GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
DB Instances Should Not Be Publicly Accessible
More Info:
Ensures that SQL instances are not publicly accessible. Public IP associated with these SQL DB Instances should be removed.
Risk Level
Critical
Address
Security
Compliance Standards
CISGCP, CBP, HITRUST, SOC2, GDPR, NISTCSF, PCIDSS, FedRAMP
Triage and Remediation
Remediation
Sure, here are the step by step instructions to remediate the misconfiguration “DB Instances Should Not Be Publicly Accessible” for GCP using GCP console:
- Open the GCP Console and select the project where the misconfiguration exists.
- Navigate to the Cloud SQL instances page.
- Select the instance that you want to remediate.
- Click on the “Edit” button at the top of the page.
- Scroll down to the “Public IP” section and select “No” for the “Public IP” option.
- Click on the “Save” button at the bottom of the page to apply the changes.
After following these steps, the public IP address of the instance will be removed and the instance will no longer be publicly accessible.
To remediate the misconfiguration of DB Instances being publicly accessible in GCP using GCP CLI, follow the steps below:
-
Open the Cloud Shell in your GCP console.
-
Run the following command to list all the Cloud SQL instances in your project:
gcloud sql instances list
-
Identify the instance that is publicly accessible and note down its instance name.
-
Run the following command to update the instance’s settings and make it private:
gcloud sql instances patch INSTANCE_NAME --assign-ip
Replace INSTANCE_NAME with the name of the instance that you noted down in step 3.
- Confirm the changes by running the following command:
gcloud sql instances describe INSTANCE_NAME
Replace INSTANCE_NAME with the name of the instance that you noted down in step 3.
- Verify that the “ipConfiguration.authorizedNetworks” field is set to “private” in the output of the above command.
Once you have completed the above steps, the DB instance will no longer be publicly accessible and can only be accessed from authorized networks.
To remediate the misconfiguration “DB Instances Should Not Be Publicly Accessible” for GCP using Python, you can follow the below steps:
Step 1: Create a service account with the required permissions to access the Cloud SQL instance.
Step 2: Install the Python client library for Cloud SQL using the following command:
pip install google-cloud-sql
Step 3: Use the following Python code to update the instance settings to disable public IP access:
from google.cloud import sql_v1beta4
from google.oauth2 import service_account
# Set the instance name and project ID
instance_name = 'INSTANCE_NAME'
project_id = 'PROJECT_ID'
# Path to the service account key file
key_path = 'PATH_TO_SERVICE_ACCOUNT_KEY_FILE'
# Create credentials object from the key file
credentials = service_account.Credentials.from_service_account_file(
key_path,
scopes=["https://www.googleapis.com/auth/cloud-platform"],
)
# Create the Cloud SQL admin client
client = sql_v1beta4.SqlInstancesServiceClient(credentials=credentials)
# Get the current settings for the instance
instance = client.get(project=project_id, instance=instance_name)
# Update the instance settings to disable public IP access
settings = instance.settings
settings.ip_configuration.authorized_networks.clear()
settings.ip_configuration.require_ssl = True
settings.ip_configuration.ipv4_enabled = False
settings.ip_configuration.private_network = 'default'
settings.ip_configuration.require_ssl = True
# Apply the updated settings to the instance
update_mask = sql_v1beta4.field_mask.FieldMask(paths=[
'settings.ip_configuration.authorized_networks',
'settings.ip_configuration.ipv4_enabled',
'settings.ip_configuration.private_network',
'settings.ip_configuration.require_ssl'
])
operation = client.patch(project=project_id, instance=instance_name, instance=instance, update_mask=update_mask)
# Wait for the operation to complete
operation.result()
Note: Replace INSTANCE_NAME, PROJECT_ID, and PATH_TO_SERVICE_ACCOUNT_KEY_FILE with the appropriate values for your environment.
This code will update the Cloud SQL instance settings to disable public IP access and require SSL encryption for all connections.