Aqua CSPM

DB Publicly Accessible

Quick Info

Plugin Title: DB Publicly Accessible
Cloud: GOOGLE
Category: SQL
Description: Ensures that SQL instances do not allow public access
More Info: Unless there is a specific business requirement, SQL instances should not have a public endpoint and should only be accessed from within a VPC.
GOOGLE Link: https://cloud.google.com/sql/docs/mysql/authorize-networks
Recommended Action: Ensure that SQL instances are configured to prohibit traffic from the 0.0.0.0/0 CIDR block (all IPv4 addresses) in their authorized networks.

Detailed Remediation Steps

  1. Log in to the Google Cloud Platform Console.
  2. Scroll down the left navigation panel and choose the "SQL" option under "Storage."
  3. On the "SQL" page, click on the "Instance ID" link to select the "SQL" instance.
  4. On the instance page, click on "Connections" in the left panel.
  5. Under "Authorized networks", check whether any entry is 0.0.0.0/0. An entry of 0.0.0.0/0 authorizes every IPv4 address on the internet to reach the instance's public IP, leaving the database credentials as the only control.
  6. Repeat steps 2 - 5 to check the other SQL instances in the account.
  7. Navigate to the "SQL" option under "Storage" and choose the "SQL Instance" that allows 0.0.0.0/0.
  8. Click on "Connections" in the left panel and, under "Authorized networks", delete the 0.0.0.0/0 entry, or edit it to the specific CIDR range that actually needs access.
  9. If nothing outside the VPC needs to reach the instance, disable "Public IP" and enable "Private IP" so the instance is reachable only from within the VPC.
  10. Click on "Save" to apply the changes.
  11. Repeat steps 7 - 10 for every SQL instance that allows public access.
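The audit the steps above perform by hand can be run over instance descriptions as they come back from the Cloud SQL Admin API (the same JSON `gcloud sql instances describe NAME --format=json` prints). The following is an added example and not the Aqua CSPM plugin's own code; the field names `settings.ipConfiguration.ipv4Enabled` and `settings.ipConfiguration.authorizedNetworks[].value` are assumed from that API, and the two instance descriptions are constructed for the demonstration. It goes slightly beyond the page's criterion by treating any /0 prefix (not only the literal `0.0.0.0/0`) and any unparsable entry as a finding, and it produces the cleaned-up authorized-network list that a remediation would write back.

```python
"""Audit Cloud SQL instance descriptions for public access.

Added example, not Aqua CSPM plugin code. Input shape (assumed from the Cloud
SQL Admin API / `gcloud sql instances describe NAME --format=json`):
  settings.ipConfiguration.ipv4Enabled        -> instance has a public IP
  settings.ipConfiguration.authorizedNetworks -> [{"name": ..., "value": CIDR}]
"""
import ipaddress


def public_networks(instance: dict) -> list[str]:
    """Return the authorized-network entries that open the instance to everyone.

    An entry counts as public when it is a /0 prefix (0.0.0.0/0, ::/0, ...).
    An entry that is not a valid CIDR is also returned so the auditor looks at
    it instead of the check silently passing on garbage.
    """
    ip_cfg = instance.get("settings", {}).get("ipConfiguration", {})
    if not ip_cfg.get("ipv4Enabled", False):
        return []  # no public IP address: authorized networks are irrelevant
    found = []
    for net in ip_cfg.get("authorizedNetworks", []):
        value = net.get("value", "")
        try:
            cidr = ipaddress.ip_network(value, strict=False)
        except ValueError:
            found.append(value)
            continue
        if cidr.prefixlen == 0:
            found.append(value)
    return found


def audit(instances: list[dict]) -> dict[str, str]:
    """Map each instance name to 'PASS' or 'FAIL: <offending entries>'."""
    results = {}
    for inst in instances:
        name = inst.get("name", "<unnamed>")
        bad = public_networks(inst)
        results[name] = "FAIL: " + ", ".join(bad) if bad else "PASS"
    return results


def remediated_networks(instance: dict) -> list[dict]:
    """Authorized networks with the public entries removed.

    This is the list a remediation would write back (e.g. with
    `gcloud sql instances patch`); legitimate specific ranges are kept.
    """
    bad = set(public_networks(instance))
    ip_cfg = instance.get("settings", {}).get("ipConfiguration", {})
    return [n for n in ip_cfg.get("authorizedNetworks", [])
            if n.get("value") not in bad]


# Constructed sample descriptions (not real instances or projects).
SAMPLE_INSTANCES = [
    {
        "name": "orders-prod",
        "settings": {"ipConfiguration": {
            "ipv4Enabled": True,
            "authorizedNetworks": [
                {"name": "office", "value": "203.0.113.0/24"},
                {"name": "everyone", "value": "0.0.0.0/0"},
            ],
        }},
    },
    {
        "name": "orders-private",
        "settings": {"ipConfiguration": {
            "ipv4Enabled": False,
            "privateNetwork": "projects/example/global/networks/default",
            "authorizedNetworks": [],
        }},
    },
]

if __name__ == "__main__":
    for name, status in audit(SAMPLE_INSTANCES).items():
        print(f"{name}: {status}")
    print("orders-prod after remediation:",
          [n["value"] for n in remediated_networks(SAMPLE_INSTANCES[0])])
```

Note that a bare `0.0.0.0` entry is a /32 and is not flagged; only the all-zeros prefix with a zero-length mask admits the internet. An instance with `ipv4Enabled` false passes regardless of its authorized-network list, which matches the "private IP only" end state of step 9.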