By default, GCP SQL instances offer encryption in transit, with support for TLS, but insecure connections are still accepted. On an unsecured
network, such as a public network, the risk of traffic being intercepted is high. When the data isn’t encrypted, an attacker can intercept it and read
confidential information.
When creating a GCP SQL instance, a public IP address is automatically assigned to it and connections to the SQL instance from public networks can
be authorized.
TLS is automatically used when connecting to SQL instances through:
Ask Yourself Whether
Connections are not already automatically encrypted by GCP (e.g. SQL Auth proxy) and
- Connections to the SQL instance are performed on untrusted networks.
- The data stored in the SQL instance is confidential.
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
It’s recommended to encrypt all connections to the SQL instance, whether using public or private IP addresses. However, since private networks can
be considered trusted, requiring TLS in this situation is usually a lower priority task.
Sensitive Code Example
resource "google_sql_database_instance" "example" { # Sensitive: TLS is not required
  name             = "noncompliant-master-instance"
  database_version = "POSTGRES_11"
  region           = "us-central1"
  settings {
    tier = "db-f1-micro"
    # No ip_configuration block: the instance keeps its default public IPv4 address
    # and require_ssl stays at its default (false), so plaintext connections are accepted
  }
}
Compliant Solution
resource "google_sql_database_instance" "example" {
  name             = "compliant-master-instance"
  database_version = "POSTGRES_11"
  region           = "us-central1"
  settings {
    tier = "db-f1-micro"
    ip_configuration {
      require_ssl  = true # only TLS connections are accepted
      ipv4_enabled = true
    }
  }
}
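As an added example (not part of this rule or SonarSource's code), the following audit applies the priority described above to existing instances: it reads the JSON that `gcloud sql instances list --format=json` emits and rates each instance that does not require TLS as "high" when it exposes a public IPv4 address and "low" when it is reachable only over a private network. The input below is a constructed sample trimmed to the fields the check uses, and the field names `settings.ipConfiguration.requireSsl` / `ipv4Enabled` are assumed to match the Cloud SQL Admin API output.

```python
import json

# Constructed sample of `gcloud sql instances list --format=json` output,
# reduced to the fields this check reads (field names are an assumption
# based on the Cloud SQL Admin API; verify against your own gcloud output).
SAMPLE_GCLOUD_JSON = """
[
  {"name": "noncompliant-master-instance",
   "settings": {"ipConfiguration": {"ipv4Enabled": true, "requireSsl": false,
                                    "authorizedNetworks": [{"value": "203.0.113.0/24"}]}}},
  {"name": "private-only-instance",
   "settings": {"ipConfiguration": {"ipv4Enabled": false, "requireSsl": false,
                                    "privateNetwork": "projects/p/global/networks/vpc"}}},
  {"name": "compliant-master-instance",
   "settings": {"ipConfiguration": {"ipv4Enabled": true, "requireSsl": true}}}
]
"""


def classify(instance):
    """Return 'ok', 'high' or 'low' for one instance record."""
    ipc = instance.get("settings", {}).get("ipConfiguration", {})
    if ipc.get("requireSsl", False):
        return "ok"
    # A public IPv4 address is assigned by default, so treat a missing key as
    # enabled. Plaintext connections over untrusted networks: high priority.
    if ipc.get("ipv4Enabled", True):
        return "high"
    # Only private networking: plaintext is still a finding, but lower priority.
    return "low"


def audit(gcloud_json):
    """Map every instance name in the gcloud JSON to its priority level."""
    return {inst["name"]: classify(inst) for inst in json.loads(gcloud_json)}


if __name__ == "__main__":
    for name, level in sorted(audit(SAMPLE_GCLOUD_JSON).items(), key=lambda kv: kv[1]):
        print(f"{level:5} {name}")
```

Replace `SAMPLE_GCLOUD_JSON` with the real command output to audit a project; anything rated "high" should get `require_ssl = true` first.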
See