Google SQL Instances With Network Authorization Exposing Them To The Internet

Checks that the SQL instance's network authorization does not allow traffic from the whole Internet (an authorized network of 0.0.0.0/0 or ::/0).

Policy Details

Policy Subtype
Run, Build
Severity
Medium
Template Type
Terraform

Build Rules

SQL Instances with network authorization exposing them to the Internet.
JSON Query:
$.resource[*].google_sql_database_instance[*].*[*].settings[*].ip_configuration[*].authorized_networks[*].value anyEqual 0.0.0.0/0 or $.resource[*].google_sql_database_instance[*].*[*].settings[*].ip_configuration[*].authorized_networks[*].value anyEqual ::/0
Recommendation:
Ensure that the SQL instance's network authorization does not expose it to the Internet: none of the "value" entries under "authorized_networks" in "ip_configuration" may be "0.0.0.0/0" or "::/0".
For example:
"ip_configuration": [
  {
    "authorized_networks": [
      {
        "expiration_time": "2017-11-15T16:19:00.094Z",
        "name": "misc",
        "value": "108.12.12.0/24"
      },
      {
        "expiration_time": "2017-11-15T16:19:00.094Z",
        "name": "another",
        "value": "101.0.0.0/16"
      }
    ],
    "ipv4_enabled": "true"
  }
]
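As an added example, not part of this policy page or of Prisma Cloud's own checker: a Python walk over the same JSON shape the query above traverses, flagging any "authorized_networks" entry that covers the whole Internet. It goes slightly beyond the literal string match by normalizing CIDRs with the standard ipaddress module, so equivalent spellings such as "::0/0" are caught too; the resource JSON below is constructed.

```python
import ipaddress

# Constructed sample in the shape the JSON query walks:
# resource[*].google_sql_database_instance[*].<name>[*].settings[*].ip_configuration[*].authorized_networks[*]
SAMPLE_PLAN = {
    "resource": [{
        "google_sql_database_instance": [{
            "restricted": [{"settings": [{"ip_configuration": [{
                "ipv4_enabled": "true",
                "authorized_networks": [
                    {"name": "misc", "value": "108.12.12.0/24"},
                    {"name": "another", "value": "101.0.0.0/16"},
                ],
            }]}]}],
            "wide_open": [{"settings": [{"ip_configuration": [{
                "ipv4_enabled": "true",
                "authorized_networks": [
                    {"name": "office", "value": "203.0.113.0/24"},
                    {"name": "any", "value": "0.0.0.0/0"},
                ],
            }]}]}],
        }],
    }],
}


def is_open_to_internet(cidr: str) -> bool:
    """True if the CIDR covers every IPv4 or IPv6 address (0.0.0.0/0, ::/0, or equivalent spellings)."""
    try:
        net = ipaddress.ip_network(cidr.strip(), strict=False)
    except ValueError:
        return False  # not a CIDR at all; outside this policy's scope
    return net.prefixlen == 0


def exposed_instances(plan: dict) -> dict:
    """Map each exposed instance name to the offending authorized_networks values."""
    findings: dict = {}
    for block in plan.get("resource", []):
        for instance in block.get("google_sql_database_instance", []):
            for name, bodies in instance.items():
                for body in bodies:
                    for settings in body.get("settings", []):
                        for ipc in settings.get("ip_configuration", []):
                            for net in ipc.get("authorized_networks", []):
                                value = str(net.get("value", ""))
                                if is_open_to_internet(value):
                                    findings.setdefault(name, []).append(value)
    return findings
```

`exposed_instances(SAMPLE_PLAN)` returns `{'wide_open': ['0.0.0.0/0']}`; the "restricted" instance from the page's own example passes.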

Run Rule Recommendation

  1. Log in to the GCP Console and, from Storage, select SQL.
  2. Select the identified SQL instance and open 'Authorization'.
  3. Identify 'Authorized networks' containing 0.0.0.0/0.
  4. Delete that record and Save.

Compliance

There are 11 standards that are applicable to this policy:
  • PIPEDA
  • PCI DSS v3.2
  • NIST CSF
  • ISO 27001:2013
  • GDPR
  • HIPAA
  • CIS v1.0.0 (GCP)
  • SOC 2
  • CSA CCM v3.0.1
  • CCPA 2018
  • NIST 800-53 Rev4
