Google SQL Instances Do Not Have SSL Configured

Checks to verify that the SSL configuration for the SQL instance is valid with an unexpired SSL certificate. Cloud SQL supports connecting to an instance using the Secure Sockets Layer (SSL) protocol. If you are not connecting to an instance through the Cloud SQL Proxy, you should use SSL so that the data you send to and receive from Google Cloud SQL is protected in transit.

Policy Details

Policy Subtype
Run, Build
Severity
Medium
Template Type
Terraform

Build Rules

SQL Instances do not have SSL configured.
JSON Query:
$.resource[*].google_sql_database_instance exists and $.resource[*].google_sql_ssl_cert !exists
Recommendation:
Recommended solution to configure SSL for SQL Instances.
Ensure that SSL is configured for GCP SQL Instances by making sure a "google_sql_ssl_cert" resource exists in your template.
For example:
{ "google_sql_ssl_cert": [ { "client_cert": [ { "common_name": "client-name", "instance": "google_sql_database_instance.master.name" } ] } ] }
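The build rule above is a JSON-path query over the template; the following added example (not part of this policy page or the Prisma Cloud engine) evaluates that query over two constructed templates in the same resource shape, and goes one step further than the page's rule by checking per instance that some "google_sql_ssl_cert" actually references it through its "instance" attribute.

```python
from typing import Dict, List

# Constructed sample templates in the JSON shape the rule's query walks:
# $.resource[*].google_sql_database_instance and $.resource[*].google_sql_ssl_cert,
# each resource block keyed by its Terraform label ("master", "client_cert").
NONCOMPLIANT_TEMPLATE: Dict = {
    "resource": [
        {"google_sql_database_instance": [
            {"master": [{"name": "master-instance", "database_version": "POSTGRES_13",
                         "region": "us-central1"}]}]},
    ]
}

COMPLIANT_TEMPLATE: Dict = {
    "resource": [
        {"google_sql_database_instance": [
            {"master": [{"name": "master-instance", "database_version": "POSTGRES_13",
                         "region": "us-central1"}]}]},
        {"google_sql_ssl_cert": [
            {"client_cert": [{"common_name": "client-name",
                              "instance": "google_sql_database_instance.master.name"}]}]},
    ]
}


def _labels(template: Dict, resource_type: str) -> Dict[str, Dict]:
    """Map each Terraform label of the given resource type to its attribute block."""
    found: Dict[str, Dict] = {}
    for entry in template.get("resource", []):
        for block in entry.get(resource_type, []):
            for label, attrs in block.items():
                # HCL-to-JSON wraps each block body in a single-element list.
                found[label] = attrs[0] if isinstance(attrs, list) else attrs
    return found


def violates_rule(template: Dict) -> bool:
    """The page's build rule: an SQL instance exists and no google_sql_ssl_cert exists."""
    has_instance = bool(_labels(template, "google_sql_database_instance"))
    has_cert = bool(_labels(template, "google_sql_ssl_cert"))
    return has_instance and not has_cert


def instances_without_cert(template: Dict) -> List[str]:
    """Stricter per-instance variant (goes beyond the page's rule): labels of instances
    that no cert's 'instance' attribute references as google_sql_database_instance.<label>.name."""
    instances = _labels(template, "google_sql_database_instance")
    referenced = {
        attrs.get("instance", "").split(".")[1]
        for attrs in _labels(template, "google_sql_ssl_cert").values()
        if attrs.get("instance", "").startswith("google_sql_database_instance.")
    }
    return sorted(label for label in instances if label not in referenced)
```

A template with a cert that references a different instance label passes the page's existence-only query but is still reported by the per-instance check.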

Run Rule Recommendation

  1. Log in to GCP Console and from Storage, select SQL.
  2. Select the identified SQL instance and select 'SSL' tab.
  3. Review and verify that the SSL certificate is valid with a future expiry date.
  4. To renew or update the SSL certificate, follow the steps from the following link:

Compliance

There are 12 standards that are applicable to this policy:
  • NIST CSF
  • ISO 27001:2013
  • HITRUST CSF v9.3
  • PCI DSS v3.2
  • GDPR
  • HIPAA
  • CSA CCM v3.0.1
  • CIS v1.0.0 (GCP)
  • SOC 2
  • PIPEDA
  • CCPA 2018
  • NIST 800-53 Rev4
