6.6 Ensure That Cloud SQL Database Instances Do Not Have Public IPs

Information

It is recommended to configure Second Generation Sql instance to use private IPs instead of public IPs.

Rationale:

To lower the organization's attack surface, Cloud SQL databases should not have public IPs. Private IPs provide improved network security and lower latency for your application.

Impact:

Removing the public IP address on SQL instances may break some applications that relied on it for database connectivity.

Solution

From Google Cloud Console

Go to the Cloud SQL Instances page in the Google Cloud Console: https://console.cloud.google.com/sql/instances

Click the instance name to open its Instance details page.

Select the Connections tab.

Deselect the Public IP checkbox.

Click Save to update the instance.

From Google Cloud CLI

For every instance remove its public IP and assign a private IP instead:

gcloud sql instances patch <INSTANCE_NAME> --network=<VPC_NETWORK_NAME> --no-assign-ip

Confirm the changes using the following command::

gcloud sql instances describe <INSTANCE_NAME>

Prevention:
To prevent new SQL instances from getting configured with public IP addresses, set up a Restrict Public IP access on Cloud SQL instances Organization policy at: https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp.

Default Value:

By default, Cloud Sql instances have a public IP.

See Also

https://workbench.cisecurity.org/benchmarks/11843

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: GCP

Control ID: 88292a277b14b3a3df5e49f1f114305fa4229140fe367293db9f2c7dd2cc7dc2