
Quick Start Security for GCP Cloud SQL


Out-of-the-Box Security For GCP Cloud SQL Includes:

Alerts - 8

Stay on top of GCP Cloud SQL key performance metrics. Keep everyone in the know through integrations with Slack, PagerDuty and more.

Database Export by New User

This alert gets triggered when a bulk database data export command is executed by a user who has not been seen in the last 1 month. Each SQL database data export consists of one or more rows to be exported into the table in the target database. Each row in the data export will be added to the table, update an existing row in the table, or be ignored.

Impact
Examine and confirm the data export event carefully, including the destination bucket, the data type, the user access levels granted on the destination bucket, and the security controls currently in place. The alert merits heightened scrutiny when the user is new according to the past month of historical data, or has never been seen before at all, since the account could belong to an attacker or to a recently added user.

Mitigation
Inspect the destination buckets and the newly assigned user to confirm that the data is secure. Verify the user's permissions and review their authorization request, ensuring it gives a valid justification for why the data export is necessary. Proceed with subsequent actions as warranted. If no valid justification is furnished, halt the data export process.

MITRE Tactic: TA0010
MITRE Technique: T1537

Multiple Database Instances Deleted

This alert gets triggered when multiple database instances are deleted. Note: in this alert the threshold is set to more than 5 databases in 20 minutes. Feel free to modify it to suit your business environment.

Impact
The MySQL instance stores a wide range of data, encompassing both business-critical information and test data used for quality assurance. Mass deletion suggests a potential issue, or it may be legitimate activity carried out by the team as part of a scheduled sunset process. Deleting an instance can permanently destroy the database and its records, which could significantly disrupt your organization's operations, erode customer trust and safety, and affect connected applications.

Mitigation
A Cloud SQL instance can be deleted either through the gcloud CLI or through the API. Please note: before proceeding with deletion, ensure it is safe to do so, and verify that deletion protection is disabled for the instance. Since this appears to be a bulk deletion, reach out to the user and request a business justification, taking into account the type of instance being deleted. Then take appropriate action based on the justification provided.

MITRE Tactic: TA0040
MITRE Technique: T1489
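As an added example (not Coralogix's own alert logic), the following Python reproduces the detection rule described above over constructed Cloud Audit Log lines: a sliding 20-minute window over cloudsql.instances.delete events that raises one finding when more than 5 deletions land inside it. The log shape (timestamp, protoPayload.methodName, protoPayload.authenticationInfo.principalEmail, protoPayload.resourceName) follows Cloud Audit Logs for the Cloud SQL Admin API as I understand them; the sample lines, project name, principals and instance names are all constructed.

```python
import json
from collections import deque
from datetime import datetime, timedelta

DELETE_METHOD = "cloudsql.instances.delete"   # Admin Activity audit-log method name (assumed)
THRESHOLD = 5                                  # the page's "more than 5 databases"
WINDOW = timedelta(minutes=20)                 # the page's "in 20 minutes"


def _entry(ts, method, principal, resource):
    """Build one constructed audit-log line carrying only the fields the check reads."""
    return json.dumps({
        "timestamp": ts,
        "protoPayload": {
            "methodName": method,
            "authenticationInfo": {"principalEmail": principal},
            "resourceName": resource,
        },
    })


# Constructed sample: one stale delete an hour earlier (falls outside the window),
# seven deletes by alice and one by bob inside twelve minutes, and an export as noise.
SAMPLE_LOG_LINES = [
    _entry("2024-05-01T09:00:00Z", DELETE_METHOD, "alice@example.com", "projects/demo-proj/instances/db-00"),
    _entry("2024-05-01T10:00:00Z", DELETE_METHOD, "alice@example.com", "projects/demo-proj/instances/db-01"),
    _entry("2024-05-01T10:02:00Z", DELETE_METHOD, "alice@example.com", "projects/demo-proj/instances/db-02"),
    _entry("2024-05-01T10:03:00Z", "cloudsql.instances.export", "alice@example.com", "projects/demo-proj/instances/db-09"),
    _entry("2024-05-01T10:04:00Z", DELETE_METHOD, "alice@example.com", "projects/demo-proj/instances/db-03"),
    _entry("2024-05-01T10:05:00Z", DELETE_METHOD, "bob@example.com", "projects/demo-proj/instances/db-08"),
    _entry("2024-05-01T10:06:00Z", DELETE_METHOD, "alice@example.com", "projects/demo-proj/instances/db-04"),
    _entry("2024-05-01T10:08:00Z", DELETE_METHOD, "alice@example.com", "projects/demo-proj/instances/db-05"),
    _entry("2024-05-01T10:10:00Z", DELETE_METHOD, "alice@example.com", "projects/demo-proj/instances/db-06"),
    _entry("2024-05-01T10:12:00Z", DELETE_METHOD, "alice@example.com", "projects/demo-proj/instances/db-07"),
]


def parse_entry(line):
    """Reduce one JSON audit-log line to the fields the rule needs."""
    entry = json.loads(line)
    payload = entry["protoPayload"]
    return {
        "ts": datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00")),
        "method": payload["methodName"],
        "principal": payload["authenticationInfo"]["principalEmail"],
        "resource": payload["resourceName"],
    }


def find_delete_bursts(lines, threshold=THRESHOLD, window=WINDOW):
    """Return one finding per burst of more than `threshold` instance deletions
    inside any `window`-long interval. Deletes are processed in time order and a
    deque holds the ones still inside the window ending at the current event."""
    deletes = sorted(
        (e for e in map(parse_entry, lines) if e["method"] == DELETE_METHOD),
        key=lambda e: e["ts"],
    )
    recent = deque()
    findings = []
    in_burst = False
    for ev in deletes:
        recent.append(ev)
        while ev["ts"] - recent[0]["ts"] > window:   # drop deletes older than the window
            recent.popleft()
        if len(recent) > threshold:
            finding = {
                "count": len(recent),
                "window_start": recent[0]["ts"].isoformat(),
                "window_end": ev["ts"].isoformat(),
                "principals": sorted({e["principal"] for e in recent}),
                "instances": [e["resource"] for e in recent],
            }
            if in_burst:
                findings[-1] = finding   # grow the open burst rather than re-alerting
            else:
                findings.append(finding)
                in_burst = True
        else:
            in_burst = False
    return findings


if __name__ == "__main__":
    for f in find_delete_bursts(SAMPLE_LOG_LINES):
        print(f"{f['count']} instance deletions between {f['window_start']} and "
              f"{f['window_end']} by {', '.join(f['principals'])}")
```

The window is global rather than per user, matching the page's threshold, so a burst spread across several accounts is still caught; the finding lists every principal involved so the follow-up (contacting the user for a business justification) has the right names. Grouping by principal instead is a one-line change to the deque key.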

Database Backup Was Deleted

This alert gets triggered when a SQL database backup is deleted by a user. By default, Cloud SQL retains seven automated backups for each instance, in addition to on-demand backups. You can configure how many automated backups to retain (from 1 to 365). Backup storage is charged at a lower rate than other instance storage. You can retain more than seven automated backups, but not fewer.

Impact
A database backup is crucial when the primary data is lost or unavailable. Deleting the backups of critical and production databases removes the last resort for reaching the data if the primary database is deleted, inaccessible, or altered. The resulting data unavailability could significantly harm the organization's reputation, client trust, and business continuity, especially in the event of a ransomware attack.

Mitigation
Ensure that backups are consistently enabled for production and critical databases. If this happens to a genuine database, reach out to the user and attempt to restore the backup if feasible. Additionally, restrict permissions for such critical changes to administrators only.

MITRE Tactic: TA0040
MITRE Technique: T1485

MySQL Database Launched Without Password Policy

This alert gets triggered when a MySQL database is launched without a password policy. A password policy for an instance can include the following options:
Minimum length: the minimum number of characters the password must have.
Password complexity: whether the password must combine lowercase, uppercase, numeric, and non-alphanumeric characters.
Note: if you need more genuine and critical alerts, whitelist the QA and sandbox labels in the query so that it triggers only for production databases.

Impact
Implementing a password policy enhances database security by allowing administrators to define the required password complexity. Without a password in place, any user within the project can access the database, even if deletion or editing permissions are limited. Consequently, the absence of such a policy poses several threats, including unauthorized access, compromised data confidentiality, and increased accessibility.

Mitigation
Examine the database type and its associated details. If it appears to be a critical or production database, contact the user and ask them to adjust the settings to enforce a complex password as per the password policy. If there is a valid business justification and it is not a critical database, you may close the case.

MITRE Tactic: TA0005
MITRE Technique: T1578

Delete Protection Disabled for Existing Database

This alert gets triggered when delete protection is disabled for an existing database on which the protection was enabled earlier and has now been turned off. Note: for finer tuning, add labels to the production and critical databases so that events from QA and sandbox databases can be ignored.

Impact
This occurrence could endanger your critical and production databases, which then lack the additional layer of confirmation for database deletion. Consequently, it could lead to data loss, disruptions in business operations, loss of client data, damage to reputation, and potential regulatory consequences.

Mitigation
Delete protection enhances the security of critical databases by requiring confirmation even when a user unintentionally or intentionally attempts to delete them. Therefore, when this protection is disabled, reach out to the user for verification and ensure that the database is not in use before proceeding with the change.

MITRE Tactic: TA0005
MITRE Technique: T1578

Instance Data Export Query Launched

This alert gets triggered when a bulk database data export command is executed by a user. Each SQL database data export consists of one or more rows to be exported into the table in the target database. Each row in the data export will be added to the table, update an existing row in the table, or be ignored.

Impact
Review and verify the data export event thoroughly, including the destination bucket, the data type, the user access levels assigned to the destination bucket, and the existing security measures. A misconfiguration or a wrong destination could pose a significant security risk to your critical databases and their data. If any unauthorized users are found to have access to the destination bucket, data confidentiality and integrity are further compromised.

Mitigation
Examine the destination buckets and the users assigned to them to ensure the data is secure. Request a valid justification for why the data export is necessary, and proceed with the next steps accordingly. If no valid justification is provided, cease the data export process.

MITRE Tactic: TA0010
MITRE Technique: T1537
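The following Python is an added example, not Coralogix's alert logic, covering both export alerts above: it lists every cloudsql.instances.export event from constructed audit-log lines with the destination bucket the reviewer is told to inspect, and marks the principal as new when no activity from that account appears in the preceding 30 days of history (the "unseen in the last 1 month" condition of the Database Export by New User alert). The event shape and the location of the destination URI (protoPayload.request.body.exportContext.uri) follow the Cloud SQL Admin API audit logs as I understand them and should be treated as assumptions; the principals, project, buckets and timestamps are constructed.

```python
import json
from datetime import datetime, timedelta

EXPORT_METHOD = "cloudsql.instances.export"   # Admin Activity audit-log method name (assumed)
LOOKBACK = timedelta(days=30)                  # the page's "unseen in the last 1 month"


def _entry(ts, method, principal, resource, uri=None):
    """Build one constructed audit-log line; export events carry the destination URI."""
    payload = {
        "methodName": method,
        "authenticationInfo": {"principalEmail": principal},
        "resourceName": resource,
    }
    if uri is not None:
        payload["request"] = {"body": {"exportContext": {"uri": uri}}}   # assumed location
    return json.dumps({"timestamp": ts, "protoPayload": payload})


# Constructed history: carol was active 19 days before her export, dave has never
# appeared before his, and erin's last activity is 40 days before hers.
SAMPLE_LOG_LINES = [
    _entry("2024-04-12T08:00:00Z", "cloudsql.instances.get", "carol@example.com", "projects/demo-proj/instances/db-01"),
    _entry("2024-05-01T09:00:00Z", EXPORT_METHOD, "carol@example.com", "projects/demo-proj/instances/db-01",
           "gs://demo-exports/db-01.sql.gz"),
    _entry("2024-05-02T09:00:00Z", EXPORT_METHOD, "dave@example.com", "projects/demo-proj/instances/db-02",
           "gs://unknown-bucket/dump.sql"),
    _entry("2024-03-23T09:00:00Z", "cloudsql.instances.list", "erin@example.com", "projects/demo-proj"),
    _entry("2024-05-02T10:00:00Z", EXPORT_METHOD, "erin@example.com", "projects/demo-proj/instances/db-03",
           "gs://demo-exports/db-03.csv"),
]


def parse_entry(line):
    """Reduce one JSON audit-log line to the fields the rule needs."""
    entry = json.loads(line)
    payload = entry["protoPayload"]
    uri = payload.get("request", {}).get("body", {}).get("exportContext", {}).get("uri")
    return {
        "ts": datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00")),
        "method": payload["methodName"],
        "principal": payload["authenticationInfo"]["principalEmail"],
        "resource": payload["resourceName"],
        "uri": uri,
    }


def bucket_of(uri):
    """Destination bucket of a gs://bucket/object URI, or None when absent or malformed."""
    if not uri or not uri.startswith("gs://"):
        return None
    return uri[len("gs://"):].split("/", 1)[0]


def find_exports(lines, lookback=LOOKBACK):
    """Return one finding per export event, flagging principals with no activity
    of any kind inside `lookback` before the export (new or long-dormant accounts)."""
    events = sorted(map(parse_entry, lines), key=lambda e: e["ts"])
    activity = {}   # principal -> timestamps of all earlier activity
    findings = []
    for ev in events:
        if ev["method"] == EXPORT_METHOD:
            prior = activity.get(ev["principal"], [])
            seen_recently = any(ev["ts"] - lookback <= t < ev["ts"] for t in prior)
            findings.append({
                "time": ev["ts"].isoformat(),
                "principal": ev["principal"],
                "instance": ev["resource"],
                "destination_bucket": bucket_of(ev["uri"]),
                "new_user": not seen_recently,
            })
        activity.setdefault(ev["principal"], []).append(ev["ts"])
    return findings


if __name__ == "__main__":
    for f in find_exports(SAMPLE_LOG_LINES):
        tag = "NEW USER" if f["new_user"] else "known user"
        print(f"{f['time']} {f['principal']} exported {f['instance']} to bucket "
              f"{f['destination_bucket']} [{tag}]")
```

Every export is reported, which is the Instance Data Export Query Launched alert; the new_user flag is what escalates it to the Database Export by New User case. Counting any activity, not only exports, toward the baseline keeps a long-standing administrator's first export from being treated as an unknown account, while an account dormant for longer than the lookback is flagged again.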

SQL Instance Launched Without Delete Protection

This alert gets triggered when an SQL instance is launched without database deletion protection. This configuration poses a potential risk to your database and its data, as it allows a user or administrator to delete the database at any time without restriction. Note: if you need more genuine and critical alerts, whitelist the QA and sandbox labels in the query so that it triggers only for production databases.

Impact
This occurrence could jeopardize your critical and production databases, since no additional layer of confirmation is required to delete them. Consequently, you might face data loss, disruptions to business operations, loss of client data, damage to reputation, and potential regulatory consequences.

Mitigation
Enabling delete protection enhances the security of critical databases by prompting users to confirm any delete action, whether accidental or intentional. Therefore, filter this query for production databases and ensure that delete protection is enabled for critical and production databases. Furthermore, consider keeping automatic backups enabled for critical databases at all times.

MITRE Tactic: TA0040
MITRE Technique: T1485
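The three configuration alerts above (MySQL Database Launched Without Password Policy, Delete Protection Disabled for Existing Database, SQL Instance Launched Without Delete Protection) all come down to two settings on the instance. As an added example, not part of the page or of Coralogix's alerts, the following Python audits instance descriptions in the shape of the Cloud SQL Admin API DatabaseInstance resource (as returned by gcloud sql instances describe --format=json), flagging production instances that lack deletion protection and MySQL instances without a usable password policy, and skipping instances whose labels mark them as QA or sandbox, as the notes on the page suggest. The field names (settings.deletionProtectionEnabled, settings.passwordValidationPolicy with enablePasswordPolicy, minLength and complexity, settings.userLabels) are my understanding of that API and should be treated as assumptions; the instances themselves are constructed.

```python
# Constructed instance descriptions, trimmed to the fields the checks read.
SAMPLE_INSTANCES = [
    {"name": "orders-prod", "databaseVersion": "MYSQL_8_0",
     "settings": {"userLabels": {"env": "prod"},
                  "deletionProtectionEnabled": False}},
    {"name": "orders-prod-replica", "databaseVersion": "MYSQL_8_0",
     "settings": {"userLabels": {"env": "prod"},
                  "deletionProtectionEnabled": True,
                  # policy switched on but with no length or complexity rule
                  "passwordValidationPolicy": {"enablePasswordPolicy": True}}},
    {"name": "orders-qa", "databaseVersion": "MYSQL_8_0",
     "settings": {"userLabels": {"env": "qa"},
                  "deletionProtectionEnabled": False}},
    {"name": "billing-prod", "databaseVersion": "POSTGRES_15",
     "settings": {"userLabels": {"env": "prod"},
                  "deletionProtectionEnabled": True}},
]

# Label values treated as non-production; the page suggests excluding QA and sandbox.
NON_PRODUCTION_ENVS = {"qa", "sandbox"}


def is_production(instance):
    """An instance is production unless its 'env' label says otherwise (assumed label key)."""
    labels = instance.get("settings", {}).get("userLabels", {})
    return labels.get("env", "").lower() not in NON_PRODUCTION_ENVS


def check_deletion_protection(instance):
    """Flag instances that can be deleted without the extra confirmation step."""
    if instance.get("settings", {}).get("deletionProtectionEnabled", False):
        return None
    return "deletion protection disabled"


def check_password_policy(instance):
    """Flag MySQL instances with no password policy, or one that enforces nothing."""
    if not instance.get("databaseVersion", "").startswith("MYSQL"):
        return None   # the page's alert is scoped to MySQL
    policy = instance.get("settings", {}).get("passwordValidationPolicy") or {}
    if not policy.get("enablePasswordPolicy"):
        return "no password policy"
    if "minLength" not in policy and "complexity" not in policy:
        return "password policy sets neither minimum length nor complexity"
    return None


def audit_instances(instances, production_only=True):
    """Run both checks and return (instance name, problem) pairs."""
    findings = []
    for inst in instances:
        if production_only and not is_production(inst):
            continue
        for check in (check_deletion_protection, check_password_policy):
            problem = check(inst)
            if problem:
                findings.append((inst["name"], problem))
    return findings


if __name__ == "__main__":
    for name, problem in audit_instances(SAMPLE_INSTANCES):
        print(f"{name}: {problem}")
```

Run against real output it would take a JSON list from the Admin API or gcloud instead of SAMPLE_INSTANCES. Checking current state complements the event-driven alerts: the alerts catch the moment protection is disabled or an instance is created without it, while a periodic audit catches instances that were already in that state before monitoring started.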

No Logs From Cloud SQL in Last 12 Hours

This alert gets triggered when no logs have been received from Cloud SQL in the last 12 hours.

Impact
This situation may arise from an integration issue, or it may indicate a lack of activity from the relevant log service. Receiving no logs for 12 hours affects your security operations and log monitoring: during this period, critical events might have occurred unnoticed, potentially allowing attackers to exploit any security gaps. Examples of such activities include privilege escalation, data exfiltration, unusual behavior, and data import/export.

Mitigation
Examine the most recent logs received from Cloud SQL to confirm whether the integration is set up correctly. Also verify whether there have simply been no recent events from Cloud SQL. If not, reach out to the engineering team to reconfigure the integration and pinpoint the underlying issue so that logs begin to flow as expected.

MITRE Tactic: TA0005
MITRE Technique: T1562

Documentation

Learn more about Coralogix's out-of-the-box integration with GCP Cloud SQL in our documentation.
