Contained database authentication is enabled Affecting Cloud SQL service in Google

Severity Framework Snyk CCSS

Rule category Data / Access

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

CIS-Google CSA-CCM HIPAA ISO-27001 SOC-2

Snyk ID SNYK-CC-00358
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

Users can connect to a contained database without authenticating at the Database Engine level. Contained databases have some unique security threats mostly related with the USER WITH PASSWORD authentication process, which moves the authentication boundary from the Database Engine level to the database level.

How to fix?

Set settings.database_flags.name attribute to "contained database authentication", and settings.database_flags.value attribute to "off".

Example Configuration

resource "google_sql_database_instance" "allowed" {
  name             = "master-instance"
  database_version = "SQLSERVER_2017_STANDARD"
  region           = "us-central1"

  settings {
    tier = "db-f1-micro"
    database_flags {
      name  = "contained database authentication"
      value = "off"
    }
  }
}

Terraform

Resource: google_sql_database_instance