GCP SQL
Overview
Critical
2High
3Medium
30Low
3Informational
0Security issues (38)
| Severity | Non-Compliance | Resource | Issue | Remediation | Read more | Action |
|---|---|---|---|---|---|---|
| Medium | CIS 6.1.1 | my-sql-instance | SQL database instance can be accessed by the root user from any host. | To ensure secure access, limit root access to SQL instances to allowed IPs only. | More info | |
| Medium | — | my-sql-instance | SQL database instance is publicly accessible from all IP addresses. | To fulfill HIPAA and PCI DSS requirements on strict access and integrity controls, ensure that all SQL instances are configured to accept connections from trusted networks and IP addresses only. | More info | |
| Medium | HIPAA (Backup) | my-sql-instance | SQL database instance has no backup run, and so it can not be restored to a recent point. | To fulfill HIPAA requirements on restoring compromised services, ensure that all SQL instances are configured to have automated (scheduled) backups and can be restored to a recent point. | More info | |
| Medium | CIS 6.7 | my-sql-instance | SQL database instance does not have an automated backup enabled. | Ensure that automated backups are enabled for all SQL database instances. | More info | |
| Medium | — | my-sql-instance | SQL database instance does not have multi-AZ enabled. | Ensure that all SQL instances are created with a secondary AZ to ensure proper failover. | More info | |
| Medium | CIS 6.4 PCI DSS 4.2 HIPAA (Encryption) | my-sql-instance | SQL database instance has SSL/TLS disabled. | To fulfill HIPAA and PCI DSS requirements on strong cryptographic and security protocols for transmitting user data, enforce all incoming connections to your SQL database instances to use SSL/TLS only. | More info | |
| Medium | CIS 6.1.3 | my-sql-instance | MySQL database instance has "local_infile" flag enabled. | To follow best practices on data security, ensure all your MySQL database instances have the "local_infile" flag disabled. | More info | |
| Medium | — | my-sql-instance | MySQL database instance has "slow_query_log" flag disabled. | To simplify the task of finding inefficient or time-consuming SQL queries, ensure all your MySQL database instances have the "slow_query_log" flag enabled. | More info | |
| Medium | CIS 6.6 | my-sql-instance | SQL database instance has public IPs. | To reduce the application's attack surface, ensure your SQL database instances are configured to use private IP addresses instead of public IPs. | More info | |
| Low | — | my-sql-instance | SQL database instance has automatic storage increase limit set zero (no limit for storage growth). | To prevent your SQL instance disk size from growing too large and increase service costs, ensure your SQL database instances are configured with an optimal automatic storage increase limit. | More info | |
| High | PCI DSS 3.5 HIPAA (Encryption) | my-sql-instance | SQL database instance is not encrypted using Customer-Managed Keys (CMK). | To fulfill HIPAA and PCI DSS compliance requirements for encryption of data at rest, make sure your SQL database instances are encrypted using CMK. | More info | |
| Medium | — | my-sql-instance3 | SQL database instance is publicly accessible from all IP addresses. | To fulfill HIPAA and PCI DSS requirements on strict access and integrity controls, ensure that all SQL instances are configured to accept connections from trusted networks and IP addresses only. | More info | |
| Medium | HIPAA (Backup) | my-sql-instance3 | SQL database instance has no backup run, and so it can not be restored to a recent point. | To fulfill HIPAA requirements on restoring compromised services, ensure that all SQL instances are configured to have automated (scheduled) backups and can be restored to a recent point. | More info | |
| Medium | CIS 6.7 | my-sql-instance3 | SQL database instance does not have an automated backup enabled. | Ensure that automated backups are enabled for all SQL database instances. | More info | |
| Medium | — | my-sql-instance3 | SQL database instance does not have multi-AZ enabled. | Ensure that all SQL instances are created with a secondary AZ to ensure proper failover. | More info | |
| Medium | CIS 6.4 PCI DSS 4.2 HIPAA (Encryption) | my-sql-instance3 | SQL database instance has SSL/TLS disabled. | To fulfill HIPAA and PCI DSS requirements on strong cryptographic and security protocols for transmitting user data, enforce all incoming connections to your SQL database instances to use SSL/TLS only. | More info | |
| Medium | — | my-sql-instance3 | PostgreSQL database instance has "log_checkpoints" flag disabled. | To allow checkpoints and restart points to be logged, ensure all your PostgreSQL database instances have the "log_checkpoints" flag enabled. | More info | |
| Medium | CIS 6.2.2 | my-sql-instance3 | PostgreSQL database instance has "log_connections" flag disabled. | To ensure each attempted connection to the database instance to be logged, ensure all your PostgreSQL database instances have the "log_connections" flag enabled. | More info | |
| Medium | CIS 6.2.3 | my-sql-instance3 | PostgreSQL database instance has "log_disconnections" flag disabled. | To ensure the database logs the end of each session, ensure all your PostgreSQL database instances have the "log_disconnections" flag enabled. | More info | |
| Medium | — | my-sql-instance3 | PostgreSQL database instance has "log_lock_waits" flag disabled. | To diagnose poor performance due to locking delays and identify underlying security and performance issues, ensure all your PostgreSQL database instances have the "log_lock_waits" flag enabled. | More info | |
| Medium | CIS 6.2.8 | my-sql-instance3 | PostgreSQL database instance has "log_min_duration_statement" flag enabled. | To avoid logging statements with sensitive information, ensure all your PostgreSQL database instances have the "log_min_duration_statement" flag set to -1 (i.e. disabled). | More info | |
| Medium | CIS 6.2.7 | my-sql-instance3 | PostgreSQL database instance does not have "log_min_error_statement" flag set to Error. | As the best practice setting, ensure all your PostgreSQL database instances have the "log_min_error_statement" flag (the minimum message severity level considered an error statement) to be set to Error (or stricter). | More info | |
| Medium | — | my-sql-instance3 | PostgreSQL database instance has "log_temp_files" flag disabled. | To diagnose potential performance issues that can be created by poor programming practices, ensure all your PostgreSQL database instances have the "log_temp_files" flag set to 0 (enabled). | More info | |
| Critical | — | my-sql-instance3 | SQL database instance SSL certificate has expired 34 days ago. | Ensure that all incoming connections to your SQL database instances remain secure by rotating all the server certificates before they expire. | More info | |
| Medium | CIS 6.6 | my-sql-instance3 | SQL database instance has public IPs. | To reduce the application's attack surface, ensure your SQL database instances are configured to use private IP addresses instead of public IPs. | More info | |
| Low | — | my-sql-instance3 | SQL database instance has automatic storage increase limit set zero (no limit for storage growth). | To prevent your SQL instance disk size from growing too large and increase service costs, ensure your SQL database instances are configured with an optimal automatic storage increase limit. | More info | |
| High | PCI DSS 3.5 HIPAA (Encryption) | my-sql-instance3 | SQL database instance is not encrypted using Customer-Managed Keys (CMK). | To fulfill HIPAA and PCI DSS compliance requirements for encryption of data at rest, make sure your SQL database instances are encrypted using CMK. | More info | |
| Medium | — | my-sql-instance4 | SQL database instance is publicly accessible from all IP addresses. | To fulfill HIPAA and PCI DSS requirements on strict access and integrity controls, ensure that all SQL instances are configured to accept connections from trusted networks and IP addresses only. | More info | |
| Medium | HIPAA (Backup) | my-sql-instance4 | SQL database instance has no backup run, and so it can not be restored to a recent point. | To fulfill HIPAA requirements on restoring compromised services, ensure that all SQL instances are configured to have automated (scheduled) backups and can be restored to a recent point. | More info | |
| Medium | CIS 6.7 | my-sql-instance4 | SQL database instance does not have an automated backup enabled. | Ensure that automated backups are enabled for all SQL database instances. | More info | |
| Medium | — | my-sql-instance4 | SQL database instance does not have multi-AZ enabled. | Ensure that all SQL instances are created with a secondary AZ to ensure proper failover. | More info | |
| Medium | CIS 6.4 PCI DSS 4.2 HIPAA (Encryption) | my-sql-instance4 | SQL database instance has SSL/TLS disabled. | To fulfill HIPAA and PCI DSS requirements on strong cryptographic and security protocols for transmitting user data, enforce all incoming connections to your SQL database instances to use SSL/TLS only. | More info | |
| Medium | CIS 6.3.7 | my-sql-instance4 | SQL server database instance has "contained database authentication" flag enabled. | To prevent any databases on the server from being contained, ensure the "contained database authentication" SQL Server engine flag is set to Off. | More info | |
| Medium | CIS 6.3.2 | my-sql-instance4 | SQL server database instance has "cross db ownership chaining" flag enabled. | Unless all of the databases hosted by the SQL Server need to participate in cross-database ownership chaining, ensure the "cross db ownership chaining" SQL Server engine flag is disabled. | More info | |
| Critical | — | my-sql-instance4 | SQL database instance SSL certificate has expired 34 days ago. | Ensure that all incoming connections to your SQL database instances remain secure by rotating all the server certificates before they expire. | More info | |
| Medium | CIS 6.6 | my-sql-instance4 | SQL database instance has public IPs. | To reduce the application's attack surface, ensure your SQL database instances are configured to use private IP addresses instead of public IPs. | More info | |
| Low | — | my-sql-instance4 | SQL database instance has automatic storage increase limit set zero (no limit for storage growth). | To prevent your SQL instance disk size from growing too large and increase service costs, ensure your SQL database instances are configured with an optimal automatic storage increase limit. | More info | |
| High | PCI DSS 3.5 HIPAA (Encryption) | my-sql-instance4 | SQL database instance is not encrypted using Customer-Managed Keys (CMK). | To fulfill HIPAA and PCI DSS compliance requirements for encryption of data at rest, make sure your SQL database instances are encrypted using CMK. | More info |
Instances (4)
| Instance | Location | Status | Type | IP address | Connection name | Security issues |
|---|---|---|---|---|---|---|
| my-sql-instance | us-central1-f | Runnable | MySQL 5.7 | — | sylvan-surf-339107:us-central1:my-sql-instance | 1 High + 10 others (details) |
| my-sql-instance2 | us-central1-f | Runnable | MySQL 5.7 | — | sylvan-surf-339107:us-central1:my-sql-instance | — |
| my-sql-instance3 | us-central1-f | Runnable | PostgreSQL 13 | — | sylvan-surf-339107:us-central1:my-sql-instance | 1 Critical + 15 others (details) |
| my-sql-instance4 | us-central1-f | Runnable | SQL Server 13 | — | sylvan-surf-339107:us-central1:my-sql-instance | 1 Critical + 10 others (details) |
Users (1)
| User | Instance | Host | Security issues |
|---|---|---|---|
| root | my-sql-instance | % | — |
Backup Runs (4)
| Instance | Location | Description | Status | Type | Backup type | Created | Security issues |
|---|---|---|---|---|---|---|---|
| 1644865200000 | us | — | Successful | Automated | Snapshot | — | |
| 1644778800000 | us | — | Successful | Automated | Snapshot | — | |
| 1644692400000 | us | — | Successful | Automated | Snapshot | — | |
| 1644615790710 | us-central1 | Taking a backup after instance creation | Successful | On demand | Snapshot | — |