CloudSQL instances can have a public IP address and be made accessible from the Internet.
Publicly accessible CloudSQL instances are vulnerable to automated brute force and exploitation attacks. This increases the likelihood that the database is compromised and used for ransomware, extortion, or leaking sensitive data.
A CloudSQL instance can either sit inside a private network with a private address or be assigned a public IP. On the public IP path, the authorized networks list is the only network-level control: if the instance has a public IP and allows connections from 0.0.0.0/0, anyone on the Internet can attempt brute force, credential stuffing, or denial of service attacks against the database. A public IP with a narrow authorized range is reachable only from that range; a public IP with no authorized networks at all refuses direct client connections and is reachable only through the Cloud SQL Auth Proxy or Cloud SQL connectors.
Identify affected resources
Use the following gcloud CLI commands to identify CloudSQL instances that are publicly accessible from the Internet. Note that the check only matches the unbounded range 0.0.0.0/0; an instance that allows a very broad range such as a /8 is not flagged.
gcloud sql instances list --format="value(name)" | while read -r instance; do
  echo "Checking $instance"
  authorizedNetworks=$(gcloud sql instances describe "$instance" --format="flattened(settings.ipConfiguration.authorizedNetworks.value)")
  # -F matches the literal string, so the dots in 0.0.0.0/0 are not treated as wildcards
  if echo "$authorizedNetworks" | grep -qF '0.0.0.0/0'; then
    echo "WARNING: $instance is publicly accessible (authorized network 0.0.0.0/0)"
  fi
done
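The gcloud loop only reports the unbounded range. As an added example that is not part of this page's tooling, the following Python script audits the JSON returned by gcloud sql instances list --format=json (the Cloud SQL Admin API DatabaseInstance shape) and goes further: it checks whether the instance actually has a public IP (ipv4Enabled or a PRIMARY address), classifies every authorized network by prefix length (0.0.0.0/0 and ::/0 are open to the world, anything broader than an assumed /24 policy threshold is reported as overly broad, an empty list means proxy-only access), and notes when unencrypted connections are still accepted. The sample instances, the /24 threshold and the verdict names are constructed for illustration.

```python
import ipaddress
import json

# Authorized networks with a prefix shorter than this are reported as overly broad.
# /24 is an assumed policy threshold; adjust it to your organization's standard.
MIN_PREFIX_LEN = 24

# Constructed sample in the shape of `gcloud sql instances list --format=json`,
# trimmed to the fields the audit reads. Addresses are documentation ranges.
SAMPLE_INSTANCES_JSON = json.dumps([
    {"name": "prod-orders-db",
     "ipAddresses": [{"type": "PRIMARY", "ipAddress": "203.0.113.10"}],
     "settings": {"ipConfiguration": {
         "ipv4Enabled": True, "requireSsl": False,
         "authorizedNetworks": [{"name": "anywhere", "value": "0.0.0.0/0"}]}}},
    {"name": "staging-db",
     "ipAddresses": [{"type": "PRIMARY", "ipAddress": "203.0.113.11"}],
     "settings": {"ipConfiguration": {
         "ipv4Enabled": True, "requireSsl": True,
         "authorizedNetworks": [{"name": "office", "value": "198.51.100.0/24"},
                                {"name": "too-broad", "value": "10.0.0.0/8"}]}}},
    {"name": "analytics-db",
     "ipAddresses": [{"type": "PRIMARY", "ipAddress": "203.0.113.12"}],
     "settings": {"ipConfiguration": {
         "ipv4Enabled": True, "requireSsl": True, "authorizedNetworks": []}}},
    {"name": "internal-db",
     "ipAddresses": [{"type": "PRIVATE", "ipAddress": "10.20.0.5"}],
     "settings": {"ipConfiguration": {
         "ipv4Enabled": False, "requireSsl": True,
         "privateNetwork": "projects/example/global/networks/vpc"}}},
])


def unencrypted_allowed(ip_cfg: dict) -> bool:
    """True when non-TLS client connections are accepted.

    Newer API responses carry sslMode; older ones only carry requireSsl.
    """
    ssl_mode = ip_cfg.get("sslMode")
    if ssl_mode is not None:
        return ssl_mode == "ALLOW_UNENCRYPTED_AND_ENCRYPTED"
    return not ip_cfg.get("requireSsl", False)


def classify(instance: dict, min_prefix_len: int = MIN_PREFIX_LEN) -> dict:
    """Classify one DatabaseInstance by how reachable it is from outside."""
    ip_cfg = instance.get("settings", {}).get("ipConfiguration", {})
    has_public_ip = bool(ip_cfg.get("ipv4Enabled")) or any(
        addr.get("type") == "PRIMARY" for addr in instance.get("ipAddresses", []))
    world, broad, narrow = [], [], []
    for entry in ip_cfg.get("authorizedNetworks", []):
        cidr = entry.get("value", "")
        try:
            net = ipaddress.ip_network(cidr, strict=False)  # bare IPs become /32 or /128
        except ValueError:
            continue  # the API only stores valid CIDRs; skip anything unparsable
        if net.prefixlen == 0:          # 0.0.0.0/0 or ::/0
            world.append(cidr)
        elif net.prefixlen < min_prefix_len:
            broad.append(cidr)
        else:
            narrow.append(cidr)
    if not has_public_ip:
        verdict = "private"
    elif world:
        verdict = "open_to_internet"
    elif broad:
        verdict = "public_broad_range"
    elif narrow:
        verdict = "public_restricted"
    else:
        # Public IP but no authorized networks: direct client connections are refused,
        # access only goes through the Cloud SQL Auth Proxy / connectors.
        verdict = "public_proxy_only"
    return {"name": instance.get("name"), "verdict": verdict,
            "open_ranges": world + broad,
            "unencrypted_allowed": has_public_ip and unencrypted_allowed(ip_cfg)}


def audit(instances_json: str, min_prefix_len: int = MIN_PREFIX_LEN) -> list:
    return [classify(i, min_prefix_len) for i in json.loads(instances_json)]


def exposed(instances_json: str, min_prefix_len: int = MIN_PREFIX_LEN) -> list:
    """Names of instances reachable from unbounded or overly broad ranges."""
    return [r["name"] for r in audit(instances_json, min_prefix_len)
            if r["verdict"] in ("open_to_internet", "public_broad_range")]


if __name__ == "__main__":
    import sys
    # Pipe `gcloud sql instances list --format=json` in, or run with no input for the sample.
    text = SAMPLE_INSTANCES_JSON if sys.stdin.isatty() else sys.stdin.read()
    for r in audit(text):
        flags = " (unencrypted connections allowed)" if r["unencrypted_allowed"] else ""
        print(f"{r['name']:<16} {r['verdict']:<20} {' '.join(r['open_ranges'])}{flags}")
```

Run it as gcloud sql instances list --format=json | python3 audit.py. Instances classified open_to_internet or public_broad_range are the ones to remediate first; public_proxy_only instances are not directly reachable but still carry a public address that a private IP configuration would remove.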
Remediate vulnerable resources
The first step is to restrict network access to the CloudSQL instance. For instance, you can restrict access to a known IP range used by system administrators. Note that --authorized-networks replaces the whole list, so pass every range that should remain allowed in one command:
gcloud sql instances patch CLOUD_SQL_INSTANCE_NAME --authorized-networks ALLOWED_CIDR
Then, the best practice is to not assign CloudSQL instances public IP addresses at all. Attach the instance to a VPC network with a private address first, verify that clients (or the Cloud SQL Auth Proxy) can reach it there, and only then remove the public address with the --no-assign-ip flag of gcloud sql instances patch. This makes the CloudSQL instance reachable only from that private network. See also Connect to a Cloud SQL for MySQL instance with private IP
How Datadog can help
Cloud Security Management
Datadog Cloud Security Management detects this vulnerability using the out-of-the-box rule "Datadog CSPM Rule | SQL Database Instances only allow ingress traffic from specific IP addresses".
CloudSQL connection options
Remove an authorized IP range
Learn about using private IP
Case Study: Ransomware in the Cloud (page 8)