More Info:

Ensure that Cloud SQL database instances do not have public IPs.

Risk Level

High

Address

Security

Compliance Standards

CISGCP, CBP, GDPR

Triage and Remediation

Remediation

Using Console

Here are the step-by-step instructions to remediate the “Database Instances Should Not Have Public IPs” misconfiguration in GCP using the GCP console:
  1. Open the GCP Console and go to the Cloud SQL Instances page.
  2. Select the instance for which you want to remove the public IP.
  3. Click the Edit button at the top of the page.
  4. In the Connectivity section, click on the “Public IP” dropdown and select “None”.
  5. Click the Save button to apply the changes.
  6. After removing the public IP, make sure to update your application or services to use the private IP address of the instance for database connectivity.
  7. Verify that the public IP has been removed by checking the instance details page. The “Public IP” field should show as “None”.
By following these steps, you have successfully remediated the “Database Instances Should Not Have Public IPs” misconfiguration in GCP.

To remediate the misconfiguration “Database Instances Should Not Have Public IPs” for GCP using GCP CLI, follow these steps:
  1. Open the Cloud Shell from the GCP console.
  2. Run the following command to list all the database instances in your GCP project:
gcloud sql instances list
  1. Identify the instance that has a public IP address.
  2. Run the following command to update the instance’s settings and remove the public IP address:
gcloud sql instances patch [INSTANCE_NAME] --no-assign-ip
Replace [INSTANCE_NAME] with the name of the instance that has a public IP address.
  1. Confirm the changes by running the following command:
gcloud sql instances describe [INSTANCE_NAME]
  1. Verify that the instance no longer has a public IP address in the output.
By following these steps, you have successfully remediated the misconfiguration “Database Instances Should Not Have Public IPs” for GCP using GCP CLI.
To remediate the misconfiguration of having public IPs on database instances in GCP using Python, follow these steps:
  1. Identify the database instances that have public IPs assigned to them.
    • You can use the google-cloud-sdk command gcloud sql instances list to list all the database instances in your project.
    • Then, you can check the ipAddresses field of each instance to see if it has a public IP assigned to it.
  2. Update the network settings of the database instances to remove the public IP.
    • You can use the google-cloud-sdk command gcloud sql instances patch to update the network settings of the instance.
    • Set the authorized-networks parameter to the list of CIDR blocks that are allowed to access the instance.
    • Set the require-ssl parameter to enforce SSL connections to the instance.
  3. Verify that the public IP has been removed from the database instance.
    • You can use the google-cloud-sdk command gcloud sql instances describe to check the network settings of the instance.
    • Verify that the ipAddresses field does not contain a public IP address.
Here’s a sample Python script that performs these steps:
from google.cloud import sql_v1beta4
from google.auth import compute_engine

# Authenticate using the default credentials
credentials = compute_engine.Credentials()

# Create a client to interact with the Cloud SQL API
client = sql_v1beta4.CloudSqlInstancesServiceClient(credentials=credentials)

# List all the database instances in the project
project_id = "my-project"
instances = client.list(project_id=project_id)

# Iterate over the instances and update their network settings
for instance in instances:
    # Check if the instance has a public IP address
    if instance.ip_addresses and instance.ip_addresses[0].ip_address_type == sql_v1beta4.SqlIpAddressType.PUBLIC:
        # Update the instance's network settings to remove the public IP
        update_mask = sql_v1beta4.field_mask.FieldMask(paths=["settings.ipConfiguration.authorizedNetworks", "settings.ipConfiguration.requireSsl"])
        instance.settings.ip_configuration.authorized_networks = []
        instance.settings.ip_configuration.require_ssl = True
        request = sql_v1beta4.SqlInstancesPatchRequest(instance=instance, update_mask=update_mask)
        response = client.patch(request=request)

        # Verify that the public IP has been removed
        updated_instance = client.get(request=sql_v1beta4.SqlInstancesGetRequest(instance=instance.name))
        if updated_instance.ip_addresses and updated_instance.ip_addresses[0].ip_address_type == sql_v1beta4.SqlIpAddressType.PUBLIC:
            print(f"Failed to remove public IP from instance {instance.name}")
        else:
            print(f"Removed public IP from instance {instance.name}")
Note: This script uses the google-cloud-sql library to interact with the Cloud SQL API. You can install it using pip install google-cloud-sql. Also, make sure that the service account used by the script has the necessary permissions to update the network settings of the database instances.