SQL database instances should enforce SSL for all incoming connections
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Description
It is recommended to enforce all incoming connections to SQL database instances to use SSL.
Rationale
SQL database connections, if successfully trapped (MITM), can reveal sensitive data like
credentials, database queries, query outputs, and so on. For security, it is recommended to always
use SSL encryption when connecting to your instance. This recommendation is applicable
to PostgreSQL, MySQL generation 1, MySQL generation 2, and SQL Server 2017 instances.
By default, Settings: ipConfiguration
has no authorizedNetworks
set or configured. In
that case, even if requireSSL
is not set by default, which is equivalent to requireSSL:false
,
there is no risk as the instance cannot be accessed outside of the network, unless
authorizedNetworks
is configured. However, if the default for requireSSL
is not updated to
true
, any authorizedNetworks
created later on will not enforce SSL-only connections.
Impact
After enforcing SSL connections, the existing client will not be able to communicate with the SQL
server, unless it is configured with appropriate client-certificates to communicate to the SQL
database instance.
Default Value
By default, the parameter settings: ipConfiguration: requireSSL
is not set, which is
equivalent to requireSSL:false
.
From the console
- Go to the Cloud SQL Instances page.
- Click on an instance name to see its configuration overview.
- In the left-side panel, select Connections.
- In the SSL connections section, click Allow only SSL connections.
- Under Configure SSL server certificates, click Create new certificate.
- Under Configure SSL client certificates, click Create a client certificate.
- Follow the instructions shown to learn how to connect to your instance.
From the command line
To enforce SSL encryption for an instance, run the command:
gcloud sql instances patch <INSTANCE_NAME> --require-ssl
Note: A restart is required for type MySQL Generation 1 Instances (backendType: FIRST_GEN
) for
this configuration to go into effect.
References
- http://cloud.google.com/sql/docs/postgres/configure-ssl-instance/