CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of the rule.
Each rule is associated with a high-level category. For example IAM, Container, Monitoring, Logging, Network, etc.
Is your environment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-CC-00365
- creditSnyk Research Team
Description
SQL database instances supporting plaintext connections are susceptible to man-in-the-middle attacks that can reveal sensitive data like credentials, queries, and datasets. It is therefore recommended to always use SSL encryption for database connections.
How to fix?
For Google provider < v5.0.0, set the require_ssl attribute on settings.ip_configuration to true. For Google provider >= v5.0.0, set ssl_mode on settings.ip_configuration to one of ENCRYPTED_ONLY or TRUSTED_CLIENT_CERTIFICATE_REQUIRED.
Example configuration:
# < v5.0.0
resource "google_sql_database_instance" "allowed" {
name = "db-instance"
database_version = "POSTGRES_11"
region = "us-central1"
settings {
tier = "db-f1-micro"
ip_configuration {
require_ssl = true
}
}
}
# >= v5.0.0
resource "google_sql_database_instance" "allowed" {
name = "db-instance"
database_version = "POSTGRES_11"
region = "us-central1"
settings {
tier = "db-f1-micro"
ip_configuration {
ssl_mode = "ENCRYPTED_ONLY"
}
}
}