PostgreSQL log connections disabled
Id: d7a5616f-0a3f-4d43-bc2b-29d1a183e317
Cloud Provider: GCP
Platform: Ansible
Severity: Medium
Category: Observability
Description
PostgreSQL Cloud SQL instances must have the log_connections flag set to on so connection events are recorded for auditing and to help detect suspicious or unauthorized access. For Ansible resources using google.cloud.gcp_sql_instance or gcp_sql_instance, the settings.databaseFlags property must include an entry with name: log_connections and value: on. Resources missing settings or settings.databaseFlags, or where log_connections is absent or set to off, are flagged.
Secure Ansible example:

```yaml
- name: Create PostgreSQL Cloud SQL instance with connection logging enabled
  google.cloud.gcp_sql_instance:
    name: my-postgres-instance
    database_version: POSTGRES_13
    settings:
      tier: db-custom-1-3840
      databaseFlags:
        - name: log_connections
          value: "on"
```
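The check described above, written out as a small static analyser over loaded Ansible tasks. This is an added example and not Datadog's scanner code; the task dictionaries are constructed here in the shape `yaml.safe_load` would produce for the playbooks on this page, the helper names (`check_task`, `check_playbook`, `normalize_flag_value`) are this example's own, and it assumes non-PostgreSQL `database_version` values are out of scope for this rule. It also handles one caveat the rule text does not mention: YAML 1.1 parsers such as PyYAML load an unquoted `on`/`off` as a boolean, so a flag value can arrive as `True`/`False` rather than a string.

```python
"""Static check: Cloud SQL PostgreSQL instances must set log_connections=on.

Added example mirroring the rule's logic; not Datadog's own implementation.
"""
from typing import Any, Dict, List, Optional

# Both module spellings the rule accepts (FQCN and short name).
SQL_INSTANCE_MODULES = ("google.cloud.gcp_sql_instance", "gcp_sql_instance")
FLAG_NAME = "log_connections"


def normalize_flag_value(value: Any) -> str:
    """Map a databaseFlags value to a lower-case string.

    YAML 1.1 loaders (PyYAML, used by Ansible) turn an unquoted `on`/`off`
    into True/False, so a task that looks compliant in the file may reach
    the checker as a bool. Treat those like the quoted strings.
    """
    if isinstance(value, bool):
        return "on" if value else "off"
    return str(value).strip().lower()


def instance_params(task: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return the module parameters if the task manages a Cloud SQL instance."""
    for module in SQL_INSTANCE_MODULES:
        if module in task:
            params = task[module]
            return params if isinstance(params, dict) else {}
    return None


def check_task(task: Dict[str, Any]) -> Optional[str]:
    """Return a finding for a non-compliant task, or None if compliant/irrelevant."""
    params = instance_params(task)
    if params is None:
        return None
    name = task.get("name", "<unnamed task>")
    # Assumption: the rule targets PostgreSQL only, so other engines are skipped.
    version = str(params.get("database_version", ""))
    if version and not version.upper().startswith("POSTGRES"):
        return None
    settings = params.get("settings")
    if not isinstance(settings, dict):
        return f"{name}: 'settings' is missing"
    flags = settings.get("databaseFlags")
    if not isinstance(flags, list):
        return f"{name}: 'settings.databaseFlags' is missing"
    for flag in flags:
        if isinstance(flag, dict) and flag.get("name") == FLAG_NAME:
            if normalize_flag_value(flag.get("value")) == "on":
                return None
            return f"{name}: {FLAG_NAME} is set to {flag.get('value')!r}, expected 'on'"
    return f"{name}: {FLAG_NAME} flag is absent"


def check_playbook(tasks: List[Dict[str, Any]]) -> List[str]:
    """Run check_task over every task and collect the findings."""
    return [f for f in (check_task(t) for t in tasks) if f]


# Constructed sample tasks (the loaded form of playbooks like those on this page).
SAMPLE_TASKS: List[Dict[str, Any]] = [
    {"name": "create a compliant instance",          # flag is the string "on"
     "google.cloud.gcp_sql_instance": {
         "name": "pg-ok", "database_version": "POSTGRES_13",
         "settings": {"tier": "db-custom-1-3840",
                      "databaseFlags": [{"name": FLAG_NAME, "value": "on"}]}}},
    {"name": "create an instance with unquoted on",  # loaded as boolean True
     "gcp_sql_instance": {
         "name": "pg-bool", "database_version": "POSTGRES_9_6",
         "settings": {"databaseFlags": [{"name": FLAG_NAME, "value": True}]}}},
    {"name": "create instance",                      # explicitly off: flagged
     "google.cloud.gcp_sql_instance": {
         "name": "pg-off", "database_version": "POSTGRES_9_6",
         "settings": {"databaseFlags": [{"name": FLAG_NAME, "value": "off"}]}}},
    {"name": "create another instance",              # no databaseFlags: flagged
     "google.cloud.gcp_sql_instance": {
         "name": "pg-noflags", "database_version": "POSTGRES_9_6",
         "settings": {"tier": "db-n1-standard-1"}}},
    {"name": "create bare instance",                 # no settings at all: flagged
     "gcp_sql_instance": {"name": "pg-bare", "database_version": "POSTGRES_9_6"}},
    {"name": "ping", "ansible.builtin.ping": {}},    # unrelated task: ignored
]

if __name__ == "__main__":
    for finding in check_playbook(SAMPLE_TASKS):
        print(finding)
```

Run as a script it prints the three findings for the `off`, missing-`databaseFlags` and missing-`settings` tasks; the boolean `True` case passes because of the normalisation step, which is the part worth keeping in mind when a scanner reports a task as non-compliant that the author believes is set to `on`.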
Compliant Code Examples

```yaml
- name: create an instance
  google.cloud.gcp_sql_instance:
    name: GCP instance
    settings:
      databaseFlags:
        - name: log_connections
          value: "on"  # quoted: YAML 1.1 loaders read an unquoted `on` as boolean true
      tier: db-n1-standard-1
    region: us-central1
    project: test_project
    database_version: POSTGRES_9_6
    auth_kind: serviceaccount
    service_account_file: /tmp/auth.pem
    state: present
```
Non-Compliant Code Examples

```yaml
- name: create instance
  google.cloud.gcp_sql_instance:
    name: GCP instance
    settings:
      databaseFlags:
        - name: log_connections
          value: "off"  # connection logging explicitly disabled: flagged
      tier: db-n1-standard-1
    region: us-central1
    project: test_project
    database_version: POSTGRES_9_6
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present

- name: create another instance
  google.cloud.gcp_sql_instance:
    name: GCP instance 2
    settings:
      tier: db-n1-standard-1  # no databaseFlags entry at all: flagged
    region: us-central1
    project: test_project
    database_version: POSTGRES_9_6
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
```