
Unexpected GCP API calls indicating Cloud SQL automatic backup configuration change

ID: gcp_cloud_sql_automatic_backup_disabled_anomaly
Data type: Google Cloud Platform
Severity: Informational - Medium
MITRE ATT&CK: TA0040:T1490

Description

AlphaSOC detected that automatic backups were disabled on a GCP Cloud SQL instance via cloudsql.instances.update. Automatic backups provide point-in-time recovery capabilities and are critical for data protection and disaster recovery.

Disabling automatic backups can be a precursor to data destruction attacks or ransomware operations. Adversaries may disable backups to prevent recovery after malicious data modification or deletion.

Impact

Without automatic backups, organizations lose the ability to restore databases to a previous state after data corruption, deletion, or ransomware attacks. Recovery from incidents becomes significantly more difficult or impossible, potentially resulting in permanent data loss.

Severity

Severity        Condition
Informational   Unexpected action, ASN, user agent or region
Low             Two unexpected properties at the same time
Medium          Three unexpected properties at the same time

Investigation and Remediation

Review GCP audit logs for the cloudsql.instances.update action and examine the backupConfiguration.enabled setting in the request. Identify the principal that disabled backups and verify whether the change was authorized.

If unauthorized, immediately re-enable automatic backups on the affected instance. Investigate the compromised identity for additional destructive activities. Verify data integrity and consider creating a manual backup immediately. Implement IAM policies to restrict backup configuration changes.