DB Instances Should Not Be Publicly Accessible
More Info:
Ensures that SQL instances are not publicly accessible. Public IP associated with these SQL DB Instances should be removed.Risk Level
CriticalAddress
SecurityCompliance Standards
CISGCP, CBP, HITRUST, SOC2, GDPR, NISTCSF, PCIDSS, FedRAMPTriage and Remediation
Remediation
Using Console
Using Console
Sure, here are the step by step instructions to remediate the misconfiguration “DB Instances Should Not Be Publicly Accessible” for GCP using GCP console:
- Open the GCP Console and select the project where the misconfiguration exists.
- Navigate to the Cloud SQL instances page.
- Select the instance that you want to remediate.
- Click on the “Edit” button at the top of the page.
- Scroll down to the “Public IP” section and select “No” for the “Public IP” option.
- Click on the “Save” button at the bottom of the page to apply the changes.
Using CLI
Using CLI
To remediate the misconfiguration of DB Instances being publicly accessible in GCP using GCP CLI, follow the steps below:
- Open the Cloud Shell in your GCP console.
- Run the following command to list all the Cloud SQL instances in your project:
gcloud sql instances list- Identify the instance that is publicly accessible and note down its instance name.
- Run the following command to update the instance’s settings and make it private:
gcloud sql instances patch INSTANCE_NAME --assign-ipReplace INSTANCE_NAME with the name of the instance that you noted down in step 3.- Confirm the changes by running the following command:
gcloud sql instances describe INSTANCE_NAMEReplace INSTANCE_NAME with the name of the instance that you noted down in step 3.- Verify that the “ipConfiguration.authorizedNetworks” field is set to “private” in the output of the above command.
Using Python
Using Python
To remediate the misconfiguration “DB Instances Should Not Be Publicly Accessible” for GCP using Python, you can follow the below steps:Step 1: Create a service account with the required permissions to access the Cloud SQL instance.Step 2: Install the Python client library for Cloud SQL using the following command:Step 3: Use the following Python code to update the instance settings to disable public IP access:Note: Replace
INSTANCE_NAME, PROJECT_ID, and PATH_TO_SERVICE_ACCOUNT_KEY_FILE with the appropriate values for your environment.This code will update the Cloud SQL instance settings to disable public IP access and require SSL encryption for all connections.