By default, GCP Cloud SQL instances offer encryption in transit with TLS support, but unencrypted connections are still accepted. On an untrusted network, such as a public network, the risk of traffic being intercepted is high: when the data is not encrypted, an attacker who intercepts it can read confidential information.
When a GCP Cloud SQL instance is created, a public IP address is automatically assigned to it, and connections to the instance from public networks can be authorized.
TLS is automatically used when connecting to SQL instances through:
Connections are not already automatically encrypted by GCP (e.g. via the Cloud SQL Auth proxy), and
There is a risk if you answered yes to any of those questions.
It is recommended to require encryption for all connections to the SQL instance, whether they use public or private IP addresses. However, since private networks can be considered trusted, requiring TLS in that situation is usually a lower-priority task.
```terraform
resource "google_sql_database_instance" "example" { # Sensitive: TLS is not required
  name             = "noncompliant-master-instance"
  database_version = "POSTGRES_11"
  region           = "us-central1"
  settings {
    tier = "db-f1-micro"
  }
}
```

```terraform
resource "google_sql_database_instance" "example" {
  name             = "compliant-master-instance"
  database_version = "POSTGRES_11"
  region           = "us-central1"
  settings {
    tier = "db-f1-micro"
    ip_configuration {
      require_ssl  = true # Compliant: unencrypted connections are rejected
      ipv4_enabled = true
    }
  }
}
```
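The check above is easy to apply to a Terraform code base before it is deployed. The following Python script is an added example (not code from the rule page or from the provider) that scans HCL text for `google_sql_database_instance` resources, reports any instance whose `ip_configuration` does not set `require_ssl = true`, and rates the finding higher when the instance also keeps its public IP. The sample HCL is constructed inline from the two resources above plus a private-only variant; the brace-matching mini-parser and the assumption that `ipv4_enabled` defaults to `true` (a public address is assigned unless it is explicitly disabled) are the author's, not part of any official tooling.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches the opening line of a Cloud SQL instance resource block.
RESOURCE_RE = re.compile(r'resource\s+"google_sql_database_instance"\s+"([^"]+)"\s*\{')


@dataclass
class Finding:
    label: str           # Terraform resource label (e.g. "example")
    instance: str        # value of the "name" attribute, if present
    require_ssl: bool    # True only when require_ssl = true is set
    public_ip: bool      # True unless ipv4_enabled = false is set explicitly

    @property
    def severity(self) -> str:
        """ok: TLS required; high: no TLS and reachable via public IP; low: no TLS, private IP only."""
        if self.require_ssl:
            return "ok"
        return "high" if self.public_ip else "low"

    @property
    def message(self) -> str:
        if self.require_ssl:
            return f"{self.instance}: compliant, require_ssl = true"
        exposure = "public IP enabled" if self.public_ip else "private IP only"
        return f"{self.instance}: Sensitive, TLS is not required ({exposure})"


def _block_body(text: str, open_brace: int) -> str:
    """Return the text between the brace at open_brace and its matching close brace."""
    depth = 0
    for i in range(open_brace, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_brace + 1:i]
    raise ValueError("unbalanced braces in Terraform source")


def _attr(body: str, name: str) -> Optional[str]:
    """Return the raw value of `name = value` anywhere inside the block (nested blocks included)."""
    m = re.search(rf"^\s*{re.escape(name)}\s*=\s*([^\s#]+)", body, re.MULTILINE)
    return m.group(1).strip('"') if m else None


def check_sql_instances(hcl: str) -> List[Finding]:
    findings = []
    for m in RESOURCE_RE.finditer(hcl):
        body = _block_body(hcl, m.end() - 1)  # m.end() - 1 is the index of the "{"
        findings.append(Finding(
            label=m.group(1),
            instance=_attr(body, "name") or m.group(1),
            require_ssl=_attr(body, "require_ssl") == "true",
            # Assumption: GCP assigns a public IPv4 address unless ipv4_enabled is explicitly false.
            public_ip=_attr(body, "ipv4_enabled") != "false",
        ))
    return findings


# Constructed sample: the two resources from the rule text plus a private-only instance.
SAMPLE_HCL = '''
resource "google_sql_database_instance" "noncompliant" { # Sensitive: TLS is not required
  name             = "noncompliant-master-instance"
  database_version = "POSTGRES_11"
  region           = "us-central1"
  settings {
    tier = "db-f1-micro"
  }
}

resource "google_sql_database_instance" "compliant" {
  name             = "compliant-master-instance"
  database_version = "POSTGRES_11"
  region           = "us-central1"
  settings {
    tier = "db-f1-micro"
    ip_configuration {
      require_ssl  = true
      ipv4_enabled = true
    }
  }
}

resource "google_sql_database_instance" "private_only" {
  name             = "private-master-instance"
  database_version = "POSTGRES_11"
  region           = "us-central1"
  settings {
    tier = "db-f1-micro"
    ip_configuration {
      ipv4_enabled    = false
      private_network = "projects/example/global/networks/default"
    }
  }
}
'''

if __name__ == "__main__":
    for f in check_sql_instances(SAMPLE_HCL):
        print(f"[{f.severity}] {f.message}")
```

Run against the constructed sample, the script reports the first instance as `high` (no TLS requirement and a public address), the second as `ok`, and the private-only instance as `low`, matching the prioritisation the rule describes. Running `terraform fmt` before scanning keeps the one-attribute-per-line layout the regexes rely on.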