Ensures that server certificates are rotated before they expire.
Risk Level: Low
Description
This plugin ensures that the Cloud SQL server certificates are rotated before they expire. Whenever a new database instance is created, a server certificate is automatically generated. This certificate enables clients to establish a secure connection to the respective database instance. However, this certificate has an expiry date of ten years and will no longer be valid after that date.
About the Service
Google Cloud SQL:
Google Cloud SQL is a relational database for MySQL, PostgreSQL, and SQL Server that is fully managed. It automates database provisioning, storage capacity management, replication, and backups while lowering maintenance costs. It can be set up easily using the built-in migration tools and lets you scale your instances effortlessly. To know more about Cloud SQL, read here.
Impact
The SSL certificates are used when connecting an instance using its public IP address so that the data is secure during data transmission. Without using this certificate, it poses the risk of anyone reading sensitive information. If the certificate is not rotated before its expiration date then the certificate becomes invalid and can no longer be used.
Steps to Reproduce
Using GCP Console-
- Log In to your GCP Console.
- From the top navigation bar, select the GCP project you want to investigate.
- From the navigation panel on the left side of the console, go to SQL. You can use this link here to navigate directly if you’re already logged in.
- Select the ID of the SQL instance you want to investigate from the list of instances available and click on the CONNECTIONS tab to check the connectivity configurations of the selected instance.
- In the SECURITY tab, under Manage server certificates, if it says “Expires” value for certificate status “Active.” If the expiry date is very close by, then SentinelOne CNS strongly recommends rotating the certificate.
- Repeat steps 4 and 5 for all the SQL instances you want to investigate in the selected project.
- If you have multiple projects, repeat steps 2 to 6 for each project in your GCP Console.
Steps for Remediation
Make the necessary changes to rotate your SSL certificates before they expire using the steps below.
Using GCP Console-
- Log In to your GCP Console.
- From the top navigation bar, select the GCP project you want to investigate.
- From the navigation panel on the left side of the console, go to SQL. You can use this link here to navigate directly if you’re already logged in.
- Select the ID of the SQL instance you want to reconfigure in the list of instances available and click on the CONNECTIONS tab. (In case you aren’t sure which SQL instance needs to be configured, follow the steps to reproduce listed above to determine which to choose.)
- In the SECURITY tab, under Manage server certificates, click on the MANAGE CERTIFICATES button and select CREATE NEW CERTIFICATE to create a new certificate.
- Next, click on the DOWNLOAD CERTIFICATES button right below MANAGE CERTIFICATES to download your certificates in .pem form.
- Replace all your existing server-ca.pem files with the new file to integrate the new information with all your existing host clients.
- In the SECURITY tab, under Manage server certificates, click on the MANAGE CERTIFICATES button and select ROTATE CERTIFICATE to rotate your certificates.
- In the confirm certificate rotation confirmation box, click ROTATE to confirm the rotation.
- Repeat steps 5 to 9 for all the SQL instances you want to reconfigure in the selected project.
- If you have multiple projects, repeat steps 2 to 10 for each project in your GCP console.