Google Cloud SQL
      Back to home
      1. Knowledge Base
      2. GCP Knowledge Base
      3. Google Cloud SQL

      Any Host Access For Root User Enabled

      Ensures that root access is not allowed for any host for all SQL instances.

      Risk Level: High

      Description

      This plugin ensures that the root user on the SQL instance does not have permission to be accessed by any host. User accounts are essential to access and manage the SQL databases. Whenever a new SQL instance is created, the default user is root@%.

      About the Service

      Google Cloud SQL:

      Google Cloud SQL is a relational database for MySQL, PostgreSQL, and SQL Server that is fully managed. It automates database provisioning, storage capacity management, replication, and backups while lowering maintenance costs. It can be set up easily using the built-in migration tools and lets you scale your instances effortlessly. To know more about Cloud SQL, read here

      Impact

      The default user account has all privileges and has access to do anything in the SQL instance. As a result, to ensure optimum security, PingSafe strongly recommends configuring the account to restrict host access.

      Steps to Reproduce

      Using GCP Console-

      1. Log In to your GCP Console.
      2. From the top navigation bar, select the GCP project you want to investigate.
      3. From the navigation panel on the left side of the console, go to SQL. You can use this link here to navigate directly if you’re already logged in.
      4. Select the ID of the SQL instance you want to investigate from the list of instances available and click on the USERS tab.


      5. In the list of users displayed, check the host name for the root username. If it says “% (any host)” then root access is enabled for any host and PingSafe highly advises you to update this setup.
      6. Repeat steps 4 and 5 for all the SQL instances you want to investigate in the selected project.
      7. If you have multiple projects, repeat steps 2 to 6 for each project in your GCP Console. 

      Steps for Remediation

      Determine whether or not you truly require root access for any host in your SQL instances. If not, make the necessary changes using the steps below.


      Using GCP Console-

      1. Log In to your GCP Console.
      2. From the top navigation bar, select the GCP project you want to investigate.
      3. From the navigation panel on the left side of the console, go to SQL. You can use this link here to navigate directly if you’re already logged in.
      4. Select the ID of the SQL instance you want to reconfigure from the list of instances available and click on the USERS tab. (In case you aren’t sure which SQL instance needs to be configured, follow the steps to reproduce listed above to determine which to choose.)

      5.  In the list of users displayed, click on the three-dot icon next to the root username and select Remove.
      6. Next, click on the ADD USER ACCOUNT button to add a new user.
      7. In the add user page, select Built-in authentication and enter root as the username and type your desired password (optional).
      8. In the Host name section, select Restrict host by IP address or address range and enter your desired IP address/address range in the text box provided.
      9. Click the ADD button to create the new user.
      10. Repeat steps 4 to 7 for all the SQL instances you want to reconfigure in the selected project.
      11. If you have multiple projects, repeat steps 2 to 8 for each project in your GCP console.