GCP SQL Instance should not have insecure Cross DB Ownership Chaining On

ID

gcp_sql_cross_ownership_chaining

Severity

low

Vendor

GCP

Resource

AIM

Tags

reachable

Description

The `cross db ownership chaining` database flag controls whether ownership chains may span databases within a SQL Server instance. It should be off on Google Cloud SQL instances: when several databases with different owners share one instance, cross-database chaining lets a permission granted in one database carry over into objects of another, which is a security risk.

To fix it, add a `databaseFlags` entry with name `cross db ownership chaining` and value `off`.

Learn more about this topic at Cloud SQL - Configure database flags.

Examples

```yaml
---
- name: Create a SQL Server instance
  google.cloud.gcp_sql_instance:
    name: "test-sql-instance"
    region: us-central1
    settings:
      tier: db-custom-1-3840
      databaseVersion: SQLSERVER_2017_STANDARD
      databaseFlags:
        - name: cross db ownership chaining
          # Quoted: unquoted on/off is parsed as a YAML boolean, not the string the flag expects
          value: "on"
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
```

Mitigation / Fix

```yaml
---
- name: Create a SQL Server instance
  google.cloud.gcp_sql_instance:
    name: "test-sql-instance"
    region: us-central1
    settings:
      tier: db-custom-1-3840
      databaseVersion: SQLSERVER_2017_STANDARD
      databaseFlags:
        - name: cross db ownership chaining
          # Quoted: unquoted on/off is parsed as a YAML boolean, not the string the flag expects
          value: "off"
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
```
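The checker below is an added example, not this rule's own implementation: it evaluates already-parsed Ansible tasks (the Python structures PyYAML would produce for the two tasks above, constructed inline) against this rule, treating an absent flag as a finding as the fix text requires, and handles the YAML 1.1 quirk that an unquoted `on`/`off` arrives as a boolean. Accepting the collection's snake_case spelling `database_flags` alongside the page's `databaseFlags` is an assumption.

```python
"""Added example: evaluate parsed Ansible tasks for gcp_sql_cross_ownership_chaining."""

FLAG = "cross db ownership chaining"
MODULE = "google.cloud.gcp_sql_instance"


def normalize(value):
    """Map a flag value to 'on'/'off'. PyYAML reads an unquoted on/off as a
    boolean (YAML 1.1), so both bool and str inputs must be handled."""
    if isinstance(value, bool):
        return "on" if value else "off"
    return str(value).strip().lower()


def flag_state(task):
    """Return 'on', 'off' or None (flag absent) for one gcp_sql_instance task;
    None as well when the task does not use that module."""
    params = task.get(MODULE)
    if not isinstance(params, dict):
        return None
    settings = params.get("settings") or {}
    # Page spelling first; the collection's snake_case key is an assumption.
    flags = settings.get("databaseFlags") or settings.get("database_flags") or []
    for flag in flags:
        if str(flag.get("name", "")).strip().lower() == FLAG:
            return normalize(flag.get("value"))
    return None


def check_play(tasks):
    """Return {task name: verdict} for every gcp_sql_instance task in a play."""
    verdicts = {}
    for task in tasks:
        if MODULE not in task:
            continue
        state = flag_state(task)
        if state == "off":
            verdicts[task["name"]] = "PASS"
        elif state == "on":
            verdicts[task["name"]] = "FAIL: cross db ownership chaining is on"
        else:
            verdicts[task["name"]] = "FAIL: flag not explicitly set to off"
    return verdicts


# Constructed sample: what PyYAML yields for the page's two tasks plus one with
# no flag at all. Note that `value: on` arrives as the boolean True.
SAMPLE_TASKS = [
    {"name": "insecure", MODULE: {"settings": {"databaseFlags": [{"name": FLAG, "value": True}]}}},
    {"name": "fixed", MODULE: {"settings": {"databaseFlags": [{"name": FLAG, "value": "off"}]}}},
    {"name": "unset", MODULE: {"settings": {"tier": "db-custom-1-3840"}}},
]

if __name__ == "__main__":
    for name, verdict in check_play(SAMPLE_TASKS).items():
        print(f"{name}: {verdict}")
```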