Terraforming Insecure SQL Database#46
Conversation
| resource "google_sql_database_instance" "sql_database_instance" { | ||
| name = var.name | ||
| database_version = var.database_version | ||
| region = var.region | ||
| settings { | ||
| tier = var.tier | ||
|
|
||
| dynamic "backup_configuration" { | ||
| for_each = var.backup_enabled != null || var.backup_start_time != null ? [1] : [] | ||
| content { | ||
| enabled = var.backup_enabled | ||
| start_time = var.backup_start_time | ||
| } | ||
| } | ||
|
|
||
| user_labels = var.user_labels | ||
| } | ||
| } |
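Review bot: `settings` has no `ip_configuration` block, so the instance keeps the provider defaults of a public IPv4 address with no network restriction and no TLS requirement. Add `ip_configuration { ipv4_enabled = false  private_network = <vpc self link>  require_ssl = true }`, or, if a public IP is genuinely required, restrict `authorized_networks` to specific trusted ranges rather than leaving it open. Separately, the `for_each` guard on `dynamic "backup_configuration"` creates the block when only `var.backup_start_time` is set, which yields `enabled = null`; the provider treats that as unset rather than `true`, so a start time is recorded while backups are not actually enabled. Consider `enabled = coalesce(var.backup_enabled, true)` or a non-null default on the variable.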
Infrastructure as Code Finding
⚫ Critical Severity
'ip_configuration' is not defined
A Google Cloud SQL instance becomes publicly accessible when it has public IP addressing enabled without proper network restrictions, creating a potential attack vector for unauthorized access. This can occur through ipv4_enabled being set to true (default) or by configuring authorized_networks with overly permissive CIDR ranges like '0.0.0.0/0' which allows connections from any IP address. To secure Cloud SQL instances, either disable public IP by setting ipv4_enabled to false and specifying a private_network (e.g., ipv4_enabled = false and private_network = "your-network-id") or restrict authorized_networks to specific trusted IP ranges (e.g., authorized_networks { name = "trusted-network", value = "10.0.0.0/24" }) rather than using '0.0.0.0/0'.
Rule ID: [b187edca-b81e-4fdc-aff4-aab57db45edb]
| database_version = var.database_version | ||
| region = var.region | ||
| settings { | ||
| tier = var.tier |
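Review bot: `settings` carries only `tier`, so `ip_configuration.require_ssl` stays at its default and clients may connect to the instance without TLS. Add `ip_configuration { require_ssl = true }` next to `tier` so credentials and query traffic are encrypted in transit; this belongs in the same block as the network restriction for the instance.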
Infrastructure as Code Finding
⚫ Critical Severity
Suggested change:
    tier = var.tier
    ip_configuration {
      require_ssl = true
    }
'settings.ip_configuration' is undefined or null
Google Cloud SQL instances without SSL enabled allow unencrypted connections, which can lead to data exposure through network eavesdropping and man-in-the-middle attacks. SSL encryption provides an essential layer of security for database connections by encrypting data in transit between the client and server. To secure your Google Cloud SQL Database, you should explicitly set 'require_ssl = true' in the ip_configuration block as shown below:
    settings {
      ip_configuration {
        require_ssl = true
      }
    }
Without this configuration, sensitive data such as credentials, personal information, and proprietary data could be intercepted when transmitted over the network.
Rule ID: [02474449-71aa-40a1-87ae-e14497747b00]
| resource "google_storage_bucket" "bucket" { | ||
| name = var.cloud_storage_bucket_name | ||
| location = var.region | ||
| project = var.project_name |
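Review bot: the bucket sets no `uniform_bucket_level_access`, so the provider default leaves legacy object ACLs enabled and any object can be granted permissions independently of the bucket's IAM policy. Add `uniform_bucket_level_access = true` so IAM is the single access-control path; `public_access_prevention = "enforced"` is a natural companion setting that rejects bindings granting `allUsers` or `allAuthenticatedUsers`.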
Infrastructure as Code Finding
⚫ Critical Severity
Suggested change:
    project = var.project_name
    uniform_bucket_level_access = true
google_storage_bucket[bucket].uniform_bucket_level_access is undefined or null
Google Storage Bucket Level Access controls access to objects at the bucket level rather than allowing fine-grained permissions at the object level. When disabled, Access Control Lists (ACLs) can be used to grant permissions to individual objects, increasing the risk of accidental exposure or misconfiguration that could lead to unauthorized access to sensitive data.
Enabling uniform bucket-level access simplifies permissions management and helps ensure consistent access control across all objects in a bucket. To secure your configuration, set 'uniform_bucket_level_access = true' in your google_storage_bucket resource as shown:
resource "google_storage_bucket" "secure_bucket" {
name = "image-store.com"
location = "EU"
uniform_bucket_level_access = true
# other configuration...
}
Rule ID: [bb0db090-5509-4853-a827-75ced0b3caa0]
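The following is a hardened version of the two resources touched by this PR that addresses all three findings above (public IP exposure, missing `require_ssl`, and missing uniform bucket-level access). It is an added example, not code from the PR or from the scanner; it assumes an extra input `var.private_network_id` holding the self link of a VPC that already has a Private Service Access connection, and keeps the module's existing variable names.

```hcl
# Added example: hardened counterparts to the resources flagged in this PR.
# Assumes var.private_network_id (self link of a VPC with Private Service
# Access configured) in addition to the module's existing variables.

resource "google_sql_database_instance" "sql_database_instance" {
  name             = var.name
  database_version = var.database_version
  region           = var.region

  settings {
    tier = var.tier

    # No public IPv4 address: reachable only from the VPC, and only over TLS.
    ip_configuration {
      ipv4_enabled    = false
      private_network = var.private_network_id
      require_ssl     = true
    }

    # Backups are always declared; a null backup_enabled defaults to true
    # instead of silently leaving backups disabled.
    backup_configuration {
      enabled    = coalesce(var.backup_enabled, true)
      start_time = coalesce(var.backup_start_time, "03:00")
    }

    user_labels = var.user_labels
  }
}

# If the instance must keep a public IP, use this ip_configuration instead,
# listing only specific trusted ranges and never 0.0.0.0/0:
#
#   ip_configuration {
#     ipv4_enabled = true
#     require_ssl  = true
#     authorized_networks {
#       name  = "trusted-network"
#       value = "10.0.0.0/24"
#     }
#   }

resource "google_storage_bucket" "bucket" {
  name     = var.cloud_storage_bucket_name
  location = var.region
  project  = var.project_name

  # IAM is the only access-control path; per-object ACLs are disabled.
  uniform_bucket_level_access = true
  # Reject any IAM binding that would make the bucket public.
  public_access_prevention = "enforced"
}
```

The `coalesce` calls keep the module's optional backup variables but change the failure mode: an operator who sets only a start time now gets backups enabled rather than a block that looks configured and is not. Newer versions of the Google provider also expose `ssl_mode` on `ip_configuration`; `require_ssl = true` is kept here because it is the setting the scanner finding names.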
No description provided.