOUNT_KEY_FILE with the appropriate values for your environment.This code will update the Cloud SQL instance settings to disable public IP access and require SSL encryption for all connections.

Additional Reading: