SSL is not enabled on CloudSQL instance Affecting Cloud SQL service in Google

Severity Framework Snyk CCSS

Rule category Data / Encryption in Transit

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

CIS-Controls CIS-Google CSA-CCM GDPR HIPAA ISO-27001 NIST-800-53 PCI-DSS SOC-2

Snyk ID SNYK-CC-00365
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

SQL database instances supporting plaintext connections are susceptible to man-in-the-middle attacks that can reveal sensitive data like credentials, queries, and datasets. It is therefore recommended to always use SSL encryption for database connections.

How to fix?

For Google provider < v5.0.0, set the require_ssl attribute on settings.ip_configuration to true. For Google provider >= v5.0.0, set ssl_mode on settings.ip_configuration to ENCRYPTED_ONLY.

Example Configuration

# < v5.0.0
resource "google_sql_database_instance" "allowed" {
  name             = "db-instance"
  database_version = "POSTGRES_11"
  region           = "us-central1"

  settings {
    tier = "db-f1-micro"
    ip_configuration {
      require_ssl = true
    }
  }
}


# >= v5.0.0
resource "google_sql_database_instance" "allowed" {
  name             = "db-instance"
  database_version = "POSTGRES_11"
  region           = "us-central1"

  settings {
    tier = "db-f1-micro"
    ip_configuration {
      ssl_mode = "ENCRYPTED_ONLY"
    }
  }
}

Terraform

Resource: google_sql_database_instance