More Info:

Ensure that the contained database authentication database flag for Cloud SQL on the SQL Server instance is set to off.

Risk Level

Medium

Address

Security

Compliance Standards

CISGCP, CBP

Triage and Remediation

Remediation

Using Console

To remediate the “Database Authentication Flag Should Be Disabled” misconfiguration for GCP using GCP console, follow these steps:
  1. Open the Google Cloud Console and navigate to the Cloud SQL instances page.
  2. Select the instance you want to remediate.
  3. Click on the Edit button at the top of the page.
  4. Scroll down to the “Authorization” section.
  5. In the “Authorized networks” section, click on the “Add network” button.
  6. Add your IP address or the IP address range that should be authorized to access the instance.
  7. In the “Database flags” section, click on the “Add database flag” button.
  8. Add the flag “skip_grant_tables” and set its value to “on”.
  9. Click on the “Save” button to save the changes.
By following these steps, you have disabled the database authentication flag and added the authorized network to access the instance.

To remediate the “Database Authentication Flag Should Be Disabled” misconfiguration in GCP using GCP CLI, you can follow the below steps:
  1. Open the Cloud Shell in your GCP console.
  2. Run the following command to check the current status of the database authentication flag: 
    gcloud sql instances describe [INSTANCE_NAME] --format="get(settings.authorizedNetworks)"
    Replace [INSTANCE_NAME] with the name of your SQL instance.
  3. If the output of the above command contains “requireSsl: true”, it means that the database authentication flag is enabled and needs to be disabled.
  4. Run the following command to disable the database authentication flag: 
    gcloud sql instances patch [INSTANCE_NAME] --clear settings.requireSsl
    Replace [INSTANCE_NAME] with the name of your SQL instance.
  5. Confirm the change by running the following command: 
    gcloud sql instances describe [INSTANCE_NAME] --format="get(settings.requireSsl)"
    The output should be “False”, indicating that the database authentication flag has been successfully disabled.
  6. Verify that the change has been applied by checking the authorized networks again: 
    gcloud sql instances describe [INSTANCE_NAME] --format="get(settings.authorizedNetworks)"
    The output should not contain “requireSsl: true” anymore.
By following these steps, you should be able to remediate the “Database Authentication Flag Should Be Disabled” misconfiguration in GCP using GCP CLI.
To remediate the misconfiguration “Database Authentication Flag Should be Disabled” in GCP using python, follow the below steps:Step 1: Install the necessary libraries
pip install google-auth google-auth-oauthlib google-auth-httplib2 google-cloud-secret-manager
Step 2: Authenticate to GCP
from google.oauth2 import service_account
from google.cloud import secretmanager

# Replace [PROJECT_ID] with your GCP project ID
project_id = '[PROJECT_ID]'

# Replace [SECRET_NAME] with the name of the secret containing the database authentication flag
secret_name = '[SECRET_NAME]'

# Replace [VERSION] with the version of the secret containing the database authentication flag
version = '[VERSION]'

# Authenticate to GCP using a service account
credentials = service_account.Credentials.from_service_account_file('path/to/service/account/key.json')

# Create a Secret Manager client
client = secretmanager.SecretManagerServiceClient(credentials=credentials)

# Access the secret containing the database authentication flag
name = f"projects/{project_id}/secrets/{secret_name}/versions/{version}"
response = client.access_secret_version(name=name)

# Get the value of the database authentication flag
database_auth_flag = response.payload.data.decode('UTF-8')
Step 3: Remediate the misconfiguration
from google.cloud import secretmanager

# Replace [PROJECT_ID] with your GCP project ID
project_id = '[PROJECT_ID]'

# Replace [SECRET_NAME] with the name of the secret containing the database authentication flag
secret_name = '[SECRET_NAME]'

# Replace [VERSION] with the version of the secret containing the database authentication flag
version = '[VERSION]'

# Replace [DATABASE_AUTH_FLAG_VALUE] with the desired value of the database authentication flag (0 or 1)
database_auth_flag_value = '0'

# Create a Secret Manager client
client = secretmanager.SecretManagerServiceClient()

# Access the secret containing the database authentication flag
name = f"projects/{project_id}/secrets/{secret_name}/versions/{version}"
response = client.access_secret_version(name=name)

# Update the value of the database authentication flag
payload = response.payload
payload.data = database_auth_flag_value.encode('UTF-8')
response = client.update_secret_version(name=name, payload=payload, update_mask={'paths': ['data']})
Note: This code assumes that the database authentication flag is stored in GCP Secret Manager. If the flag is stored elsewhere, such as in a configuration file or environment variable, the code will need to be modified accordingly.