Detect GCP Cloud SQL Configuration Changes

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Low (generally tolerable risk)
Rule ID: CloudSQL-029

Trend Micro Cloud One™ – Conformity Real-Time Threat Monitoring and Analysis (RTMA) engine has detected Cloud SQL configuration changes made in your GCP account.
Cloud SQL is a fully managed database service, compatible with the MySQL, PostgreSQL, and SQL Server database engines, that lets you create, maintain, manage, and administer relational databases on Google Cloud Platform (GCP).
As a security best practice, you need to be aware of all configuration changes made at the Cloud SQL service level, such as creating or updating SQL database instances.
Cloud SQL writes audit logs that help you find out who configured your SQL database resources, where, and when. Trend Micro Cloud One™ – Conformity RTMA uses the audit information collected by Google Cloud to process and send notifications about the configuration changes performed at the Cloud SQL level.
The activity detected by the Conformity RTMA feature could be, for example, a user action initiated through the Google Cloud Console or an API request made programmatically through the gcloud CLI that triggers any of the Cloud SQL operations listed below:

  • "cloudsql.instances.create" - Creates a new SQL database instance.
  • "cloudsql.instances.update" - Updates settings of a Cloud SQL database instance by merging the request with the current configuration.
  • "cloudsql.instances.failover" - Performs a manual failover of a primary instance to a standby instance, which becomes the primary instance, then reroutes the clients to the new primary instance.
  • "cloudsql.instances.resetSslConfig" - Deletes all client certificates and generates a new SSL certificate for the SQL database instance.

To maintain service availability, protect against unauthorized access, and prevent unexpected charges on your GCP bill, Trend Micro Cloud One™ – Conformity strongly recommends that you avoid, as much as possible, granting GCP users (other than database administrators) the permission to perform Cloud SQL configuration changes within your GCP account.
The communication channels for sending RTMA notifications can be quickly configured in your Conformity account. The supported communication channels for receiving notification alerts about Cloud SQL configuration changes are SMS, Email, Slack, PagerDuty, ServiceNow, and Zendesk.

This rule resolution is part of the Conformity solution.

Security

High visibility into Cloud SQL activity is a key aspect of security and operational best practice that helps you secure access to your SQL databases in Google Cloud. Therefore, monitoring your GCP account for SQL operations such as "cloudsql.instances.create", "cloudsql.instances.update", "cloudsql.instances.failover", and "cloudsql.instances.resetSslConfig" can provide valuable insight into the configuration changes made at the Cloud SQL service level and can help reduce the time it takes to detect suspicious activity.
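As an added example (not Conformity's or Google's code), the detection logic below runs over constructed Cloud Audit Log entries: it keeps only the four Cloud SQL operations this rule watches, records who made each change and from where, and flags principals outside a hypothetical database-administrator allow-list, in line with the recommendation above; it also builds the matching Cloud Logging filter for `gcloud logging read` or a log sink. Field names follow the Cloud Audit Log `protoPayload` layout; the project, instance, principals and IP addresses are made up.

```python
import json

# Cloud SQL admin operations this rule watches (method names from the rule text)
WATCHED_METHODS = {
    "cloudsql.instances.create",
    "cloudsql.instances.update",
    "cloudsql.instances.failover",
    "cloudsql.instances.resetSslConfig",
}

def logging_filter():
    """Cloud Logging query selecting only the watched Cloud SQL operations (for gcloud logging read or a sink)."""
    clauses = " OR ".join(f'protoPayload.methodName="{m}"' for m in sorted(WATCHED_METHODS))
    return f'protoPayload.serviceName="cloudsql.googleapis.com" AND ({clauses})'

def load_entries(jsonl_text):
    """Parse newline-delimited JSON audit log entries, as a log sink would export them."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]

def detect_cloudsql_changes(entries, db_admins):
    """Return one alert dict per Cloud SQL configuration change in `entries`.
    `db_admins` is a hypothetical allow-list of principals permitted to make such changes."""
    alerts = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if payload.get("serviceName") != "cloudsql.googleapis.com":
            continue
        method = payload.get("methodName", "")
        if method not in WATCHED_METHODS:  # read-only calls such as instances.get never alert
            continue
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
        alerts.append({
            "timestamp": entry.get("timestamp"),
            "method": method,
            "principal": principal,
            "resource": payload.get("resourceName", "<unknown>"),
            "caller_ip": payload.get("requestMetadata", {}).get("callerIp", "<unknown>"),
            "unauthorized": principal not in db_admins,
        })
    return alerts

# Constructed sample entries (not real log data): an authorized create, an
# update by a non-admin principal, and a read-only call that must not alert.
SAMPLE_LOG = """
{"timestamp": "2022-12-14T10:00:00Z", "protoPayload": {"serviceName": "cloudsql.googleapis.com", "methodName": "cloudsql.instances.create", "resourceName": "projects/example-project/instances/orders-db", "authenticationInfo": {"principalEmail": "dba@example.com"}, "requestMetadata": {"callerIp": "203.0.113.10"}}}
{"timestamp": "2022-12-14T10:05:00Z", "protoPayload": {"serviceName": "cloudsql.googleapis.com", "methodName": "cloudsql.instances.update", "resourceName": "projects/example-project/instances/orders-db", "authenticationInfo": {"principalEmail": "dev@example.com"}, "requestMetadata": {"callerIp": "198.51.100.7"}}}
{"timestamp": "2022-12-14T10:06:00Z", "protoPayload": {"serviceName": "cloudsql.googleapis.com", "methodName": "cloudsql.instances.get", "resourceName": "projects/example-project/instances/orders-db", "authenticationInfo": {"principalEmail": "dev@example.com"}}}
"""
```

Calling `detect_cloudsql_changes(load_entries(SAMPLE_LOG), {"dba@example.com"})` yields two alerts, the second marked unauthorized; the `instances.get` entry produces none.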


Publication date Dec 14, 2022
