Ensure that Google Cloud VPC network firewall rules do not allow unrestricted access (i.e. 0.0.0.0/0) on TCP port 3306 in order to reduce the exposure to security risks and protect the virtual machine (VM) instances targeted by the firewall rules. TCP port 3306 is used by the MySQL Database Server, a popular open-source relational database management system (RDBMS).
Allowing unrestricted ingress access on TCP port 3306 (MySQL Database Server) through VPC network firewall rules can increase opportunities for malicious activities such as brute-force or bypass authentication attacks, and SQL injection attacks. VPC firewall rules should be configured so that access to specific resources is restricted to just those hosts or networks that have a legitimate requirement for access.
Audit
To determine if your Google Cloud VPC firewall rules allow unrestricted access on TCP port 3306, perform the following actions:
Remediation / Resolution
To update your VPC network firewall rules configuration in order to restrict MySQL Database Server access to trusted entities only (i.e. authorized IP addresses or IP ranges), perform the following actions:
References
- Google Cloud Platform (GCP) Documentation
- VPC network overview
- Using VPC networks
- VPC firewall rules overview
- Using firewall rules
- GCP Command Line Interface (CLI) Documentation
- gcloud projects list
- gcloud compute networks list
- gcloud compute firewall-rules list
- gcloud compute firewall-rules update
Unlock the Remediation Steps
Free 30-day Trial
Automatically audit your configurations with Conformity
and gain access to our cloud security platform.
You are auditing:
Check for Unrestricted MySQL Database Access
Risk Level: High