Cloud SQL Public Exposure

Description

Cloud SQL instances with public IPs and permissive authorized networks (for example 0.0.0.0/0) are reachable from the internet, exposing the database port to brute-force and exploit attempts. Weak authentication (static DB users and passwords), missing SSL enforcement, public or shared backups, and storage without customer-managed encryption create additional risk and give an attacker who gains access more ways to persist.

Examples

Inspect Connectivity

gcloud sql instances describe <name> --format='value(ipAddresses[].ipAddress,ipAddresses[].type,settings.ipConfiguration.requireSsl)'
gcloud sql instances describe <name> --format='value(settings.ipConfiguration.ipv4Enabled,settings.ipConfiguration.authorizedNetworks[].value)'

An address of type PRIMARY is the public IP; PRIVATE is the VPC address. Attempt a connection from outside the VPC to confirm the instance is actually reachable.

Check CMEK and backup settings

gcloud sql instances describe <name> --format='value(diskEncryptionConfiguration.kmsKeyName,settings.backupConfiguration.enabled,settings.backupConfiguration.pointInTimeRecoveryEnabled)'

Remediation

  1. Prefer private IP and restrict networks
    • Disable public IPs; use Private Service Connect/VPC peering; if public IP is required, restrict authorized networks tightly.
  2. Enforce strong auth and TLS
    • Require SSL; use IAM database authentication where available; rotate static credentials; enable Cloud SQL Proxy/Connector.
  3. Protect data at rest and in backups
    • Use CMEK where supported; enable automated backups and PITR; avoid public/shared backups; enforce retention.
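The two inspection steps above and the remediation list can be combined into one offline check. The script below is an added example, not code from the original page or from Google: it assumes the JSON shape returned by `gcloud sql instances describe <name> --format=json`, evaluates it against the conditions named in this page (public IP, open authorized networks, SSL not required, IAM database authentication off, no CMEK, backups or PITR disabled), and maps each finding to the `gcloud sql instances patch` flags that address it. The sample document is constructed; its instance name, addresses and key path are invented.

```python
"""Offline assessment of a Cloud SQL instance description for public exposure.

Added example, not code from the original page. It assumes the JSON shape
produced by `gcloud sql instances describe <name> --format=json`. The sample
document below is constructed; its IPs, names and settings are invented.
"""
import ipaddress
import json

# Constructed sample (not a real instance): public IP, an any-address
# authorized network, SSL not required, no CMEK, backups disabled.
SAMPLE_DESCRIBE = json.dumps({
    "name": "example-instance",
    "ipAddresses": [{"ipAddress": "203.0.113.10", "type": "PRIMARY"}],
    "diskEncryptionConfiguration": {},
    "settings": {
        "ipConfiguration": {
            "ipv4Enabled": True,
            "requireSsl": False,
            "authorizedNetworks": [
                {"name": "office", "value": "198.51.100.0/24"},
                {"name": "anywhere", "value": "0.0.0.0/0"},
            ],
        },
        "backupConfiguration": {"enabled": False},
        "databaseFlags": [],
    },
})

# sslMode values that refuse plaintext connections (newer field than requireSsl).
STRICT_SSL_MODES = {"ENCRYPTED_ONLY", "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"}


def network_is_open(cidr):
    """An authorized network counts as open when it admits the whole internet
    or a range too broad to be a specific client (prefix length 8 or shorter)."""
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return True  # unparsable entry: surface it as a finding rather than skip it
    return net.prefixlen <= 8


def assess_instance(describe_json):
    """Return a list of (finding_code, detail) tuples for one describe document."""
    inst = json.loads(describe_json)
    settings = inst.get("settings", {})
    ipcfg = settings.get("ipConfiguration", {})
    backup = settings.get("backupConfiguration", {})
    flags = {f.get("name"): f.get("value") for f in settings.get("databaseFlags", [])}
    findings = []

    # Public reachability: a PRIMARY address is the public IP, PRIVATE the VPC one.
    public_ips = [a.get("ipAddress") for a in inst.get("ipAddresses", []) if a.get("type") == "PRIMARY"]
    if ipcfg.get("ipv4Enabled") or public_ips:
        findings.append(("PUBLIC_IP", ",".join(public_ips) or "ipv4Enabled=true"))
    open_nets = [n.get("value") for n in ipcfg.get("authorizedNetworks", []) if network_is_open(n.get("value", ""))]
    if open_nets:
        findings.append(("OPEN_AUTHORIZED_NETWORK", ",".join(open_nets)))

    # Transport and authentication: legacy requireSsl or a strict sslMode; IAM DB auth flag.
    if not (ipcfg.get("requireSsl") or ipcfg.get("sslMode") in STRICT_SSL_MODES):
        findings.append(("SSL_NOT_REQUIRED", ipcfg.get("sslMode", "requireSsl=false")))
    if flags.get("cloudsql.iam_authentication") != "on":
        findings.append(("IAM_DB_AUTH_OFF", "cloudsql.iam_authentication is not on"))

    # Data at rest and backups.
    if not inst.get("diskEncryptionConfiguration", {}).get("kmsKeyName"):
        findings.append(("NO_CMEK", "diskEncryptionConfiguration.kmsKeyName missing"))
    if not backup.get("enabled"):
        findings.append(("BACKUPS_DISABLED", "settings.backupConfiguration.enabled=false"))
    elif not backup.get("pointInTimeRecoveryEnabled"):
        findings.append(("PITR_DISABLED", "pointInTimeRecoveryEnabled=false"))
    return findings


def remediation_commands(name, findings):
    """Map finding codes to gcloud patch invocations. Flag names are real gcloud
    flags; the backup window and retention count are example values."""
    commands = {
        "PUBLIC_IP": f"gcloud sql instances patch {name} --no-assign-ip",
        "OPEN_AUTHORIZED_NETWORK": f"gcloud sql instances patch {name} --clear-authorized-networks",
        "SSL_NOT_REQUIRED": f"gcloud sql instances patch {name} --require-ssl",
        # --database-flags replaces the whole flag set; merge existing flags into it first.
        "IAM_DB_AUTH_OFF": f"gcloud sql instances patch {name} --database-flags=cloudsql.iam_authentication=on",
        "BACKUPS_DISABLED": f"gcloud sql instances patch {name} --backup-start-time=02:00 --enable-point-in-time-recovery --retained-backups-count=7",
        "PITR_DISABLED": f"gcloud sql instances patch {name} --enable-point-in-time-recovery",
        # CMEK is chosen at creation only: create a new instance with --disk-encryption-key and restore a backup into it.
        "NO_CMEK": f"# recreate {name} with --disk-encryption-key and restore from backup (CMEK cannot be patched on)",
    }
    return [commands[code] for code, _ in findings if code in commands]


if __name__ == "__main__":
    results = assess_instance(SAMPLE_DESCRIBE)
    for code, detail in results:
        print(f"{code}: {detail}")
    for cmd in remediation_commands("example-instance", results):
        print(cmd)
```

Feed it real output with `gcloud sql instances describe <name> --format=json > inst.json` and pass the file contents to `assess_instance`. Before applying `--no-assign-ip`, make sure the instance already has a private IP (a VPC set with `--network`), or it will be left with no address at all; on MySQL, point-in-time recovery also needs binary logging enabled.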