Severity Framework
Snyk CCSS
Rule category
Data / Encryption in Transit
Frameworks
CIS-Controls
CIS-Google
CSA-CCM
GDPR
HIPAA
ISO-27001
NIST-800-53
PCI-DSS
SOC-2
- Snyk ID SNYK-CC-00365
- credit Snyk Research Team
Description
Cloud SQL instances that accept plaintext connections are susceptible to man-in-the-middle and passive network interception attacks that can reveal sensitive data such as credentials, queries and result sets. Always require SSL/TLS for client connections to the instance rather than leaving encryption optional on the client side.
How to fix?
For Google provider < v5.0.0, set the require_ssl attribute on settings.ip_configuration to true. For Google provider >= v5.0.0, set ssl_mode on settings.ip_configuration to ENCRYPTED_ONLY or TRUSTED_CLIENT_CERTIFICATE_REQUIRED; the default, ALLOW_UNENCRYPTED_AND_ENCRYPTED, is what this rule flags. require_ssl is deprecated in provider 5.x in favour of ssl_mode and is removed in provider 6.0, so new configurations should use ssl_mode. Note that TRUSTED_CLIENT_CERTIFICATE_REQUIRED (mutual TLS with a Cloud SQL client certificate) is only available for MySQL and PostgreSQL instances; SQL Server instances must use ENCRYPTED_ONLY.
Example Configuration
# < v5.0.0
resource "google_sql_database_instance" "allowed" {
  name             = "db-instance"
  database_version = "POSTGRES_11"
  region           = "us-central1"
  settings {
    tier = "db-f1-micro"
    ip_configuration {
      require_ssl = true
    }
  }
}

# >= v5.0.0
resource "google_sql_database_instance" "allowed" {
  name             = "db-instance"
  database_version = "POSTGRES_11"
  region           = "us-central1"
  settings {
    tier = "db-f1-micro"
    ip_configuration {
      ssl_mode = "ENCRYPTED_ONLY"
    }
  }
}