SSL connections to a SQL database instance should be enforced.
Default Severity: high
Explanation
In-transit data should be encrypted so that if traffic is intercepted data will not be exposed in plaintext to attackers.
Possible Impact
Intercepted data can be read in transit
Suggested Resolution
Enforce SSL for all connections
Insecure Example
The following example will fail the google-sql-encrypt-in-transit-data check.
resource "google_sql_database_instance" "postgres" {
name = "postgres-instance-a"
database_version = "POSTGRES_11"
settings {
tier = "db-f1-micro"
ip_configuration {
ipv4_enabled = false
authorized_networks {
value = "108.12.12.0/24"
name = "internal"
}
require_ssl = false
}
}
}
Secure Example
The following example will pass the google-sql-encrypt-in-transit-data check.
resource "google_sql_database_instance" "postgres" {
name = "postgres-instance-a"
database_version = "POSTGRES_11"
settings {
tier = "db-f1-micro"
ip_configuration {
ipv4_enabled = false
authorized_networks {
value = "108.12.12.0/24"
name = "internal"
}
require_ssl = true
}
}
}