
Unexpected GCP API calls indicating Cloud SQL instance modification

ID: gcp_cloud_sql_instance_modified_anomaly
Data type: Google Cloud Platform
Severity: Informational - Medium
MITRE ATT&CK: TA0005:T1562

Description

AlphaSOC detected modifications to a Google Cloud SQL database instance via the cloudsql.instances.update API method. Cloud SQL instances may be modified to enable public IP access, change network settings, or alter security configurations. Attackers may modify instance settings to facilitate data exfiltration or establish unauthorized access to databases.

Impact

Unauthorized Cloud SQL modifications can expose databases to the public internet, weaken authentication requirements, or disable security features. This significantly increases the attack surface and may allow attackers to access, modify, or exfiltrate sensitive data stored in the database. Network changes may also enable lateral movement within the cloud environment.

Severity

Severity        Condition
Informational   GCP API calls indicating Cloud SQL instance modification
Low             Unexpected GCP API calls indicating Cloud SQL instance modification
Medium          Suspicious GCP API calls indicating Cloud SQL instance modification

Investigation and Remediation

Review the specific changes made to the Cloud SQL instance configuration. Verify the identity of the user who made the modifications and confirm the action was authorized. Check for changes to network settings, public IP enablement, SSL requirements, or authentication policies. If unauthorized changes are detected, revert to the previous configuration and investigate the user's account for compromise.
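One way to carry out this review in code, added here as an illustration and not AlphaSOC's own detection logic: the script below walks constructed Cloud Audit Log entries, keeps only cloudsql.instances.update calls, inspects the requested settings for the changes called out above (public IP enablement, SSL requirement removal, wide-open authorized networks) and compares the calling principal against a hypothetical allow-list of approved automation identities. The log entry shape, the sample entries, the allow-list and the mapping of findings onto the severity table are assumptions; the field names under settings.ipConfiguration follow the Cloud SQL Admin API.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample Cloud Audit Log entries (not real logs). The shape follows
# Cloud Audit Logging for the Cloud SQL Admin API, where the requested
# settings appear under protoPayload.request.settings.
SAMPLE_LOG_ENTRIES = [
    {   # routine resize by an infrastructure-as-code service account
        "protoPayload": {
            "methodName": "cloudsql.instances.update",
            "authenticationInfo": {"principalEmail": "terraform@example-project.iam.gserviceaccount.com"},
            "resourceName": "instances/prod-db",
            "request": {"settings": {"tier": "db-custom-4-16384"}},
        }
    },
    {   # human user exposing the instance and dropping the SSL requirement
        "protoPayload": {
            "methodName": "cloudsql.instances.update",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "resourceName": "instances/prod-db",
            "request": {"settings": {"ipConfiguration": {
                "ipv4Enabled": True,
                "requireSsl": False,
                "authorizedNetworks": [{"name": "open", "value": "0.0.0.0/0"}],
            }}},
        }
    },
    {   # read-only call, not in scope for this rule
        "protoPayload": {
            "methodName": "cloudsql.instances.list",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "resourceName": "instances",
            "request": {},
        }
    },
]

# Hypothetical allow-list of principals expected to change instance configuration.
APPROVED_PRINCIPALS = {"terraform@example-project.iam.gserviceaccount.com"}


@dataclass
class Finding:
    instance: str
    principal: str
    severity: str
    reasons: List[str]


def risky_changes(settings: dict) -> List[str]:
    """Return reasons for security-relevant settings present in an update request."""
    reasons = []
    ipcfg = settings.get("ipConfiguration", {})
    if ipcfg.get("ipv4Enabled") is True:
        reasons.append("public IPv4 enabled")
    if ipcfg.get("requireSsl") is False:
        reasons.append("SSL requirement disabled")
    for net in ipcfg.get("authorizedNetworks", []):
        cidr = net.get("value", "")
        if cidr.endswith("/0"):
            reasons.append(f"authorized network open to all addresses ({cidr})")
    return reasons


def triage_entry(entry: dict) -> Optional[Finding]:
    """Map one audit log entry onto the rule's severity table, or None if out of scope."""
    payload = entry.get("protoPayload", {})
    if payload.get("methodName") != "cloudsql.instances.update":
        return None
    principal = payload.get("authenticationInfo", {}).get("principalEmail", "unknown")
    instance = payload.get("resourceName", "unknown")
    reasons = risky_changes(payload.get("request", {}).get("settings", {}))
    unexpected = principal not in APPROVED_PRINCIPALS
    # Any update is Informational; an unexpected principal raises it to Low;
    # a change that weakens network or transport security raises it to Medium.
    if reasons:
        severity = "Medium"
    elif unexpected:
        severity = "Low"
    else:
        severity = "Informational"
    if unexpected:
        reasons = reasons + [f"principal {principal} not in approved list"]
    return Finding(instance, principal, severity, reasons)


def triage(entries: List[dict]) -> List[Finding]:
    """Triage a batch of log entries, dropping those the rule does not cover."""
    return [f for f in map(triage_entry, entries) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG_ENTRIES):
        print(f"{f.severity:13} {f.instance:18} {f.principal}: {'; '.join(f.reasons) or 'no risky changes'}")
```

In practice the entries would come from a Cloud Logging export filtered on the method name, and the allow-list from whatever source of truth records which identities are permitted to run deployments; the two findings the sample produces show the difference between a routine resize and a change that warrants reverting the configuration and reviewing the user's account.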

Known False Positives

  • Legitimate database administration and maintenance activities
  • Automated configuration management or infrastructure-as-code deployments
  • Scaling operations or performance tuning by administrators