GCP PostgreSQL suspicious configuration
Description
AlphaSOC detected a cloudsql.instances.update call that configured a GCP Cloud SQL
PostgreSQL instance with database flags that weaken security or reduce logging
visibility. This includes disabling connection logging (log_connections or
log_disconnections set to off), reducing log verbosity (log_error_verbosity set
to terse), disabling statement logging (log_statement set to none), or allowing
weak TLS versions (ssl_min_protocol_version below TLSv1.2, such as TLSv1 or
TLSv1.1).
Adversaries may modify these parameters to evade detection by reducing audit trail visibility, or to weaken transport encryption so that database connections are easier to intercept.
Impact
Weakened logging configurations reduce visibility into database activity, making it harder to detect unauthorized access, data exfiltration, or malicious queries, and leaving gaps in the audit trail for the period during which the flags were in effect. Allowing TLS 1.0 or 1.1 exposes database connections to the known weaknesses of those protocol versions and to credential interception.
Severity
| Severity | Condition |
|---|---|
| Low | Suspicious database flag configuration |
Investigation and Remediation
Review GCP audit logs for the cloudsql.instances.update action and examine the
databaseFlags in the request. Identify which security-weakening flags were set,
the principal responsible, and whether the change corresponds to an approved
change. Admin Activity audit logs are written regardless of the instance's own
logging flags, so they remain the authoritative record of the change even after
PostgreSQL-side logging has been reduced.
If unauthorized, restore the secure database flag configuration. Re-enable connection and statement logging, set appropriate log verbosity levels, and enforce TLSv1.2 or higher. Investigate the compromised identity and review database access logs for suspicious activity during the period of weakened security, bearing in mind that the PostgreSQL logs themselves may be incomplete for that window.
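The following is an added triage example, not AlphaSOC's or Google's code. It implements the investigation and remediation steps above against Cloud Audit Log entries: it keeps the cloudsql.instances.update calls, reports the databaseFlags that weaken logging or TLS together with the principal who set them, and builds the gcloud command that restores a baseline. The log entries are constructed inline in the shape Cloud Logging exports; the request body path settings.databaseFlags and the SECURE_BASELINE values are assumptions to adjust to your environment.

```python
"""Triage helper for the 'GCP PostgreSQL suspicious configuration' finding.

Added example, not AlphaSOC's or Google's code.  Assumes the audit log request
body carries the flags at settings.databaseFlags and that SECURE_BASELINE
reflects the organisation's documented configuration.
"""

# Values that weaken visibility.  PostgreSQL accepts several spellings of a
# boolean "off", so all of them are listed.
OFF = {"off", "false", "0", "no"}
WEAK_FLAG_VALUES = {
    "log_connections": OFF,
    "log_disconnections": OFF,
    "log_statement": {"none"},
    "log_error_verbosity": {"terse"},
}
TLS_ORDER = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
MIN_TLS = "TLSv1.2"

# Assumed baseline used for the remediation command (hypothetical values).
SECURE_BASELINE = {
    "log_connections": "on",
    "log_disconnections": "on",
    "log_statement": "ddl",
    "log_error_verbosity": "default",
    "ssl_min_protocol_version": MIN_TLS,
}


def weak_flags(database_flags):
    """Return {flag: value} for each databaseFlags entry that weakens security.

    Flags absent from the request are not reported: the finding concerns
    flags the caller explicitly set.
    """
    weak = {}
    for entry in database_flags:
        name = entry.get("name", "")
        value = str(entry.get("value", "")).strip()
        if name in WEAK_FLAG_VALUES and value.lower() in WEAK_FLAG_VALUES[name]:
            weak[name] = value
        elif name == "ssl_min_protocol_version":
            # An unrecognised version string is treated as suspicious as well.
            if value not in TLS_ORDER or TLS_ORDER.index(value) < TLS_ORDER.index(MIN_TLS):
                weak[name] = value
    return weak


def triage(entries):
    """Return one finding per cloudsql.instances.update that set weak flags."""
    findings = []
    for e in entries:
        pl = e.get("protoPayload", {})
        if pl.get("methodName") != "cloudsql.instances.update":
            continue
        flags = (pl.get("request", {}).get("body", {})
                 .get("settings", {}).get("databaseFlags", []))
        weak = weak_flags(flags)
        if weak:
            findings.append({
                "instance": pl.get("resourceName", ""),
                "principal": pl.get("authenticationInfo", {}).get("principalEmail"),
                "time": e.get("timestamp"),
                "weak_flags": weak,
            })
    return findings


def remediation_command(finding):
    """Build the gcloud command that restores the baseline for the weak flags.

    Caveat: --database-flags replaces the instance's whole flag set, so append
    the instance's other documented flags before running this.
    """
    instance = finding["instance"].rsplit("/", 1)[-1]
    pairs = ",".join(f"{k}={SECURE_BASELINE[k]}" for k in sorted(finding["weak_flags"]))
    return f"gcloud sql instances patch {instance} --database-flags={pairs}"


# Constructed sample entries: a weakening update, a hardening update, and an
# unrelated Cloud SQL call.  Project, instance and principal names are made up.
SAMPLE_ENTRIES = [
    {"timestamp": "2024-05-01T10:15:00Z",
     "protoPayload": {
         "methodName": "cloudsql.instances.update",
         "resourceName": "projects/example-proj/instances/pg-prod",
         "authenticationInfo": {"principalEmail": "svc-deploy@example-proj.iam.gserviceaccount.com"},
         "request": {"body": {"settings": {"databaseFlags": [
             {"name": "log_connections", "value": "off"},
             {"name": "log_disconnections", "value": "off"},
             {"name": "log_statement", "value": "none"},
             {"name": "log_error_verbosity", "value": "terse"},
             {"name": "ssl_min_protocol_version", "value": "TLSv1"}]}}}}},
    {"timestamp": "2024-05-01T11:00:00Z",
     "protoPayload": {
         "methodName": "cloudsql.instances.update",
         "resourceName": "projects/example-proj/instances/pg-dev",
         "authenticationInfo": {"principalEmail": "dba@example.com"},
         "request": {"body": {"settings": {"databaseFlags": [
             {"name": "log_connections", "value": "on"},
             {"name": "ssl_min_protocol_version", "value": "TLSv1.3"}]}}}}},
    {"timestamp": "2024-05-01T11:05:00Z",
     "protoPayload": {"methodName": "cloudsql.instances.get",
                      "resourceName": "projects/example-proj/instances/pg-prod"}},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_ENTRIES):
        print(f["time"], f["principal"], f["instance"], f["weak_flags"])
        print("  ", remediation_command(f))
```

Only the first sample entry is reported: the second sets hardening values and the third is not an update. The generated gcloud command is a starting point, not a one-shot fix, because `gcloud sql instances patch --database-flags` overwrites every flag on the instance; compare it against the instance's documented configuration before applying it.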