Public IP Access for Cloud SQL Instances Not Restricted
ID: gcloud-org-sql-public-ip
Severity: medium
Author: princechaddha
Tags: cloud,devops,gcp,gcloud,resourcemanager,security,sql,networking,gcp-cloud-config
Description
Section titled “Description”Ensure that “Restrict Public IP access on Cloud SQL instances” policy is enforced for your Google Cloud organizations. Due to strict security and compliance regulations, you can’t allow GCP members to configure security-critical database instances with public IPs. For highly sensitive workloads, the access to the SQL database instances can be made only through private IP addresses or Google Cloud SQL Proxy.
YAML Source
Section titled “YAML Source”id: gcloud-org-sql-public-ip
info: name: Public IP Access for Cloud SQL Instances Not Restricted author: princechaddha severity: medium description: | Ensure that "Restrict Public IP access on Cloud SQL instances" policy is enforced for your Google Cloud organizations. Due to strict security and compliance regulations, you can't allow GCP members to configure security-critical database instances with public IPs. For highly sensitive workloads, the access to the SQL database instances can be made only through private IP addresses or Google Cloud SQL Proxy. impact: | Without restricting public IP access, Cloud SQL instances can be configured with public IP addresses, potentially exposing sensitive databases to unauthorized access from the internet. remediation: | Enable the "Restrict Public IP access on Cloud SQL instances" policy at the organization level using the 'gcloud alpha resource-manager org-policies enable-enforce' command with the sql.restrictPublicIp constraint. reference: - https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/ResourceManager/restrict-public-ip-access-at-organization-level.html - https://cloud.google.com/sql/docs/mysql/configure-ip tags: cloud,devops,gcp,gcloud,resourcemanager,security,sql,networking,gcp-cloud-config
flow: | code(1) for(let orgId of iterate(template.orgIds)){ set("orgId", orgId) code(2) }
self-contained: true
code: - engine: - sh - bash source: | gcloud organizations list --format="json(name)"
extractors: - type: json name: orgIds internal: true json: - '.[].name'
- engine: - sh - bash source: | gcloud alpha resource-manager org-policies describe sql.restrictPublicIp --organization=$orgId --effective --format="json(booleanPolicy)"
matchers: - type: word words: - "{}"
extractors: - type: dsl dsl: - '"Organization " + orgId + " has not restricted public IP access for Cloud SQL instances, allowing databases to be exposed to the internet"'# digest: 4a0a00473045022100e31b9dc72c70e436527c709a13375971850e241a9e7fd28f42d639c75e0e122c02206969dd47000b1b8a3aaeb844818ebec000e013aa7ef98b5aa42bc8df94c24b72:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "cloud/gcp/resourcemanager/gcloud-org-sql-public-ip.yaml"