SQL DB Instance Publicly Accessible
- Query id: 7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b
- Query name: SQL DB Instance Publicly Accessible
- Platform: Ansible
- Severity: Critical
- Category: Insecure Configurations
- CWE: 732
- URL: Github
Description¶
Cloud SQL instances should not be publicly accessible.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
- name: sql_instance
google.cloud.gcp_sql_instance:
auth_kind: serviceaccount
name: "{{ resource_name }}-2"
project: test_project
region: us-central1
service_account_file: /tmp/auth.pem
settings:
ip_configuration:
authorized_networks:
- name: "google dns server"
value: "0.0.0.0"
tier: db-n1-standard-1
state: present
- name: sql_instance2
google.cloud.gcp_sql_instance:
auth_kind: serviceaccount
name: "{{ resource_name }}-2"
project: test_project
region: us-central1
service_account_file: /tmp/auth.pem
settings:
ip_configuration:
ipv4_enabled: yes
tier: db-n1-standard-1
state: present
- name: sql_instance3
google.cloud.gcp_sql_instance:
auth_kind: serviceaccount
name: "{{ resource_name }}-2"
project: test_project
region: us-central1
service_account_file: /tmp/auth.pem
settings:
tier: db-n1-standard-1
state: present
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
- name: sql_instance
google.cloud.gcp_sql_instance:
auth_kind: serviceaccount
name: '{{ resource_name }}-2'
project: test_project
region: us-central1
service_account_file: /tmp/auth.pem
settings:
ip_configuration:
authorized_networks:
- name: google dns server
value: 8.8.8.8/32
tier: db-n1-standard-1
state: present