Best practice rules for GCP Cloud SQL
- Allow SSL/TLS Connections Only
Ensure that Cloud SQL database instances require SSL/TLS for incoming connections.
- Check for Cloud SQL Database Instances with Public IPs
Ensure that Cloud SQL database instances don't have public IP addresses assigned.
- Check for Idle Cloud SQL Database Instances
Identify idle Cloud SQL database instances and stop them in order to optimize your cloud costs.
- Check for MySQL Major Version
Ensure that MySQL database servers are using the latest major version of MySQL database.
- Check for PostgreSQL Major Version
Ensure that PostgreSQL database servers are using the latest major version of PostgreSQL database.
- Check for Publicly Accessible Cloud SQL Database Instances
Ensure that the authorized networks configured on your Google Cloud SQL database instances list only trusted IP ranges (never 0.0.0.0/0), so that the instances accept connections from trusted networks and IP addresses only.
- Configure "log_error_verbosity" Flag for PostgreSQL Instances
Ensure that PostgreSQL database instances have the appropriate configuration set for the "log_error_verbosity" flag.
- Configure "log_min_error_statement" Flag for PostgreSQL Database Instances
Ensure that PostgreSQL database instances have the appropriate configuration set for the "log_min_error_statement" flag.
- Configure "log_min_messages" Flag for PostgreSQL Instances
Ensure that PostgreSQL database instances have the appropriate configuration set for the "log_min_messages" flag.
- Configure "log_statement" Flag for PostgreSQL Database Instances
Ensure that PostgreSQL database instances have the appropriate configuration set for the "log_statement" flag.
- Configure "max_connections" Flag for PostgreSQL Database Instances
Ensure that PostgreSQL database instances have the appropriate configuration set for the "max_connections" flag.
- Configure 'user connections' Flag for SQL Server Database Instances
Ensure that SQL Server database instances have the appropriate configuration set for the "user connections" flag.
- Configure Automatic Storage Increase Limit
Ensure there is an automatic storage increase limit configured for your Cloud SQL database instances.
- Configure Root Password for MySQL Database Access
Ensure that the MySQL root user has a password configured, so that the database cannot be accessed with administrative privileges without authenticating.
- Detect GCP Cloud SQL Configuration Changes
Detect configuration changes made to Cloud SQL database instances within your Google Cloud Platform (GCP) account, so that unexpected or unauthorized changes can be reviewed.
- Disable "Contained Database Authentication" Flag for SQL Server Database Instances
Ensure that SQL Server database instances have "contained database authentication" flag set to Off.
- Disable "Cross DB Ownership Chaining" Flag for SQL Server Database Instances
Ensure that SQL Server database instances have "cross db ownership chaining" flag set to Off.
- Disable "local_infile" Flag for MySQL Database Instances
Ensure that MySQL database instances have the "local_infile" flag set to Off (disabled).
- Disable "log_min_duration_statement" Flag for PostgreSQL Database Instances
Ensure that PostgreSQL database instances have "log_min_duration_statement" flag set to -1 (Off).
- Disable "log_planner_stats" Flag for PostgreSQL Database Instances
Ensure that the "log_planner_stats" PostgreSQL database flag is set to "off".
- Disable '3625' Trace Flag for SQL Server Database Instances
Ensure that the "3625" trace flag for SQL database servers is set to "off". Check this against the benchmark revision you follow: trace flag 3625 masks the parameters of some error messages for logins that are not members of the sysadmin role, and later revisions of the CIS Google Cloud Platform Foundation Benchmark recommend setting it to "on" for that reason.
- Disable 'external scripts enabled' Flag for SQL Server Database Instances
Ensure that the "external scripts enabled" SQL Server flag is set to "off".
- Disable 'log_executor_stats' Flag for PostgreSQL Database Instances
Ensure that the "log_executor_stats" PostgreSQL database flag is set to "off".
- Disable 'log_parser_stats' Flag for PostgreSQL Database Instances
Ensure that the "log_parser_stats" PostgreSQL database flag is set to "off".
- Disable 'log_statement_stats' Flag for PostgreSQL Database Instances
Ensure that the "log_statement_stats" PostgreSQL database flag is set to "off".
- Disable 'remote access' Flag for SQL Server Database Instances
Ensure that the "remote access" SQL Server flag is set to "off".
- Disable 'user options' Flag for SQL Server Instances
Ensure that the "user options" SQL Server flag is not configured.
- Enable "log_checkpoints" Flag for PostgreSQL Database Instances
Ensure that PostgreSQL database instances have "log_checkpoints" flag set to On.
- Enable "log_checkpoints" Flag for PostgreSQL Database Server Configuration
Ensure that "log_checkpoints" flag is enabled within your PostgreSQL database servers configuration.
- Enable "log_connections" Flag for PostgreSQL Database Instances
Ensure that PostgreSQL database instances have the "log_connections" configuration flag set to On.
- Enable "log_disconnections" Flag for PostgreSQL Database Instances
Ensure that PostgreSQL database instances have the "log_disconnections" flag set to On (enabled).
- Enable "log_lock_waits" Flag for PostgreSQL Database Instances
Ensure that PostgreSQL database instances have the "log_lock_waits" flag set to On.
- Enable "log_temp_files" Flag for PostgreSQL Database Instances
Ensure that PostgreSQL database instances have the "log_temp_files" flag set to 0, so that every temporary file is logged regardless of its size (-1 disables this logging, and a positive value only logs files above that size in kilobytes).
- Enable "skip_show_database" Flag for MySQL Database Instances
Ensure that the "skip_show_database" MySQL database flag is set to "on".
- Enable "slow_query_log" Flag for MySQL Database Servers
Ensure that MySQL database instances have the "slow_query_log" flag set to On (enabled).
- Enable 'cloudsql.enable_pgaudit' and 'pgaudit.log' Flags for PostgreSQL Database Instances
Ensure that the "cloudsql.enable_pgaudit" PostgreSQL database flag is set to "on" and that "pgaudit.log" is configured appropriately.
- Enable 'log_hostname' Flag for PostgreSQL Database Instances
Ensure that the "log_hostname" PostgreSQL database flag is set to "on".
- Enable Automated Backups for Cloud SQL Database Instances
Ensure that Cloud SQL database instances are configured with automated backups.
- Enable Automatic Storage Increase
Ensure that automatic storage increase is enabled for your Cloud SQL database instances.
- Enable Cloud SQL Instance Encryption with Customer-Managed Keys
Ensure that Cloud SQL instances are encrypted with Customer-Managed Keys (CMKs).
- Enable High Availability for Cloud SQL Database Instances
Ensure that production SQL database instances are configured to automatically fail over to another zone within the selected cloud region.
- Enable Point-in-Time Recovery for MySQL Database Instances
Ensure that your MySQL database instances have Point-in-Time Recovery feature enabled.
- Enable SSL/TLS for Cloud SQL Incoming Connections
Ensure that Cloud SQL database instances require all incoming connections to use SSL/TLS.
- Rotate Server Certificates for Cloud SQL Database Instances
Ensure that Cloud SQL server certificates are rotated (renewed) before their expiration.
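
To turn the checklist above into something you can run, here is an added example (not the page's own or Google's tooling) that evaluates a single instance description against the rules that can be judged from the instance resource alone. It assumes the field names of the Cloud SQL Admin API v1 DatabaseInstance resource as printed by `gcloud sql instances describe NAME --format=json`; the two instances embedded in it are constructed samples. Rules that need data outside the resource are left out: idle detection (needs metrics), major-version currency (changes over time), the 3625 trace flag (recommended value depends on the benchmark revision) and configuration-change detection (a log-based alert).

```python
# Added example, not the page's or Google's own tooling: evaluate one Cloud SQL
# instance (the JSON printed by `gcloud sql instances describe NAME --format=json`,
# a v1 Admin API DatabaseInstance resource) against the rules listed above.
import ipaddress

# Expected database flag values per engine, taken from the rule list. The engine is
# the prefix of databaseVersion, e.g. MYSQL_8_0, POSTGRES_15, SQLSERVER_2019_STANDARD.
EXPECTED_FLAGS = {
    "MYSQL": {"local_infile": "off", "skip_show_database": "on", "slow_query_log": "on"},
    "POSTGRES": {
        "log_checkpoints": "on", "log_connections": "on", "log_disconnections": "on",
        "log_lock_waits": "on", "log_temp_files": "0", "log_hostname": "on",
        "log_min_duration_statement": "-1", "log_planner_stats": "off",
        "log_executor_stats": "off", "log_parser_stats": "off",
        "log_statement_stats": "off", "cloudsql.enable_pgaudit": "on",
    },
    "SQLSERVER": {
        "contained database authentication": "off", "cross db ownership chaining": "off",
        "external scripts enabled": "off", "remote access": "off",
    },
}


def evaluate(instance: dict) -> list:
    """Return human-readable findings; an empty list means every check passed."""
    findings = []
    settings = instance.get("settings", {})
    ipcfg = settings.get("ipConfiguration", {})
    engine = instance.get("databaseVersion", "").split("_")[0]

    if ipcfg.get("ipv4Enabled"):
        findings.append("public-ip: instance has a public IPv4 address")
    # Newer responses carry sslMode, older ones only requireSsl; both can express
    # the weak state "unencrypted connections accepted".
    ssl_mode = ipcfg.get("sslMode")
    if ssl_mode == "ALLOW_UNENCRYPTED_AND_ENCRYPTED" or (ssl_mode is None and not ipcfg.get("requireSsl")):
        findings.append("ssl: unencrypted client connections are accepted")
    # A zero-length prefix (0.0.0.0/0 or ::/0) in authorized networks exposes the
    # public IP to every source address; a malformed entry is flagged for review.
    for net in ipcfg.get("authorizedNetworks", []):
        cidr = net.get("value", "")
        try:
            if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                findings.append(f"authorized-networks: {cidr} allows any source address")
        except ValueError:
            findings.append(f"authorized-networks: unparseable entry {cidr!r}")

    backup = settings.get("backupConfiguration", {})
    if not backup.get("enabled"):
        findings.append("backups: automated backups are disabled")
    if engine == "MYSQL" and not backup.get("binaryLogEnabled"):
        findings.append("pitr: binary logging (point-in-time recovery) is disabled")
    if settings.get("availabilityType") != "REGIONAL":
        findings.append("ha: availabilityType is not REGIONAL (no cross-zone failover)")
    if not settings.get("storageAutoResize"):
        findings.append("storage: automatic storage increase is disabled")
    if str(settings.get("storageAutoResizeLimit", "0")) == "0":  # "0" or absent: unbounded
        findings.append("storage: no automatic storage increase limit is set")
    if not instance.get("diskEncryptionConfiguration", {}).get("kmsKeyName"):
        findings.append("cmek: instance is not encrypted with a customer-managed key")

    # An absent flag is reported with found=None so the reader checks the engine
    # default instead of assuming it.
    flags = {f["name"].lower(): str(f.get("value", "")).lower()
             for f in settings.get("databaseFlags", [])}
    for name, want in EXPECTED_FLAGS.get(engine, {}).items():
        if flags.get(name) != want:
            findings.append(f"flag {name}: expected {want!r}, found {flags.get(name)!r}")
    if engine == "SQLSERVER" and "user options" in flags:
        findings.append("flag user options: should not be configured")
    if engine == "POSTGRES" and flags.get("cloudsql.enable_pgaudit") == "on" and "pgaudit.log" not in flags:
        findings.append("flag pgaudit.log: pgaudit is enabled but no statement classes are logged")
    return findings


# Constructed sample: a MySQL instance with the weak settings the rules above flag.
WEAK_INSTANCE = {
    "name": "legacy-mysql", "databaseVersion": "MYSQL_8_0",
    "settings": {
        "availabilityType": "ZONAL", "storageAutoResize": False,
        "ipConfiguration": {"ipv4Enabled": True, "requireSsl": False,
                            "authorizedNetworks": [{"value": "0.0.0.0/0"}]},
        "backupConfiguration": {"enabled": False, "binaryLogEnabled": False},
        "databaseFlags": [{"name": "local_infile", "value": "on"}],
    },
}
# Constructed sample: a PostgreSQL instance configured to pass every check above.
HARDENED_INSTANCE = {
    "name": "prod-postgres", "databaseVersion": "POSTGRES_15",
    "diskEncryptionConfiguration": {"kmsKeyName": "projects/p/locations/us/keyRings/r/cryptoKeys/k"},
    "settings": {
        "availabilityType": "REGIONAL", "storageAutoResize": True, "storageAutoResizeLimit": "500",
        "ipConfiguration": {"ipv4Enabled": False, "sslMode": "ENCRYPTED_ONLY"},
        "backupConfiguration": {"enabled": True, "pointInTimeRecoveryEnabled": True},
        "databaseFlags": [{"name": n, "value": v} for n, v in EXPECTED_FLAGS["POSTGRES"].items()]
                         + [{"name": "pgaudit.log", "value": "all"}],
    },
}
```

Call `evaluate(WEAK_INSTANCE)` to see one finding per failed rule, and `evaluate(HARDENED_INSTANCE)` to get an empty list; in practice, feed it `json.load()` of the gcloud output for each instance in a project. A flag that is absent is reported with `found None` rather than silently passed, because engine defaults differ across versions and the rules above expect the value to be set explicitly.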