GCP Cloud SQL instance exposed to the internet
Description
AlphaSOC detected that a GCP Cloud SQL instance was configured, via
cloudsql.instances.update, to accept connections from any IP address
(0.0.0.0/0 in its authorized networks). This configuration exposes the
database to the entire internet, significantly increasing the attack surface.
Exposing a database to the public internet is a significant security risk. This allows authentication attempts from any IP address, making the database vulnerable to brute force attacks, exploitation of database vulnerabilities, and unauthorized access if credentials are compromised.
Impact
Public internet exposure of database services dramatically increases attack surface. The database becomes vulnerable to automated scanning, brute force attacks, and exploitation. Data breaches, ransomware attacks targeting databases, and regulatory compliance violations may result.
Severity
| Severity | Condition |
|---|---|
| Medium | Cloud SQL authorized network includes 0.0.0.0/0 |
Investigation and Remediation
Immediately review GCP audit logs for the cloudsql.instances.update action to
identify who configured public access. Determine if there is any legitimate
business justification, which is rare for production databases.
Remove the 0.0.0.0/0 entry from authorized networks immediately unless there is documented, approved justification. Implement specific IP restrictions or use Private Service Connect for secure connectivity. Audit database connection logs for unauthorized authentication attempts and review any connections that occurred during the exposure window.
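As an added example (not part of this detection write-up or AlphaSOC's own code), the following Python triages exported Cloud Audit Log entries for the change described above: it keeps cloudsql.instances.update (and its sibling Admin API method cloudsql.instances.patch) entries whose requested settings authorize a world-open network, and reports who made the change and to which instance. The log field layout, the sample entries and the project/instance names are constructed for illustration, and the check also generalizes to ::/0.

```python
import ipaddress

# Audit-log method names that can rewrite an instance's settings block.
# "update" is the method named in the detection; "patch" is the sibling
# Cloud SQL Admin API method that can carry the same ipConfiguration.
INSTANCE_SETTINGS_METHODS = {"cloudsql.instances.update", "cloudsql.instances.patch"}


def is_world_open(cidr: str) -> bool:
    """True if the CIDR admits every address (0.0.0.0/0 or ::/0)."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:  # malformed value: not a network, so not world-open
        return False


def find_public_exposures(log_entries):
    """Return one finding per audit-log entry that authorizes a world-open network.

    Each finding records the timestamp, the principal and the instance so the
    exposure window can be reconstructed and connection logs reviewed.
    """
    findings = []
    for entry in log_entries:
        payload = entry.get("protoPayload", {})
        if payload.get("methodName") not in INSTANCE_SETTINGS_METHODS:
            continue
        ip_config = payload.get("request", {}).get("settings", {}).get("ipConfiguration", {})
        open_nets = [n.get("value") for n in ip_config.get("authorizedNetworks", [])
                     if is_world_open(n.get("value", ""))]
        if open_nets:
            findings.append({
                "timestamp": entry.get("timestamp"),
                "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
                "instance": payload.get("resourceName"),
                "authorized_networks": open_nets,
                "severity": "Medium",
            })
    return findings


# Constructed sample entries in the shape of GCP Cloud Audit Logs (layout and
# names assumed for illustration; 203.0.113.0/24 is a documentation range).
SAMPLE_AUDIT_LOG = [
    {"timestamp": "2024-05-01T10:00:00Z",
     "protoPayload": {"methodName": "cloudsql.instances.update",
                      "authenticationInfo": {"principalEmail": "dev@example.com"},
                      "resourceName": "projects/demo/instances/prod-db",
                      "request": {"settings": {"ipConfiguration": {"authorizedNetworks": [
                          {"name": "anywhere", "value": "0.0.0.0/0"}]}}}}},
    {"timestamp": "2024-05-01T10:05:00Z",
     "protoPayload": {"methodName": "cloudsql.instances.update",
                      "authenticationInfo": {"principalEmail": "ops@example.com"},
                      "resourceName": "projects/demo/instances/staging-db",
                      "request": {"settings": {"ipConfiguration": {"authorizedNetworks": [
                          {"name": "office", "value": "203.0.113.0/24"}]}}}}},
]

if __name__ == "__main__":
    for finding in find_public_exposures(SAMPLE_AUDIT_LOG):
        print(finding)
```

Feed it the JSON entries from a Cloud Logging export filtered on the method names above; the first entry in the sample is the only one reported.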