Ensure that the "log_connections" database flag is enabled for your Google Cloud PostgreSQL database instances. The "log_connections" flag causes each attempted connection to the database instance to be logged, including successful client authentication requests. Only PostgreSQL database administrators can change this parameter at session start, and it cannot be changed after the session starts.
By default, the PostgreSQL database engine does not log attempted connections. Enabling the "log_connections" flag will create log entries for each attempted connection as well as entries for successful completion of client authentication. The logging data generated by this configuration flag can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance for your Google Cloud PostgreSQL database instances.
Note: Some database flag settings can affect instance availability and/or stability, and eventually remove the PostgreSQL instance from the Google Cloud SQL Service Level Agreement (SLA).
To determine if the "log_connections" flag is enabled for your Google Cloud PostgreSQL database instances, perform the following operations:
Remediation / Resolution
To turn on the "log_connections" database flag for your Google Cloud Platform (GCP) PostgreSQL database instances, perform the following operations:
You are auditing:
Enable "log_connections" Flag for PostgreSQL Database Instances
Risk level: Medium