Update big_data.tf #619
Update big_data.tf #619
Conversation
![bridgecrew[bot]](https://avatars.githubusercontent.com/in/52968?s=60&v=4){kind=small}
terraform/gcp/big_data.tf
Outdated
| @@ -18,6 +18,26 @@ resource google_sql_database_instance "master_instance" { | |||
| } | |||
| } | |||
|
|
|||
| resource google_sql_database_instance "master_instance2" { | |||
There was a problem hiding this comment.
Ensure Cloud SQL database instances are not publicly accessible
Resource: google_sql_database_instance.master_instance2 | ID: BC_GCP_NETWORKING_4
How to Fix
resource "google_compute_network" "private_network" {
provider = google-beta
name = "private-network"
}
resource "google_compute_global_address" "private_ip_address" {
provider = google-beta
name = "private-ip-address"
purpose = "VPC_PEERING"
address_type = "INTERNAL"
prefix_length = 16
network = google_compute_network.private_network.id
}Description
Cloud SQL is a fully managed relational database service for MySQL, PostgreSQL, and SQL Server. It offers data encryption at rest and in transit, Private connectivity with VPC and user-controlled network access with firewall protection.It is possible to configure Cloud SQL to have a public IPv4 address. This means your cluster can accept connections from specific IP addresses, or a range of addresses, by adding authorized addresses to your instance. We do not recommend this option.
We recommend you ensure Cloud SQL Database Instances are not publicly accessible, to help secure against attackers scanning the internet in search of public databases.
Benchmarks
- NIST-800-53 CA-3
- CIS GCP V1.1 6.5
🎉 Fixed by commit aa8180a - Update terraform/gcp/big_data.tf
terraform/gcp/big_data.tf
Outdated
| @@ -18,6 +18,26 @@ resource google_sql_database_instance "master_instance" { | |||
| } | |||
| } | |||
|
|
|||
| resource google_sql_database_instance "master_instance2" { | |||
There was a problem hiding this comment.
| resource google_sql_database_instance "master_instance2" { | |
| resource google_sql_database_instance "master_instance2" { | |
| } |
Ensure incoming connections to Cloud SQL database instances use SSL
Resource: google_sql_database_instance.master_instance2 | ID: BC_GCP_GENERAL_5
Description
Cloud SQL is a fully managed relational database service for MySQL, PostgreSQL and SQL Server. It offers data encryption at rest and in transit, Private connectivity with VPC and user-controlled network access with firewall protection. Cloud SQL creates a server certificate automatically when a new instance is created.We recommend you enforce all connections to use SSL/TLS.
Benchmarks
- CIS GCP V1.1 6.4
🎉 Fixed by commit aa8180a - Update terraform/gcp/big_data.tf
| } |
There was a problem hiding this comment.
Ensure GCP BigQuery dataset is not publicly accessible
Resource: google_bigquery_dataset.dataset | ID: BC_GCP_GENERAL_7
Description
Dataset-level permissions help determine which users, groups, and service accounts are allowed to access tables, views, and table data in a specific BigQuery dataset. You can configure BigQuery permissions at a higher level in the Cloud IAM resource hierarchy. Your configurations are inherited and based on the IAM structure you select to apply.We recommend you ensure private datasets remain private by avoiding the All Authenticated Users option which gives all Google account holders access to the dataset, and makes the dataset public.
Benchmarks
- NIST-800-53 AC-3
- ISO27001 A.8.2.3, A.14.1.3
🎉 Fixed by commit aa8180a - Update terraform/gcp/big_data.tf
![prisma-cloud-devsecops[bot]](https://avatars.githubusercontent.com/in/135857?s=60&v=4){kind=small}
terraform/gcp/big_data.tf
Outdated
| @@ -18,6 +18,26 @@ resource google_sql_database_instance "master_instance" { | |||
| } | |||
| } | |||
|
|
|||
| resource google_sql_database_instance "master_instance2" { | |||
There was a problem hiding this comment.
Cloud SQL database instances are publicly accessible
Resource: google_sql_database_instance.master_instance2 | ID: BC_GCP_NETWORKING_4
How to Fix
resource "google_compute_network" "private_network" {
provider = google-beta
name = "private-network"
}
resource "google_compute_global_address" "private_ip_address" {
provider = google-beta
name = "private-ip-address"
purpose = "VPC_PEERING"
address_type = "INTERNAL"
prefix_length = 16
network = google_compute_network.private_network.id
}Description
Cloud SQL is a fully managed relational database service for MySQL, PostgreSQL, and SQL Server. It offers data encryption at rest and in transit, Private connectivity with VPC and user-controlled network access with firewall protection.It is possible to configure Cloud SQL to have a public IPv4 address. This means your cluster can accept connections from specific IP addresses, or a range of addresses, by adding authorized addresses to your instance. We do not recommend this option.
We recommend you ensure Cloud SQL Database Instances are not publicly accessible, to help secure against attackers scanning the internet in search of public databases.
Benchmarks
- NIST-800-53 CA-3
- CIS GCP V1.1 6.5
Calculating...
terraform/gcp/big_data.tf
Outdated
| } | ||
| } | ||
| backup_configuration { | ||
| enabled = false |
There was a problem hiding this comment.
| enabled = false | |
| enabled = true |
Cloud SQL database instances do not have backup configuration enabled
Resource: google_sql_database_instance.master_instance2 | ID: BC_GCP_GENERAL_6
Description
Cloud SQL is a fully managed relational database service for MySQL, PostgreSQL and SQL Server. It offers data encryption at rest and in transit, Private connectivity with VPC and user-controlled network access with firewall protection. Backups provide a way to restore a Cloud SQL instance to recover lost data or recover from a problem with your instance.We recommend you enable automated backups for instances that contain data of high importance.
Benchmarks
- ISO27001 A.12.3.1
- CIS GCP V1.1 6.7
Calculating...
| } |
There was a problem hiding this comment.
GCP BigQuery dataset is publicly accessible
Resource: google_bigquery_dataset.dataset | ID: BC_GCP_GENERAL_7
Description
Dataset-level permissions help determine which users, groups, and service accounts are allowed to access tables, views, and table data in a specific BigQuery dataset. You can configure BigQuery permissions at a higher level in the Cloud IAM resource hierarchy. Your configurations are inherited and based on the IAM structure you select to apply.We recommend you ensure private datasets remain private by avoiding the All Authenticated Users option which gives all Google account holders access to the dataset, and makes the dataset public.
Benchmarks
- NIST-800-53 AC-3
- ISO27001 A.8.2.3, A.14.1.3
Calculating...
terraform/gcp/big_data.tf
Outdated
| @@ -18,6 +18,26 @@ resource google_sql_database_instance "master_instance" { | |||
| } | |||
| } | |||
|
|
|||
| resource google_sql_database_instance "master_instance2" { | |||
There was a problem hiding this comment.
Incoming connections to Cloud SQL database instances do not use SSL
Resource: google_sql_database_instance.master_instance2 | ID: BC_GCP_GENERAL_5
Description
Cloud SQL is a fully managed relational database service for MySQL, PostgreSQL and SQL Server. It offers data encryption at rest and in transit, Private connectivity with VPC and user-controlled network access with firewall protection. Cloud SQL creates a server certificate automatically when a new instance is created.We recommend you enforce all connections to use SSL/TLS.
Benchmarks
- CIS GCP V1.1 6.4
Calculating...
Co-authored-by: bridgecrew[bot] <60663194+bridgecrew[bot]@users.noreply.github.com>
No description provided.