🔷 CIS GCP 6.1 | Rule: GCP-SQL-001 | Severity: critical

Ensure Cloud SQL instances are not publicly accessible

Description

Cloud SQL instances should not have public IP addresses enabled.

⚠️ Risk Impact

Public SQL instances are directly exposed to the internet, enabling brute-force attacks, SQL injection from any source, and data exfiltration.

🔍 How EchelonGraph Detects This

GCP-SQL-001 (automated scanner rule)

EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected Google Cloud accounts. Violations are flagged as critical-severity findings with remediation guidance.

🖥️ Manual Verification

terminal
gcloud sql instances list --format='table(name,settings.ipConfiguration.ipv4Enabled,settings.ipConfiguration.authorizedNetworks)'

🔧 Remediation

Disable the public IP and use a private IP reachable over VPC peering (Private Services Access). Route application connections through the Cloud SQL Auth Proxy rather than connecting to the instance address directly.

💀 Real-World Attack Scenario

A Cloud SQL PostgreSQL instance with a public IP was discovered via Shodan. The attacker exploited a weak database password and accessed the production database containing 1.2M customer records. They installed a persistent backdoor via a PostgreSQL extension and exfiltrated data nightly for 6 months.

💰 Cost of Non-Compliance

Average database breach cost: $4.88M. HIPAA penalty for exposed ePHI via public database: up to $1.9M/year. PCI DSS non-compliance fine for public CDE database: $5K-$100K/month.

📋 Audit Questions

  1. List all Cloud SQL instances with public IP enabled.
  2. What authorized networks are configured?
  3. Are any instances using 0.0.0.0/0 as an authorized network?
  4. Is Cloud SQL Auth Proxy deployed for all application connections?
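The manual check above and audit questions 1 to 3 can be answered from the JSON that `gcloud sql instances list --format=json` prints. The script below is an added example, not EchelonGraph's scanner code: it parses that JSON, flags any instance with `ipv4Enabled` set or with an authorized network that admits the whole internet, and attaches the `gcloud sql instances patch` flags that disable the public address and clear the authorized-network list. The two instances in `SAMPLE_JSON` are constructed to mirror the Cloud SQL Admin API shape, not real output, and `<VPC_NETWORK>` is a placeholder for your own VPC resource path.

```python
"""Added example (not EchelonGraph code): audit Cloud SQL instances for public
exposure from the JSON that `gcloud sql instances list --format=json` emits.

SAMPLE_JSON is constructed to mirror the Cloud SQL Admin API instance shape;
it is not real output from any project.
"""
import ipaddress
import json
from typing import Any

# Constructed sample: one private-only instance, one public and wide open.
SAMPLE_JSON = json.dumps([
    {
        "name": "orders-db",
        "settings": {
            "ipConfiguration": {
                "ipv4Enabled": False,
                "privateNetwork": "projects/example-proj/global/networks/prod-vpc",
                "authorizedNetworks": [],
            }
        },
        "ipAddresses": [{"type": "PRIVATE", "ipAddress": "10.20.0.5"}],
    },
    {
        "name": "legacy-reporting",
        "settings": {
            "ipConfiguration": {
                "ipv4Enabled": True,
                "authorizedNetworks": [
                    {"kind": "sql#aclEntry", "name": "office", "value": "203.0.113.0/24"},
                    {"kind": "sql#aclEntry", "name": "debug", "value": "0.0.0.0/0"},
                ],
            }
        },
        "ipAddresses": [{"type": "PRIMARY", "ipAddress": "198.51.100.7"}],
    },
])


def is_world_open(cidr: str) -> bool:
    """True when an authorized-network entry admits every IPv4 or IPv6 address
    (0.0.0.0/0 or ::/0). Unparseable values are reported as not open."""
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False
    return net.prefixlen == 0


def audit_instances(instances: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Return one critical finding per instance that violates the control:
    a public IPv4 address, or an authorized network open to the world."""
    findings = []
    for inst in instances:
        ip_cfg = inst.get("settings", {}).get("ipConfiguration", {})
        reasons = []
        if ip_cfg.get("ipv4Enabled"):
            reasons.append("public IPv4 address enabled")
        open_nets = [n["value"] for n in ip_cfg.get("authorizedNetworks", [])
                     if is_world_open(n.get("value", ""))]
        if open_nets:
            reasons.append("authorized network open to the world: " + ", ".join(open_nets))
        if reasons:
            findings.append({
                "instance": inst["name"],
                "severity": "critical",
                "private_network_attached": bool(ip_cfg.get("privateNetwork")),
                "reasons": reasons,
                # <VPC_NETWORK> is a placeholder for your VPC resource path.
                "remediation": (
                    f"gcloud sql instances patch {inst['name']} "
                    "--no-assign-ip --clear-authorized-networks "
                    "--network=<VPC_NETWORK>"
                ),
            })
    return findings


def audit_json(raw: str) -> list[dict[str, Any]]:
    """Parse raw `gcloud ... --format=json` output and audit it."""
    return audit_instances(json.loads(raw))


if __name__ == "__main__":
    for f in audit_json(SAMPLE_JSON):
        print(f"{f['severity'].upper()} {f['instance']}: {'; '.join(f['reasons'])}")
        print(f"  fix: {f['remediation']}")
```

In practice pipe the real listing in with `gcloud sql instances list --format=json | python3 audit_sql.py` (reading stdin instead of `SAMPLE_JSON`); the `private_network_attached` field tells you whether the instance already has a private path so that `--no-assign-ip` will not cut off all connectivity.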

🎯 MITRE ATT&CK Mapping

  • T1190 — Exploit Public-Facing Application
  • T1110 — Brute Force
  • T1505.001 — SQL Stored Procedures

🏗️ Infrastructure as Code Fix

main.tf
# The VPC referenced below must already have a Private Services Access
# connection so that Cloud SQL can allocate a private IP inside it.
resource "google_compute_network" "vpc" {
  name = "production-vpc"
}

resource "google_sql_database_instance" "main" {
  name             = "production-db"
  database_version = "POSTGRES_15"
  settings {
    tier = "db-custom-2-7680" # machine tier is required by the provider
    ip_configuration {
      ipv4_enabled    = false                          # no public IPv4 address
      private_network = google_compute_network.vpc.id # private IP inside the VPC
    }
  }
}

⚡ Common Pitfalls

  • Enabling public IP 'temporarily' for data migration and forgetting to disable it
  • Adding 0.0.0.0/0 to authorized networks for quick debugging
  • Not using Cloud SQL Auth Proxy, requiring direct IP connectivity

📈 Business Value

Private-only database access eliminates the entire class of internet-facing database attacks. Combined with Cloud SQL Auth Proxy, it provides IAM-based authentication without managing database passwords.

⏱️ Effort Estimate

Manual

2-4 hours to migrate from public to private IP per instance

With EchelonGraph

EchelonGraph detects public SQL instances in real-time across all projects

🔗 Cross-Framework References

  • SOC2-CC6.6
  • ISO27001-A.13.1.3
  • PCI-1.3.6
  • HIPAA-164.312(e)(1)
