GCP Cloud SQL instance SSL enforcement disabled
Description
AlphaSOC detected that SSL enforcement was disabled on a GCP Cloud SQL instance
via cloudsql.instances.update by setting sslMode to
ALLOW_UNENCRYPTED_AND_ENCRYPTED. This configuration allows unencrypted
connections to the database, exposing data in transit to interception.
Adversaries may disable SSL enforcement to facilitate credential harvesting
through man-in-the-middle attacks.
Impact
Allowing unencrypted database connections exposes credentials and query data to interception. Attackers positioned on the network can capture database credentials, sensitive query results, and other confidential information. This may also result in violations of regulatory and organizational compliance requirements.
Severity
| Severity | Condition |
|---|---|
| Low | SSL enforcement disabled |
Investigation and Remediation
Review GCP audit logs for the cloudsql.instances.update action and examine the
ipConfiguration.sslMode setting in the request. Identify the principal that disabled SSL
enforcement and verify whether this was an authorized change.
If unauthorized, immediately re-enable SSL enforcement by setting sslMode to
ENCRYPTED_ONLY. Rotate database credentials that may have been exposed during
the period of disabled encryption. Investigate the compromised identity and
review database connection logs for suspicious activity.
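The audit-log review described above, as an added example that is not part of the original AlphaSOC page: a small Python filter that reads Cloud Audit Log entries (one JSON object per line), keeps only cloudsql.instances.update calls whose request sets ipConfiguration.sslMode, and flags those that set it to ALLOW_UNENCRYPTED_AND_ENCRYPTED together with the principal and instance involved. The sample log lines are constructed, and the field layout (protoPayload.methodName, protoPayload.authenticationInfo.principalEmail, protoPayload.resourceName, protoPayload.request.settings.ipConfiguration.sslMode) is an assumption about the audit-log shape, not something the page states.

```python
import json
from typing import Iterable, List, Optional

# sslMode values the page names.
UNENFORCED = "ALLOW_UNENCRYPTED_AND_ENCRYPTED"
ENFORCED = "ENCRYPTED_ONLY"

# Constructed sample Cloud Audit Log entries (not real logs). The field layout
# is assumed for this example.
SAMPLE_LOG_LINES = [
    json.dumps({  # enforcement disabled: the case the detection should flag
        "timestamp": "2024-01-01T10:00:00Z",
        "protoPayload": {
            "methodName": "cloudsql.instances.update",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "resourceName": "projects/example-project/instances/prod-db",
            "request": {"settings": {"ipConfiguration": {"sslMode": UNENFORCED}}},
        },
    }),
    json.dumps({  # same method, but hardening rather than weakening
        "timestamp": "2024-01-01T10:05:00Z",
        "protoPayload": {
            "methodName": "cloudsql.instances.update",
            "authenticationInfo": {"principalEmail": "bob@example.com"},
            "resourceName": "projects/example-project/instances/staging-db",
            "request": {"settings": {"ipConfiguration": {"sslMode": ENFORCED}}},
        },
    }),
    json.dumps({  # update that does not touch ipConfiguration at all
        "timestamp": "2024-01-01T10:10:00Z",
        "protoPayload": {
            "methodName": "cloudsql.instances.update",
            "authenticationInfo": {"principalEmail": "carol@example.com"},
            "resourceName": "projects/example-project/instances/prod-db",
            "request": {"settings": {"tier": "db-custom-2-8192"}},
        },
    }),
    json.dumps({  # unrelated read-only method
        "timestamp": "2024-01-01T10:15:00Z",
        "protoPayload": {
            "methodName": "cloudsql.instances.get",
            "authenticationInfo": {"principalEmail": "dave@example.com"},
            "resourceName": "projects/example-project/instances/prod-db",
        },
    }),
    "this line is not JSON",  # malformed input must be skipped, not crash the scan
]


def extract_ssl_mode_change(entry: dict) -> Optional[dict]:
    """Return details of a cloudsql.instances.update that sets sslMode, else None."""
    payload = entry.get("protoPayload") or {}
    if payload.get("methodName") != "cloudsql.instances.update":
        return None
    request = payload.get("request") or {}
    settings = request.get("settings") or {}
    ip_config = settings.get("ipConfiguration") or {}
    ssl_mode = ip_config.get("sslMode")
    if ssl_mode is None:
        return None  # update did not change SSL enforcement
    auth = payload.get("authenticationInfo") or {}
    return {
        "timestamp": entry.get("timestamp"),
        "principal": auth.get("principalEmail", "<unknown>"),
        "resource": payload.get("resourceName", "<unknown>"),
        "ssl_mode": ssl_mode,
    }


def ssl_mode_changes(lines: Iterable[str]) -> List[dict]:
    """Parse JSON log lines and return every update that set sslMode (any value)."""
    changes = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the review
        change = extract_ssl_mode_change(entry)
        if change is not None:
            changes.append(change)
    return changes


def find_ssl_enforcement_disabled(lines: Iterable[str]) -> List[dict]:
    """Return only the updates that weakened sslMode to ALLOW_UNENCRYPTED_AND_ENCRYPTED."""
    return [c for c in ssl_mode_changes(lines) if c["ssl_mode"] == UNENFORCED]


if __name__ == "__main__":
    for finding in find_ssl_enforcement_disabled(SAMPLE_LOG_LINES):
        print(f"{finding['timestamp']} {finding['principal']} disabled SSL "
              f"enforcement on {finding['resource']} (sslMode={finding['ssl_mode']})")
```

Each finding carries the principal and instance needed to decide whether the change was authorized and which credentials to rotate. Note that the filter keys on the sslMode value present in the request body; an update that omits ipConfiguration entirely (the third sample entry) is not reported, because such a request leaves enforcement unchanged.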