Ensure that Cloud SQL Database Instances Are Not Wide Open to the Internet.
The database is a critical part of your application. It holds the data that matters most, which makes it a natural target for attackers. A Cloud SQL instance can also be a source of further compromise: the credentials, tokens or other secrets stored in it are often enough to reach other parts of your infrastructure.
To ensure that your Cloud SQL database instances are not wide open to the Internet:
- Enforce access control on every instance by creating separate database users with only the privileges each application needs (for example, read-only for a reporting job), rather than sharing the built-in administrative account (root or postgres). If one credential leaks, the damage is limited to what that user may do.
- Restrict network access. Do not add 0.0.0.0/0 (or ::/0) to the instance's authorized networks, prefer a private IP inside your VPC over a public address, and require TLS for any connection that does cross the public IP. Note that these controls govern who can open a connection to the database; they do nothing against SQL injection or cross-site scripting, which arrive through your application and must be fixed there (parameterized queries, output encoding).
- Give someone clear ownership of Cloud SQL configuration: one or more engineers who understand the instance settings (IP configuration, authorized networks, TLS, users) and review them regularly, so that a temporary exception does not quietly become permanent.
If clients outside the VPC need to reach the instance, there are still ways to avoid exposing it directly to the Internet. For example:
- Connect over Cloud VPN or Interconnect to the instance's private IP. The database then never needs a public address, and traffic stays on an internal path instead of crossing the Internet.
- Cloud SQL is a managed service, so you cannot add iptables rules on the database host yourself. The equivalents are authorized networks (narrow CIDR ranges, with an expiration time for temporary access) and the Cloud SQL Auth Proxy, which authenticates callers with IAM and wraps every connection in TLS.
- Against volumetric (DDoS) attacks, the most effective measure is not to have a public address at all: an instance that is reachable only on a private IP cannot be flooded from the Internet. A load balancer in front of the database is not a substitute; it cannot tell legitimate database sessions from abusive ones.
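The following script is an added example, not code from the original article or from CloudMatos; it turns the checks above into something you can run against your own inventory. It reads the JSON that `gcloud sql instances list --format=json` prints (a list of Cloud SQL Admin API DatabaseInstance objects) and inspects only `settings.ipConfiguration`: a public IPv4 address, an authorized network that admits the whole Internet, an overly broad range, missing TLS enforcement (the older `requireSsl` boolean or the newer `sslMode`), and a public-only instance with no private network. Expired `authorizedNetworks` entries no longer grant access and are skipped. The instance names, project path and addresses in `SAMPLE_INVENTORY` are constructed for the example.

```python
"""Audit Cloud SQL instances for Internet exposure (added example, not the
article's own code). Input: JSON from `gcloud sql instances list --format=json`.
SAMPLE_INVENTORY below is constructed; the project and network names are invented."""
import ipaddress
import json
import sys
from datetime import datetime, timezone

SAMPLE_INVENTORY = json.dumps([
    {"name": "prod-db",
     "settings": {"ipConfiguration": {
         "ipv4Enabled": True,
         "requireSsl": False,
         "authorizedNetworks": [{"name": "anywhere", "value": "0.0.0.0/0"}]}}},
    {"name": "analytics-db",
     "settings": {"ipConfiguration": {
         "ipv4Enabled": True,
         "sslMode": "ENCRYPTED_ONLY",
         "privateNetwork": "projects/example-project/global/networks/default",
         "authorizedNetworks": [
             {"name": "office", "value": "203.0.113.0/24"},
             # expired entries no longer grant access and must not be flagged
             {"name": "temp-debug", "value": "0.0.0.0/0",
              "expirationTime": "2023-01-01T00:00:00Z"}]}}},
    {"name": "internal-db",
     "settings": {"ipConfiguration": {
         "ipv4Enabled": False,
         "privateNetwork": "projects/example-project/global/networks/default"}}},
])
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock for the sample

TLS_ENFORCING_MODES = {"ENCRYPTED_ONLY", "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"}


def _expired(entry, now):
    """True if an authorizedNetworks entry carries an expirationTime in the past."""
    exp = entry.get("expirationTime")
    if not exp:
        return False
    return datetime.fromisoformat(exp.replace("Z", "+00:00")) <= now


def audit_instance(inst, now):
    """Return findings ({instance, severity, reason}) for one DatabaseInstance."""
    name = inst.get("name", "<unnamed>")
    cfg = inst.get("settings", {}).get("ipConfiguration", {})
    findings = []

    def add(severity, reason):
        findings.append({"instance": name, "severity": severity, "reason": reason})

    if not cfg.get("ipv4Enabled"):
        return findings  # private IP only: there is no public address to reach

    # TLS enforcement: older resources expose requireSsl, newer ones sslMode.
    if not (cfg.get("requireSsl") or cfg.get("sslMode") in TLS_ENFORCING_MODES):
        add("HIGH", "public IP accepts unencrypted connections (no requireSsl/sslMode)")

    for entry in cfg.get("authorizedNetworks", []):
        if _expired(entry, now):
            continue
        try:
            net = ipaddress.ip_network(entry.get("value", ""), strict=False)
        except ValueError:
            add("MEDIUM", f"unparseable authorized network {entry.get('value')!r}")
            continue
        if net.prefixlen == 0:
            add("CRITICAL", f"authorized network {net} admits the whole Internet")
        elif net.num_addresses > 256:
            add("MEDIUM", f"authorized network {net} is broad ({net.num_addresses} addresses)")

    if not cfg.get("privateNetwork"):
        add("LOW", "public IP is the only path; prefer private IP plus the Cloud SQL Auth Proxy")
    return findings


def audit_inventory(json_text, now=None):
    """Audit every instance in a `gcloud sql instances list --format=json` dump."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for inst in json.loads(json_text):
        findings.extend(audit_instance(inst, now))
    return findings


if __name__ == "__main__":
    # Pipe real output in, or run with no input to audit the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INVENTORY
    for f in audit_inventory(text):
        print(f"{f['severity']:8} {f['instance']}: {f['reason']}")
```

Run it as `gcloud sql instances list --format=json | python audit_cloudsql.py`. On the constructed sample, prod-db produces CRITICAL (0.0.0.0/0), HIGH (no TLS enforcement) and LOW (no private network), while analytics-db and internal-db produce nothing: the expired 0.0.0.0/0 entry is ignored, and a private-IP-only instance has no public surface to check. Severities are the author's choice for this example; adjust the 256-address threshold to your own policy.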
Logging and Audit Trails
Audit logs are usually discussed as something auditors and compliance officers need, and they are. But they are just as valuable to the engineers running the database.
An audit trail records who connected, from which address, and what they ran. That is how you notice that an instance was reachable from somewhere it should not have been, or that a credential is being used from an unexpected place. The same record is also useful for catching bugs: when something goes wrong, a sequence of the preceding events shows exactly where it went wrong.
In short, do not allow Cloud SQL database instances to be accessible from the Internet: keep them on a private IP where you can, reach them through the Cloud SQL Auth Proxy or a VPN where you cannot, require TLS, and review authorized networks and audit logs regularly. For more information visit our website, www.cloudmatos.com, and see how CloudMatos can help you.