🔷 CIS GCP 6.3 | Rule: GCP-SQL-003 | Severity: high

Ensure Cloud SQL requires SSL/TLS connections

Description

All Cloud SQL connections must use SSL/TLS encryption.

⚠️ Risk Impact

Unencrypted database connections expose queries and data to network sniffing and man-in-the-middle attacks.

🔍 How EchelonGraph Detects This

GCP-SQL-003 (automated scanner rule)

EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected Google Cloud accounts. Violations are flagged as high-severity findings with remediation guidance.

🖥️ Manual Verification

terminal
gcloud sql instances describe INSTANCE --format='value(settings.ipConfiguration.requireSsl)'

🔧 Remediation

Enforce SSL: gcloud sql instances patch INSTANCE --require-ssl

💀 Real-World Attack Scenario

An attacker who gained access to a VPC through a compromised VM used tcpdump to capture unencrypted database traffic. Over 48 hours, they harvested SQL query results containing customer PII, payment tokens, and session data — all transmitted in plaintext between the application server and Cloud SQL.

💰 Cost of Non-Compliance

PCI DSS non-compliance for unencrypted cardholder data in transit: $5K-$100K/month in fines. HIPAA violation for unencrypted ePHI: $100K-$1.5M per violation category.

📋 Audit Questions

  1. Is SSL/TLS required for all Cloud SQL instances?
  2. What TLS version is enforced?
  3. Are client certificates required or just server-side SSL?
  4. How do you verify applications are actually using SSL connections?

🎯 MITRE ATT&CK Mapping

T1040 — Network Sniffing
T1557 — Adversary-in-the-Middle

🏗️ Infrastructure as Code Fix

main.tf
resource "google_sql_database_instance" "main" {
  # database_version and settings.tier are required by the provider; the values are illustrative
  database_version = "POSTGRES_15"
  settings {
    tier = "db-f1-micro"
    ip_configuration {
      # ENCRYPTED_ONLY rejects plaintext sessions; require_ssl is the older boolean form
      # and must agree with ssl_mode when both are set
      require_ssl = true
      ssl_mode    = "ENCRYPTED_ONLY"
    }
  }
}

⚡ Common Pitfalls

  • Requiring SSL but not enforcing TLS 1.2 as the minimum protocol version
  • Not updating application connection strings to use SSL after enabling the requirement
  • Ignoring SSL certificate expiration and renewal
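The manual check above covers one instance at a time; the script below, an added example rather than EchelonGraph's scanner code, evaluates every instance in a project from the JSON that gcloud returns, treating either ssl_mode ENCRYPTED_ONLY / TRUSTED_CLIENT_CERTIFICATE_REQUIRED or, on older responses, requireSsl=true as enforcing. The embedded instance list is a constructed sample; the gcloud call in scan_project assumes an authenticated gcloud on the path.

```python
# Flags Cloud SQL instances that still accept plaintext connections, from the JSON
# that `gcloud sql instances list --format=json` returns (or the embedded sample).
import json
import subprocess

# sslMode values that reject plaintext sessions (Cloud SQL Admin API enum).
ENFORCING_MODES = {"ENCRYPTED_ONLY", "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"}

def ssl_enforced(instance: dict) -> bool:
    """True when the instance refuses non-TLS client connections."""
    ip_cfg = instance.get("settings", {}).get("ipConfiguration", {})
    ssl_mode = ip_cfg.get("sslMode")
    if ssl_mode is not None:
        return ssl_mode in ENFORCING_MODES
    # Older API responses carry only the boolean requireSsl.
    return ip_cfg.get("requireSsl") is True

def find_unencrypted(instances: list) -> list:
    """Return (name, sslMode or requireSsl value) for each non-compliant instance."""
    findings = []
    for inst in instances:
        if not ssl_enforced(inst):
            ip_cfg = inst.get("settings", {}).get("ipConfiguration", {})
            mode = ip_cfg.get("sslMode", f"requireSsl={ip_cfg.get('requireSsl')}")
            findings.append((inst.get("name", "<unnamed>"), mode))
    return findings

def scan_project(project: str) -> list:
    """Live check: shells out to an authenticated gcloud for one project."""
    out = subprocess.run(
        ["gcloud", "sql", "instances", "list", "--project", project, "--format=json"],
        check=True, capture_output=True, text=True).stdout
    return find_unencrypted(json.loads(out))

# Constructed sample mirroring the shape of gcloud's JSON output.
SAMPLE = json.loads("""[
  {"name": "orders-db", "settings": {"ipConfiguration": {"sslMode": "ENCRYPTED_ONLY", "requireSsl": true}}},
  {"name": "legacy-db", "settings": {"ipConfiguration": {"sslMode": "ALLOW_UNENCRYPTED_AND_ENCRYPTED"}}},
  {"name": "old-api-db", "settings": {"ipConfiguration": {"requireSsl": true}}},
  {"name": "bare-db", "settings": {"ipConfiguration": {}}}
]""")

if __name__ == "__main__":
    for name, mode in find_unencrypted(SAMPLE):
        print(f"NON-COMPLIANT {name}: {mode}")
```

An instance with no ipConfiguration at all is reported as non-compliant rather than skipped, so a silently missing setting still surfaces in the findings.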

📈 Business Value

Encrypted database connections prevent data interception even if network access is compromised. This is a foundational control required by PCI DSS, HIPAA, and virtually all compliance frameworks.

⏱️ Effort Estimate

Manual

1-2 hours per instance including application connection string updates

With EchelonGraph

EchelonGraph monitors SSL enforcement status across all databases

🔗 Cross-Framework References

SOC2-CC6.7, ISO27001-A.10.1.1, PCI-4.1

Automate CIS GCP 6.3 compliance

EchelonGraph continuously monitors this control across all your cloud accounts.