Restrict Public IP Access for Cloud SQL Instances at Organization Level

​

More Info:

Ensure that “Restrict Public IP access on Cloud SQL instances” policy is enforced for your Google Cloud organizations. Due to strict security and compliance regulations, you can’t allow GCP members to configure security-critical database instances with public IPs.

​

Risk Level

Medium

​

Address

Security, Operational Maturity

​

Compliance Standards

CISGCP, CBP

​

Remediation

​

Using Console

To remediate the misconfiguration of Restricting Public IP Access for Cloud SQL Instances at Organization Level in GCP, follow these steps:

1. Open the GCP console and select the organization that you want to remediate the misconfiguration for.

2. Go to the Cloud SQL Instances page by clicking on the hamburger menu on the top left corner of the console and selecting SQL under the Storage section.

3. Click on the instance that you want to remediate the misconfiguration for.

4. Click on the Edit button at the top of the instance details page.

5. Scroll down to the Connectivity section and click on the Private IP button.

6. Under the Private IP section, select the checkbox for “Enable Private IP” to allow the instance to be accessed only through private IP addresses.

7. Click on the Save button at the bottom of the page to apply the changes.

8. Repeat steps 3-7 for all the Cloud SQL instances in the organization to ensure that they are only accessible through private IP addresses.

By following these steps, you have successfully remediated the misconfiguration of Restricting Public IP Access for Cloud SQL Instances at Organization Level in GCP.

​

Using CLI

To remediate the misconfiguration of allowing public IP access for Cloud SQL instances at the organization level in GCP using GCP CLI, you can follow these steps:

1. Open the Cloud Shell in the GCP console.

2. Run the following command to check if any Cloud SQL instances have public IP addresses:

   gcloud sql instances list
   

3. If any instances have public IP addresses, note down their names.

4. Run the following command to update the instances to not allow public IP access:

   gcloud sql instances patch INSTANCE_NAME --no-assign-ip
   

   Replace INSTANCE_NAME with the name of the instance that you want to update.

5. Repeat step 4 for all instances that have public IP addresses.

6. Verify that the instances no longer have public IP addresses by running the following command:

   gcloud sql instances describe INSTANCE_NAME | grep ipAddress
   

   Replace INSTANCE_NAME with the name of the instance that you want to verify.

   If the output shows ipAddress: <unset>, then the instance no longer has a public IP address.

7. Repeat step 6 for all instances that you updated.

By following these steps, you can remediate the misconfiguration of allowing public IP access for Cloud SQL instances at the organization level in GCP using GCP CLI.

​

Using Python

To remediate the misconfiguration of Restricting Public IP Access for Cloud SQL Instances at the organization level in GCP using Python, you can follow the below steps:

1. First, you need to identify all the Cloud SQL instances that have public IP access enabled in your organization. You can use the Google Cloud SDK to list all the instances with public IP access enabled using the following command:

   gcloud sql instances list --filter "settings.ipConfiguration.authorizedNetworks.cidrBlock='0.0.0.0/0'"
   

2. Once you have identified the instances that have public IP access enabled, you need to update their network configuration to restrict public IP access. You can use the Google Cloud Python SDK to update the network configuration of the instances using the following code:

   from google.cloud import sql_v1beta4
   from google.protobuf.field_mask_pb2 import FieldMask
   
   client = sql_v1beta4.CloudSqlInstancesServiceClient()
   
   instance_name = "projects/{project_id}/instances/{instance_id}".format(
       project_id="your-project-id", instance_id="your-instance-id"
   )
   
   instance = client.get_instance(name=instance_name)
   
   # Update the authorized networks to restrict public IP access
   instance.settings.ip_configuration.authorized_networks = []
   
   # Update the instance with the new network configuration
   update_mask = FieldMask(paths=["settings.ip_configuration.authorized_networks"])
   updated_instance = client.update_instance(instance=instance, update_mask=update_mask)
   

3. You can run the above code for all the instances that have public IP access enabled to update their network configuration and restrict public IP access.

By following the above steps, you can remediate the misconfiguration of Restricting Public IP Access for Cloud SQL Instances at the organization level in GCP using Python.