SQL Database instances should only allow ingress traffic from specific IP addresses

Docs > Datadog Security > OOTB Rules > SQL Database instances should only allow ingress traffic from specific IP addresses

Description:

A database server should accept connections only from trusted networks and IPs and restrict access from public IP addresses.

Rationale:

To minimize attack surface on a database server instance, only trusted, known, and required IPs should be allowed to connect to it. An authorized network should not have IPs or networks configured to 0.0.0.0/0 which allows access to the instance from anywhere in the world. Authorized networks apply only to instances with public IPs.

Impact:

The Cloud SQL database instance would not be available to public IP addresses.

Remediation:

From the console

Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.
Click the instance name to open its Instance details page.
Under the Configuration section click Edit configurations.
Under Configuration options expand the Connectivity section.
Click the delete icon for the authorized network 0.0.0.0/0.
Click Save to update the instance.

From the command line

Update the authorized network list by removing addresses:

gcloud sql instances patch <INSTANCE_NAME> --authorized-networks=IP_ADDR1,IP_ADDR2...

Prevention:

To prevent new SQL instances from being configured to accept incoming connections from any IP addresses, set up a Restrict Authorized Networks on Cloud SQL instances Organization Policy at: https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks.

Default value:

By default, authorized networks are not configured. Remote connection to Cloud SQL database instance is not possible unless authorized networks are configured.

References:

Additional information:

There is no IPv6 configuration found for Google cloud SQL server services.