gcloud sql 漏洞列表

Ensure that the Automatic Storage Increase feature is enabled for your production Google Cloud SQL database instances. This feature prevents database servers from running out of storage space and becoming read-only, disrupting normal operations. When a database instance runs out of available space, it can drop existing connections and cause downtime, potentially violating the Google Cloud SQL Service Level Agreement (SLA).

Ensure that an optimal limit is configured for the Automatic Storage Increase feature within your Cloud SQL database instance settings to avoid unexpected charges on your Google Cloud bill. Having no limit or an excessively high limit for this feature can lead to unplanned costs.

Ensure that automated (scheduled) backups are created for all Cloud SQL database instances available within your Google Cloud Platform (GCP) account, in order to protect against data deletion and/or data corruption.

Ensure that your Google Cloud SQL database instances are encrypted with Customer-Managed Keys (CMKs) in order to have a fine control over your data encryption and decryption process. You can create and manage your own Customer-Managed Keys (CMKs) with Cloud Key Management Service (Cloud KMS). Cloud KMS provides secure and efficient encryption key management, controlled key rotation, and revocation mechanisms.

Ensure that the "contained database authentication" database flag is disabled for your Google Cloud SQL Server database instances. This flag, when enabled, allows databases to contain their authentication and can potentially lead to security vulnerabilities.

Ensure that the "cross db ownership chaining" database flag is disabled for your Google Cloud SQL Server database instances. This flag, when enabled, can potentially introduce security risks by allowing cross-database access without explicit permissions.

Ensure that the external scripts enabled database flag is turned off for your Google Cloud SQL Server database instances in order to disable the execution of scripts with certain remote language extensions.

Ensure that all your production and mission-critical Google Cloud SQL database instances are configured for High Availability (HA) and automatic failover support. Configuring HA ensures database reliability and minimizes downtime in the event of an outage.

Ensure that the "log_checkpoints" database flag is enabled for your Google Cloud PostgreSQL database instances. The "log_checkpoints" flag allows checkpoints and restart points to be logged and included within the PostgreSQL server log.

Ensure that the "cloudsql.enable_pgaudit" and "pgaudit.log" database flags are enabled for your Google Cloud PostgreSQL server instances to enable database auditing. These configurations are crucial for compliance with government, financial, and ISO certifications.

Ensure that your Google Cloud SQL database instances are configured to accept connections only from trusted networks and IP addresses. Publicly accessible instances may expose sensitive data to unauthorized access.

Ensure that the "skip_show_database" database flag is enabled for your Google Cloud MySQL database instances in order to prevent users from using the SHOW DATABASES statement if they don't have this privilege.

Ensure that all incoming connections to your Cloud SQL database instances are encrypted with SSL/TLS to protect against eavesdropping and unauthorized access. The SSL enforcement mode must be set to "ENCRYPTED_ONLY" to enforce secure connections.

Ensure that the 3625 trace flag is turned off for all your Google Cloud SQL Server database instances to follow security best practices. Trace flag 3625 controls the format of certain error messages, which may reveal sensitive information if enabled.