Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Enable SSL/TLS for Cloud SQL Incoming Connections

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: CloudSQL-004

Enforce all incoming connections to your Cloud SQL database instances to use SSL/TLS only. If the SSL/TLS protocol is not enforced for all Cloud SQL connections, clients without a valid certificate are allowed to connect to the database.

This rule resolution is part of the Conformity Security & Compliance tool for GCP.

Security

When Cloud SQL database connections are subjected to Man-in-the-Middle (MITM) attacks (also known as hijack attacks), the compromised database can reveal sensitive data such as user credentials, database queries and query outputs. To ensure that your data is encrypted in transit, it is strongly recommended that you enforce using the SSL/TLS protocol for all incoming connections to your Cloud SQL database instances, especially if these are using public IPs.


Audit

To determine if your Cloud SQL database instances requires all incoming connections to use SSL/TLS, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Cloud SQL Instances dashboard at https://console.cloud.google.com/sql/instances.

04 Click on the name (ID) of the database instance that you want to examine.

05 In the navigation panel, select Connections to access the connectivity configuration details available for the selected instance.

06 In the SSL section, under SSL connections, check the configuration status of the SSL Connections feature. If the feature status is set to "Unsecured connections are allowed to connect to this instance.", the selected Cloud SQL database instance is not configured to require all incoming connections to use SSL/TLS.

07 Repeat step no. 4 – 6 to check the feature status for other Cloud SQL instances available within the selected project.

08 Repeat steps no. 2 – 7 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) to list the IDs of all the Google Cloud Platform (GCP) projects available in your Google Cloud account:

gcloud projects list
	--format="table(projectId)"

02 The command output should return the requested GCP project identifiers:

PROJECT_ID
cc-ms-web-project-123123
cc-mobile-project-123123

03 Run sql instances list command (Windows/macOS/Linux) to describe the name of each Cloud SQL database instance provisioned for the selected Google Cloud project:

gcloud sql instances list
	--project cc-ms-web-project-123123
	--format="(NAME)"

04 The command output should return the requested database instance name(s):

NAME
cc-web-sql-server-instance
cc-app-sql-server-instance

05 Run sql instances describe command (Windows/macOS/Linux) using the name of the Cloud SQL database instance that you want to examine as identifier parameter and custom query filters to describe the SSL Connections feature configuration status set for the selected database instance:

gcloud sql instances describe cc-web-sql-server-instance
	--format="table(settings.ipConfiguration.requireSsl)"

06 The command output should return the requested configuration status (true for enabled, false for disabled):

REQUIRE_SSL
False

If the sql instances describe command output returns false for the REQUIRE_SSL configuration attribute, the selected Cloud SQL database instance is not configured to enforce the SSL/TLS protocol for all the incoming connections.

07 Repeat step no. 5 and 6 to check the SSL Connections feature status for other Cloud SQL instances created for the selected project.

08 Repeat steps no. 3 – 7 for each project available within your Google Cloud account.

Remediation / Resolution

To configure your Cloud SQL database instances to enforce SSL/TLS for all incoming connections, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Cloud SQL Instances dashboard at https://console.cloud.google.com/sql/instances.

04 Click on the name/ID of the database instance that you want to reconfigure.

05 In the navigation panel, select Connections to access the connectivity configuration details available for the selected instance.

06 In the SSL section, under SSL connections, click Allow only SSL connections to allow only secured connections to connect to the selected Cloud SQL database instance. Cloud SQL service creates an SSL server certificate automatically when you create your Cloud SQL database instance. As long as the server certificate is valid, you don't have to actively manage this certificate.
Note: Enabling SSL-only connections requires the instance to be restarted. Ensure you make the necessary preparations for sensitive workloads.

07 Once the SSL/TLS protocol is enforced for all incoming connections, if the selected database instance is using a public IP address, you need to add the IP addresses of your Cloud SQL client(s) as authorized network(s) by performing the following operations:

  1. In the Connections section, under Public IP, click Add network button to configure a new authorized network for the selected instance.
  2. On the New network panel, in the Network box, enter the IP address or IP address range you want to allow connections from. The authorized IP address/IP range must use the CIDR format (e.g. 10.50.51.3/32 or 10.50.51.0/24). Optionally, enter a name for the new entry in the Name box. Click Done to close the configuration panel. If necessary, repeat this step to configure new authorized networks.
  3. Click Save to apply the changes.

08 Repeat step no. 4 – 7 to enforce SSL/TLS connections for other Cloud SQL database instances available within the selected project.

09 Repeat steps no. 2 – 8 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run sql instances patch command (Windows/macOS/Linux) using the name of the Cloud SQL database instance that you want to reconfigure as identifier parameter (see Audit section part II to identify the right resource), to enforce SSL/TLS for all the incoming requests made to the selected database instance:

gcloud sql instances patch cc-web-sql-server-instance
	--require-ssl

02 The output should return the sql instances patch command request status:

The following message will be used for the patch API method.
{"name": "cc-web-sql-server-instance", "project": "cc-ms-web-project-123123", "settings": {"ipConfiguration": {"requireSsl": true}}}
Patching Cloud SQL instance...done.
Updated [https://sqladmin.googleapis.com/sql/v1beta4/projects/cc-ms-web-project-123123/instances/cc-web-sql-server-instance].

03 If the reconfigured database instance is using a public IP address, you need to add the IP addresses of your Cloud SQL client(s) as authorized network(s). To configure authorized networks, run sql instances patch command (Windows/macOS/Linux) using the trusted IP address/IP address range you want to allow connections from, as value of the --authorized-networks configuration parameter (CIDR format). IMPORTANT: When adding new IP addresses/ranges to the authorized networks, make sure to also include any IP addresses/ranges that have been already authorized, otherwise, the existing ones will be overwritten and de-authorized:

gcloud sql instances patch cc-web-sql-server-instance
	--authorized-networks="xxx.xxx.xxx.xxx/24"

04 Type Y to confirm the instance configuration change:

The following message will be used for the patch API method.
When adding a new IP address to authorized networks, make sure to also include any IP addresses that have already been authorized. Otherwise, they will be overwritten and de-authorized.
Do you want to continue (Y/n)? Y

05 The output should return the sql instances patch command request status:

The following message will be used for the patch API method.
{"name": "cc-web-sql-server-instance", "project": "cc-ms-web-project-123123", "settings": {"ipConfiguration": {"authorizedNetworks": [{"value": "xxx.xxx.xxx.xxx/24"}]}}}
Patching Cloud SQL instance...done.
Updated [https://sqladmin.googleapis.com/sql/v1beta4/projects/cc-ms-web-project-123123/instances/cc-web-sql-server-instance].

06 Repeat step no. 1 – 5 to enforce SSL/TLS connections for other Cloud SQL database instances provisioned for the selected project.

07 Repeat steps no. 1 – 6 for each project created within your Google Cloud account.

References

Publication date Apr 12, 2021

Unlock the Remediation Steps


Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

Enable SSL/TLS for Cloud SQL Incoming Connections

Risk Level: Medium