c725ac6e83 | ||
|
|
87d8d2e311 |
@@ -14,6 +14,8 @@ All notable changes to the **Prowler SDK** are documented in this file.
|
||||
- Update AWS SQS service metadata to new format [(#9429)](https://github.com/prowler-cloud/prowler/pull/9429)
|
||||
- Update AWS Shield service metadata to new format [(#9427)](https://github.com/prowler-cloud/prowler/pull/9427)
|
||||
- Update AWS Secrets Manager service metadata to new format [(#9408)](https://github.com/prowler-cloud/prowler/pull/9408)
|
||||
- Update GCP Cloud SQL service metadata to new format [(#9639)](https://github.com/prowler-cloud/prowler/pull/9639)
|
||||
|
||||
|
||||
---
|
||||
|
||||
|
||||
@@ -1,29 +1,35 @@
|
||||
{
|
||||
"Provider": "gcp",
|
||||
"CheckID": "cloudsql_instance_automated_backups",
|
||||
"CheckTitle": "Ensure That Cloud SQL Database Instances Are Configured With Automated Backups",
|
||||
"CheckTitle": "Cloud SQL database instance has automated backups configured",
|
||||
"CheckType": [],
|
||||
"ServiceName": "cloudsql",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "DatabaseInstance",
|
||||
"Description": "Ensure That Cloud SQL Database Instances Are Configured With Automated Backups",
|
||||
"Risk": "Backups provide a way to restore a Cloud SQL instance to recover lost data or recover from a problem with that instance. Automated backups need to be set for any instance that contains data that should be protected from loss or damage. This recommendation is applicable for SQL Server, PostgreSql, MySql generation 1 and MySql generation 2 instances.",
|
||||
"Severity": "high",
|
||||
"ResourceType": "sqladmin.googleapis.com/Instance",
|
||||
"Description": "**Cloud SQL instances** are checked for **automated backups** being configured to run on a schedule and support point-in-time recovery.",
|
||||
"Risk": "Absent **automated backups**, unintended deletes, corruption, or ransomware can become irreversible. This degrades data **integrity** and **availability**, removes point-in-time recovery options, and widens `RPO`/`RTO`, causing prolonged outages and incomplete restoration after incidents or schema changes.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudSQL/enable-automated-backups.html",
|
||||
"https://cloud.google.com/sql/docs/postgres/configure-ssl-instance/"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "gcloud sql instances patch <INSTANCE_NAME> --backup-start-time <[HH:MM]>",
|
||||
"CLI": "gcloud sql instances patch <INSTANCE_NAME> --backup-start-time <HH:MM>",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudSQL/enable-automated-backups.html",
|
||||
"Terraform": ""
|
||||
"Other": "1. In Google Cloud Console, go to Cloud SQL > Instances\n2. Click your instance name, then click Edit\n3. In the Backups section, enable Automated backups and set a Start time\n4. Click Save to apply",
|
||||
"Terraform": "```hcl\nresource \"google_sql_database_instance\" \"<example_resource_name>\" {\n name = \"<example_resource_id>\"\n database_version = \"POSTGRES_14\"\n region = \"<REGION>\"\n\n settings {\n tier = \"db-custom-1-3840\"\n\n backup_configuration {\n enabled = true # Critical: turns on automated backups\n start_time = \"02:00\" # Critical: required to enable backups and set start time\n }\n }\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "It is recommended to have all SQL database instances set to enable automated backups.",
|
||||
"Url": "https://cloud.google.com/sql/docs/postgres/configure-ssl-instance/"
|
||||
"Text": "Enable **automated backups** on all Cloud SQL instances holding important data. Set retention and schedules to meet `RPO`/`RTO`, and enable point-in-time recovery. Apply **least privilege** to backup access, use **separation of duties**, consider cross-region resilience, and regularly test restores with monitoring and alerts for failures.",
|
||||
"Url": "https://hub.prowler.com/check/cloudsql_instance_automated_backups"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"resilience"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
|
||||
|
||||
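Review bot: The rewritten Description claims the check covers automated backups that "support point-in-time recovery", but nothing in the remediation enables PITR — the CLI only sets `--backup-start-time` and the Terraform only sets `backup_configuration.enabled` and `start_time` — so a PASS on this check must not be read as point-in-time recovery being configured. I would narrow the Description to what is actually verified, e.g. `"Description": "**Cloud SQL instances** are checked for **automated backups** being enabled with a scheduled start time. Point-in-time recovery is a separate setting and is not verified by this check."`. The unchanged `AdditionalURLs` entry `https://cloud.google.com/sql/docs/postgres/configure-ssl-instance/` is about SSL configuration, not backups, and looks copied from a sibling check; it should be replaced with the Cloud SQL backup documentation or dropped.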
@@ -1,29 +1,41 @@
|
||||
{
|
||||
"Provider": "gcp",
|
||||
"CheckID": "cloudsql_instance_mysql_local_infile_flag",
|
||||
"CheckTitle": "Ensure That the Local_infile Database Flag for a Cloud SQL MySQL Instance Is Set to Off",
|
||||
"CheckTitle": "Cloud SQL MySQL instance has the local_infile database flag set to off",
|
||||
"CheckType": [],
|
||||
"ServiceName": "cloudsql",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "DatabaseInstance",
|
||||
"Description": "Ensure That the Local_infile Database Flag for a Cloud SQL MySQL Instance Is Set to Off",
|
||||
"Risk": "The local_infile flag controls the server-side LOCAL capability for LOAD DATA statements. Depending on the local_infile setting, the server refuses or permits local data loading by clients that have LOCAL enabled on the client side.",
|
||||
"Severity": "high",
|
||||
"ResourceType": "sqladmin.googleapis.com/Instance",
|
||||
"Description": "**Cloud SQL for MySQL** instances are evaluated for the `local_infile` database flag being explicitly set to `off`, disabling use of `LOAD DATA LOCAL`.\n\nInstances where `local_infile` is absent or not `off` are identified.",
|
||||
"Risk": "With `local_infile` enabled, clients can send local files via `LOAD DATA LOCAL`. A stolen credential or SQL injection can coerce clients to leak files and mass-ingest unvetted data, compromising **confidentiality** and **integrity**, and aiding lateral movement through secrets imported into the database.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.prowler.com/checks/gcp/cloud-sql-policies/bc_gcp_sql_1#terraform",
|
||||
"https://cloud-kb.sentinelone.com/mysql-local-infile-enabled",
|
||||
"https://support.icompaas.com/support/solutions/articles/62000233031-6-1-3-ensure-that-the-local-infile-database-flag-for-a-cloud-sql-mysql-instance-is-set-to-off-au",
|
||||
"https://www.cloudanix.com/misconfig/gcp/gcpsqlmonitoring",
|
||||
"https://cloud.google.com/sql/docs/mysql/flags",
|
||||
"https://stackoverflow.com/questions/56799504/loading-csv-into-cloudsql",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudSQL/disable-local-infile-flag.html",
|
||||
"https://docs.prowler.com/checks/gcp/cloud-sql-policies/bc_gcp_sql_1/"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "gcloud sql instances patch INSTANCE_NAME --database-flags local_infile=off",
|
||||
"CLI": "gcloud sql instances patch <INSTANCE_NAME> --database-flags=local_infile=off",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudSQL/disable-local-infile-flag.html",
|
||||
"Terraform": "https://docs.prowler.com/checks/gcp/cloud-sql-policies/bc_gcp_sql_1#terraform"
|
||||
"Other": "1. In Google Cloud Console, go to SQL\n2. Select the MySQL instance and click Edit\n3. In Database flags, add or locate \"local_infile\" and set it to Off\n4. Click Save to apply changes",
|
||||
"Terraform": "```hcl\nresource \"google_sql_database_instance\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n database_version = \"MYSQL_8_0\"\n region = \"<example_region>\"\n\n settings {\n tier = \"<example_tier>\"\n # Critical: disables LOCAL INFILE to pass the check\n database_flags {\n name = \"local_infile\" # sets the specific flag\n value = \"off\" # required value for compliance\n }\n }\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "It is recommended to set the local_infile database flag for a Cloud SQL MySQL instance to off.",
|
||||
"Url": "https://cloud.google.com/sql/docs/mysql/flags"
|
||||
"Text": "Keep `local_infile` set to `off`. Use governed import channels (e.g., controlled object storage imports) and enforce **least privilege** for bulk-loading. Apply **separation of duties** between ingestion and admin roles, validate file sources and formats, and monitor high-volume loads. *If ever needed, enable only briefly for vetted tasks.*",
|
||||
"Url": "https://hub.prowler.com/check/cloudsql_instance_mysql_local_infile_flag"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"vulnerabilities"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
|
||||
|
||||
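Review bot: The new Description states that an instance where `local_infile` is absent is reported as a finding, yet neither Risk nor Notes says what the effective value is when the flag is unset, which is what an operator needs to judge the finding. Upstream MySQL 8.0 defaults `local_infile` to OFF, so if Cloud SQL preserves that default an unset flag is already safe and the finding is only about making the setting explicit; I would confirm what Cloud SQL applies when unset and record it, e.g. `"Notes": "The check requires local_infile to be set explicitly to off; confirm the Cloud SQL default applied when the flag is absent for the instance's MySQL version."`. The `AdditionalURLs` list also carries the same Prowler docs page twice (`bc_gcp_sql_1#terraform` and `bc_gcp_sql_1/`) plus a Stack Overflow thread; de-duplicating and leading with the Google flags page would keep the references authoritative.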
@@ -1,29 +1,40 @@
|
||||
{
|
||||
"Provider": "gcp",
|
||||
"CheckID": "cloudsql_instance_mysql_skip_show_database_flag",
|
||||
"CheckTitle": "Ensure Skip_show_database Database Flag for Cloud SQL MySQL Instance Is Set to On",
|
||||
"CheckTitle": "Cloud SQL MySQL instance has skip_show_database flag set to on",
|
||||
"CheckType": [],
|
||||
"ServiceName": "cloudsql",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "DatabaseInstance",
|
||||
"Description": "Ensure Skip_show_database Database Flag for Cloud SQL MySQL Instance Is Set to On",
|
||||
"Risk": "'skip_show_database' database flag prevents people from using the SHOW DATABASES statement if they do not have the SHOW DATABASES privilege.",
|
||||
"Severity": "low",
|
||||
"ResourceType": "sqladmin.googleapis.com/Instance",
|
||||
"Description": "**Cloud SQL MySQL** instances configure the `skip_show_database` database flag to `on`, limiting use of `SHOW DATABASES` to accounts with the `SHOW DATABASES` privilege.",
|
||||
"Risk": "Without `skip_show_database` set to `on`, database names can be exposed to unprivileged users, reducing **confidentiality**. Attackers can perform schema **enumeration** and targeted probing, enabling **lateral movement** and privilege escalation against specific datasets.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://support.icompaas.com/support/solutions/articles/62000233030-6-1-2-ensure-skip-show-database-database-flag-for-cloud-sql-mysql-instance-is-set-to-on-automate",
|
||||
"https://hub.steampipe.io/mods/turbot/gcp_compliance/controls/control.sql_instance_mysql_skip_show_database_flag_on",
|
||||
"https://guides.spectralops.io/docs/d9_gcp_vln_05",
|
||||
"https://docs.datadoghq.com/security/default_rules/def-000-ht8/",
|
||||
"https://cloud.google.com/sql/docs/mysql/flags",
|
||||
"https://www.cloudanix.com/docs/gcp/audit/gcpsqlmonitoring/rules/sql_skip_show_database_flag",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudSQL/enable-skip-show-database-flag.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "gcloud sql instances patch INSTANCE_NAME --database-flags skip_show_database=on",
|
||||
"CLI": "gcloud sql instances patch <INSTANCE_NAME> --database-flags=skip_show_database=on",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudSQL/enable-skip-show-database-flag.html",
|
||||
"Terraform": ""
|
||||
"Other": "1. In Google Cloud Console, go to Cloud SQL > Instances\n2. Open your MySQL instance and click Edit\n3. Under Flags, click Add item, select skip_show_database, set value to ON\n4. Click Save",
|
||||
"Terraform": "```hcl\nresource \"google_sql_database_instance\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n database_version = \"MYSQL_8_0\"\n region = \"<example_region>\"\n\n settings {\n tier = \"db-custom-1-3840\"\n\n database_flags {\n name = \"skip_show_database\" # Critical: enforce hiding databases from users without SHOW DATABASES privilege\n value = \"on\" # Critical: set flag to 'on' to pass the check\n }\n }\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "It is recommended to set skip_show_database database flag for Cloud SQL Mysql instance to on.",
|
||||
"Url": "https://cloud.google.com/sql/docs/mysql/flags"
|
||||
"Text": "Set `skip_show_database` to `on` for all Cloud SQL MySQL instances. Enforce **least privilege** by granting `SHOW DATABASES` only when necessary and reviewing roles regularly. Use **defense in depth**: monitor access and admin actions, and plan changes in maintenance windows as flag updates may trigger restarts.",
|
||||
"Url": "https://hub.prowler.com/check/cloudsql_instance_mysql_skip_show_database_flag"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"identity-access"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
|
||||
|
||||
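Review bot: The rewritten Risk overstates the exposure: without `skip_show_database`, MySQL's `SHOW DATABASES` only lists databases the account already holds some privilege on (unless it has the global `SHOW DATABASES` privilege), so "database names can be exposed to unprivileged users ... enabling lateral movement and privilege escalation" is not supported by the flag's semantics. I would reword it to what the flag actually prevents, e.g. `"Risk": "Without `skip_show_database` set to `on`, any authenticated account can run `SHOW DATABASES` and enumerate the names of databases it holds any privilege on, aiding targeted probing by a low-privileged or compromised account; the flag restricts the statement to accounts granted `SHOW DATABASES`."`. The downgrade to `"Severity": "low"` is consistent with that narrower impact, so the text should match it.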
@@ -1,29 +1,40 @@
|
||||
{
|
||||
"Provider": "gcp",
|
||||
"CheckID": "cloudsql_instance_postgres_enable_pgaudit_flag",
|
||||
"CheckTitle": "Ensure That 'cloudsql.enable_pgaudit' Database Flag for each Cloud Sql Postgresql Instance Is Set to 'on' For Centralized Logging",
|
||||
"CheckTitle": "Cloud SQL PostgreSQL instance has 'cloudsql.enable_pgaudit' flag set to 'on'",
|
||||
"CheckType": [],
|
||||
"ServiceName": "cloudsql",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "DatabaseInstance",
|
||||
"Description": "Ensure That 'cloudsql.enable_pgaudit' Database Flag for each Cloud Sql Postgresql Instance Is Set to 'on' For Centralized Logging",
|
||||
"Risk": "Ensure cloudsql.enable_pgaudit database flag for Cloud SQL PostgreSQL instance is set to on to allow for centralized logging.",
|
||||
"Severity": "high",
|
||||
"ResourceType": "sqladmin.googleapis.com/Instance",
|
||||
"Description": "**Cloud SQL for PostgreSQL** instances are evaluated for the database flag `cloudsql.enable_pgaudit` being set to `on`",
|
||||
"Risk": "Without `cloudsql.enable_pgaudit`, **database activity** lacks granular audit trails. Undetected reads/writes enable insider abuse, credential reuse, or SQL injection without evidence, harming **confidentiality** and **integrity**. Poor traceability slows incident response, forensics, and undermines compliance.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://cloud.google.com/sql/docs/postgres/flags",
|
||||
"https://www.skills.google/focuses/22793?parent=catalog",
|
||||
"https://stackoverflow.com/questions/65291896/gcp-cloud-sql-query-logging-for-postgres",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudSQL/postgre-sql-audit-flag.html",
|
||||
"https://medium.com/google-cloud/audit-logs-on-steroids-with-cloud-sql-for-postgresql-and-pgaudit-d1fdf8725faf",
|
||||
"https://docs.cloud.google.com/sql/docs/postgres/pg-audit"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "gcloud sql instances patch INSTANCE_NAME --database-flags cloudsql.enable_pgaudit=On",
|
||||
"CLI": "gcloud sql instances patch <example_resource_id> --database-flags cloudsql.enable_pgaudit=on",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudSQL/postgre-sql-audit-flag.html",
|
||||
"Terraform": ""
|
||||
"Other": "1. In Google Cloud Console, go to SQL\n2. Select your PostgreSQL instance and click Edit\n3. In Database flags, click Add item\n4. Set Flag to cloudsql.enable_pgaudit and Value to on\n5. Click Save and restart if prompted",
|
||||
"Terraform": "```hcl\nresource \"google_sql_database_instance\" \"<example_resource_name>\" {\n name = \"<example_resource_id>\"\n region = \"us-central1\"\n database_version = \"POSTGRES_14\"\n\n settings {\n tier = \"db-custom-1-3840\"\n database_flags {\n name = \"cloudsql.enable_pgaudit\" # Critical: enable pgAudit\n value = \"on\" # Critical: set flag to 'on' to pass the check\n }\n }\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "As numerous other recommendations in this section consist of turning on flags for logging purposes, your organization will need a way to manage these logs. You may have a solution already in place. If you do not, consider installing and enabling the open source pgaudit extension within PostgreSQL and enabling its corresponding flag of cloudsql.enable_pgaudit. This flag and installing the extension enables database auditing in PostgreSQL through the open-source pgAudit extension. This extension provides detailed session and object logging to comply with government, financial, & ISO standards and provides auditing capabilities to mitigate threats by monitoring security events on the instance. Enabling the flag and settings later in this recommendation will send these logs to Google Logs Explorer so that you can access them in a central location.",
|
||||
"Url": "https://cloud.google.com/sql/docs/postgres/flags"
|
||||
"Text": "Enable `cloudsql.enable_pgaudit` and configure **pgAudit** to log required classes (e.g., `read`, `write`, `ddl`) under least privilege. Centralize logs, enforce retention and RBAC, and monitor with alerts. *Scope auditing to sensitive data to reduce noise and overhead, and review coverage regularly.*",
|
||||
"Url": "https://hub.prowler.com/check/cloudsql_instance_postgres_enable_pgaudit_flag"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"logging",
|
||||
"forensics-ready"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
|
||||
|
||||
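Review bot: The remediation only sets `cloudsql.enable_pgaudit=on`, which makes the extension available but does not by itself produce audit records — the extension still has to be created in the database and `pgaudit.log` set to the classes to audit — so an instance can pass this check with no auditing active, which the old Recommendation text acknowledged ("the flag and settings later in this recommendation") and the new one drops. I would extend the console steps with `6. Connect to the database and run CREATE EXTENSION pgaudit; then add the pgaudit.log flag with the classes to audit (e.g. read,write,ddl)` and add a second `database_flags { name = "pgaudit.log" value = "all" }` block to the Terraform example. The new Description is also missing its terminating period.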
@@ -1,29 +1,36 @@
|
||||
{
|
||||
"Provider": "gcp",
|
||||
"CheckID": "cloudsql_instance_postgres_log_connections_flag",
|
||||
"CheckTitle": "Ensure That the Log_connections Database Flag for Cloud SQL PostgreSQL Instance Is Set to On",
|
||||
"CheckTitle": "Cloud SQL PostgreSQL instance has log_connections flag set to on",
|
||||
"CheckType": [],
|
||||
"ServiceName": "cloudsql",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "DatabaseInstance",
|
||||
"Description": "Ensure That the Log_connections Database Flag for Cloud SQL PostgreSQL Instance Is Set to On",
|
||||
"Risk": "Enabling the log_connections setting causes each attempted connection to the server to be logged, along with successful completion of client authentication. This parameter cannot be changed after the session starts.",
|
||||
"ResourceType": "sqladmin.googleapis.com/Instance",
|
||||
"Description": "**Cloud SQL for PostgreSQL** instances have the `log_connections` flag set to `on`, causing the server to record every connection attempt and the result of client authentication.",
|
||||
"Risk": "Without connection logs, unauthorized access attempts can go unnoticed. Attackers may brute-force or reuse credentials without audit evidence, enabling stealthy data access (**confidentiality**), changes via compromised accounts (**integrity**), and connection floods that impact service (**availability**).",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://cloud.google.com/sql/docs/postgres/flags",
|
||||
"https://docs.prowler.com/checks/gcp/cloud-sql-policies/bc_gcp_sql_3#terraform",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudSQL/enable-log-connections-flag.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "gcloud sql instances patch INSTANCE_NAME --database-flags log_connections=on",
|
||||
"CLI": "gcloud sql instances patch <INSTANCE_NAME> --database-flags=log_connections=on",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudSQL/enable-log-connections-flag.html",
|
||||
"Terraform": "https://docs.prowler.com/checks/gcp/cloud-sql-policies/bc_gcp_sql_3#terraform"
|
||||
"Other": "1. In Google Cloud Console, go to Cloud SQL > Instances\n2. Open your PostgreSQL instance and click Edit\n3. In Flags, click Add item, select log_connections, set value to on\n4. Click Save and confirm the restart",
|
||||
"Terraform": "```hcl\nresource \"google_sql_database_instance\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n database_version = \"POSTGRES_14\"\n region = \"<region>\"\n\n settings {\n tier = \"db-f1-micro\"\n\n # Critical: enables connection logging to pass the check\n database_flags {\n name = \"log_connections\" # critical\n value = \"on\" # critical\n }\n }\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "PostgreSQL does not log attempted connections by default. Enabling the log_connections setting will create log entries for each attempted connection as well as successful completion of client authentication which can be useful in troubleshooting issues and to determine any unusual connection attempts to the server.",
|
||||
"Url": "https://cloud.google.com/sql/docs/postgres/flags"
|
||||
"Text": "Enable `log_connections`=`on` for all PostgreSQL instances.\n- Apply **defense in depth**: also capture disconnects and audit events\n- Centralize logs, retain them, and alert on anomalies\n- Enforce **least privilege** and strong authentication to reduce exposure and improve detection",
|
||||
"Url": "https://hub.prowler.com/check/cloudsql_instance_postgres_log_connections_flag"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"logging"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
|
||||
|
||||
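Review bot: The CLI remediation `gcloud sql instances patch <INSTANCE_NAME> --database-flags=log_connections=on` replaces the instance's whole flag set rather than adding one flag, so running it as written clears `log_disconnections`, `cloudsql.enable_pgaudit` and the other flags the sibling checks in this commit require, turning one fix into several new findings. The same applies to every `--database-flags=` command in this commit; at minimum the Notes field (currently `""`) should carry a warning, e.g. `"Notes": "gcloud --database-flags replaces all existing database flags on the instance; include every flag that must remain set in the same command."`. The Risk's claim that missing logs enable "connection floods that impact service" is also a stretch, since connection logging does not prevent floods — it only records them — and I would soften it to detection.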
@@ -1,29 +1,36 @@
|
||||
{
|
||||
"Provider": "gcp",
|
||||
"CheckID": "cloudsql_instance_postgres_log_disconnections_flag",
|
||||
"CheckTitle": "Ensure That the log_disconnections Database Flag for Cloud SQL PostgreSQL Instance Is Set to On",
|
||||
"CheckTitle": "Cloud SQL PostgreSQL instance has log_disconnections flag set to on",
|
||||
"CheckType": [],
|
||||
"ServiceName": "cloudsql",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "DatabaseInstance",
|
||||
"Description": "Ensure That the log_disconnections Database Flag for Cloud SQL PostgreSQL Instance Is Set to On",
|
||||
"Risk": "PostgreSQL does not log session details such as duration and session end by default. Enabling the log_disconnections setting will create log entries at the end of each session which can be useful in troubleshooting issues and determine any unusual activity across a time period.",
|
||||
"ResourceType": "sqladmin.googleapis.com/Instance",
|
||||
"Description": "**Cloud SQL for PostgreSQL** instances have the `log_disconnections` flag set to `on`, creating a record each time a client session ends, including its duration and status",
|
||||
"Risk": "Without **disconnection logs**, session lifecycles lack visibility, obscuring **credential misuse**, **session hijacking**, and short-lived data exfiltration.\n\nWeak audit trails hinder correlation and forensics, undermining confidentiality and integrity and slowing incident response.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.prowler.com/checks/gcp/cloud-sql-policies/bc_gcp_sql_4#terraform",
|
||||
"https://cloud.google.com/sql/docs/postgres/flags",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudSQL/enable-log-connections-flag.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "gcloud sql instances patch INSTANCE_NAME --database-flags log_disconnections=on",
|
||||
"CLI": "gcloud sql instances patch <example_resource_name> --database-flags=log_disconnections=on",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudSQL/enable-log-connections-flag.html",
|
||||
"Terraform": "https://docs.prowler.com/checks/gcp/cloud-sql-policies/bc_gcp_sql_4#terraform"
|
||||
"Other": "1. In Google Cloud Console, go to Cloud SQL > Instances\n2. Click your PostgreSQL instance\n3. Click Edit\n4. In Database flags, click Add item\n5. Select log_disconnections and set value to on\n6. Click Save and confirm the restart",
|
||||
"Terraform": "```hcl\nresource \"google_sql_database_instance\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n region = \"<REGION>\"\n database_version = \"POSTGRES_14\"\n\n settings {\n tier = \"<TIER>\"\n\n # Critical: enable disconnect logging\n database_flags {\n name = \"log_disconnections\" # sets the required flag\n value = \"on\" # ensures the check passes\n }\n }\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Enabling the log_disconnections setting logs the end of each session, including the session duration.",
|
||||
"Url": "https://cloud.google.com/sql/docs/postgres/flags"
|
||||
"Text": "Enable `log_disconnections=on` to ensure complete session auditing.\n- Pair with `log_connections` and a consistent `log_line_prefix`\n- Centralize and retain logs; alert on anomalies\n- Apply **defense in depth** with routine review of access and audit events",
|
||||
"Url": "https://hub.prowler.com/check/cloudsql_instance_postgres_log_disconnections_flag"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"logging"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
|
||||
|
||||
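Review bot: The `AdditionalURLs` entry `https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudSQL/enable-log-connections-flag.html` is the sibling `log_connections` page, not the `log_disconnections` one, and was carried over unchanged from the old "Other" field that this commit otherwise replaces; it should point at the disconnections equivalent or be dropped. The new Recommendation also tells readers to pair the flag with "a consistent `log_line_prefix`", which is only actionable if Cloud SQL allows that parameter to be set — if it is not in Cloud SQL's supported flag list, drop that bullet so the advice stays applicable to the managed service.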
@@ -1,29 +1,34 @@
|
||||
{
|
||||
"Provider": "gcp",
|
||||
"CheckID": "cloudsql_instance_postgres_log_error_verbosity_flag",
|
||||
"CheckTitle": "Ensure Log_error_verbosity Database Flag for Cloud SQL PostgreSQL Instance Is Set to DEFAULT or Stricter",
|
||||
"CheckTitle": "Cloud SQL PostgreSQL instance has log_error_verbosity flag set to default",
|
||||
"CheckType": [],
|
||||
"ServiceName": "cloudsql",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "DatabaseInstance",
|
||||
"Description": "Ensure Log_error_verbosity Database Flag for Cloud SQL PostgreSQL Instance Is Set to DEFAULT or Stricter",
|
||||
"Risk": "The log_error_verbosity flag controls the verbosity/details of messages logged.TERSE excludes the logging of DETAIL, HINT, QUERY, and CONTEXT error information. VERBOSE output includes the SQLSTATE error code, source code file name, function name, and line number that generated the error. Ensure an appropriate value is set to 'DEFAULT' or stricter.",
|
||||
"ResourceType": "sqladmin.googleapis.com/Instance",
|
||||
"Description": "**Cloud SQL for PostgreSQL** evaluates the `log_error_verbosity` database flag and expects the value `default`.\n\nConfigurations using `terse` or `verbose` are flagged as deviations.",
|
||||
"Risk": "With `verbose`, logs may reveal SQLSTATE, code paths, and function details, aiding recon and leaking metadata (**confidentiality**). With `terse`, missing DETAIL/HINT/CONTEXT hinders detection and forensics, reducing **integrity** of investigations and **availability** of operational insight.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://cloud.google.com/sql/docs/postgres/flags"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "gcloud sql instances patch INSTANCE_NAME --database-flags log_error_verbosity=default",
|
||||
"CLI": "gcloud sql instances patch <INSTANCE_NAME> --database-flags=log_error_verbosity=default",
|
||||
"NativeIaC": "",
|
||||
"Other": "",
|
||||
"Terraform": ""
|
||||
"Other": "1. In Google Cloud Console, go to Cloud SQL > Instances\n2. Open the PostgreSQL instance\n3. Click Edit\n4. In Database flags, set log_error_verbosity to default (or remove the custom value)\n5. Click Save (the instance may restart)",
|
||||
"Terraform": "```hcl\nresource \"google_sql_database_instance\" \"main\" {\n name = \"<example_resource_name>\"\n region = \"<example_region>\"\n database_version = \"POSTGRES_14\"\n\n settings {\n tier = \"<example_machine_tier>\"\n\n database_flags {\n name = \"log_error_verbosity\"\n value = \"default\" # Critical: sets the flag to default to pass the check\n }\n }\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Auditing helps in troubleshooting operational problems and also permits forensic analysis. If log_error_verbosity is not set to the correct value, too many details or too few details may be logged. This flag should be configured with a value of 'DEFAULT' or stricter. This recommendation is applicable to PostgreSQL database instances.",
|
||||
"Url": "https://cloud.google.com/sql/docs/postgres/flags"
|
||||
"Text": "Set `log_error_verbosity` to `default` to balance **data minimization** and **observability**.\n\n- Avoid `verbose` in production; restrict log access (least privilege)\n- Avoid `terse` except briefly to curb noise\n- Centralize logs with retention and tamper protection for **defense in depth**",
|
||||
"Url": "https://hub.prowler.com/check/cloudsql_instance_postgres_log_error_verbosity_flag"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"logging"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
|
||||
|
||||
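Review bot: The new title and Description change the pass condition from "DEFAULT or stricter" to exactly `default`, explicitly calling `terse` a deviation, whereas the removed title (and the CIS wording it came from) treated `terse` as a compliant, stricter setting. If the check implementation still accepts `terse`, the metadata now contradicts it; if it was changed to match, previously compliant instances will gain findings for a setting that leaks less, which the Risk text itself concedes is the lower-exposure option. I would keep the Description aligned with the historical intent, e.g. `"Description": "**Cloud SQL for PostgreSQL** instances are evaluated for the `log_error_verbosity` database flag being `default` or stricter (`terse`); `verbose` is reported as a finding."`, and state in Notes whether an absent flag passes, since step 4 of the console guidance ("or remove the custom value") assumes it does.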
@@ -1,29 +1,35 @@
|
||||
{
|
||||
"Provider": "gcp",
|
||||
"CheckID": "cloudsql_instance_postgres_log_min_duration_statement_flag",
|
||||
"CheckTitle": "Ensure that the Log_min_duration_statement Flag for a Cloud SQL PostgreSQL Instance Is Set to -1",
|
||||
"CheckTitle": "Cloud SQL PostgreSQL instance has the log_min_duration_statement flag set to -1",
|
||||
"CheckType": [],
|
||||
"ServiceName": "cloudsql",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "DatabaseInstance",
|
||||
"Description": "Ensure that the Log_min_duration_statement Flag for a Cloud SQL PostgreSQL Instance Is Set to -1",
|
||||
"Risk": "The log_min_duration_statement flag defines the minimum amount of execution time of a statement in milliseconds where the total duration of the statement is logged. Ensure that log_min_duration_statement is disabled, i.e., a value of -1 is set.",
|
||||
"ResourceType": "sqladmin.googleapis.com/Instance",
|
||||
"Description": "**Cloud SQL for PostgreSQL** evaluates whether `log_min_duration_statement` is set to `-1`, disabling **statement duration logging**.",
|
||||
"Risk": "When duration-based statement logging is enabled, logs can capture full SQL with literals, exposing **confidential data** in log stores. Adversaries or over-privileged users could harvest secrets/PII, profile schemas, and support **lateral movement**. Heavy logging can also raise costs and impact availability under load.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudSQL/configure-log-min-error-statement-flag.html",
|
||||
"https://cloud.google.com/sql/docs/postgres/flags"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "gcloud sql instances patch INSTANCE_NAME --database-flags log_min_duration_statement=-1",
|
||||
"CLI": "gcloud sql instances patch <example_resource_id> --database-flags=log_min_duration_statement=-1",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudSQL/configure-log-min-error-statement-flag.html",
|
||||
"Terraform": ""
|
||||
"Other": "1. In Google Cloud Console, go to SQL > Instances\n2. Select your PostgreSQL instance\n3. Click Edit\n4. In Database flags, add or edit log_min_duration_statement and set it to -1\n5. Click Save (the instance may restart)",
|
||||
"Terraform": "```hcl\nresource \"google_sql_database_instance\" \"<example_resource_name>\" {\n name = \"<example_resource_id>\"\n region = \"<region>\"\n database_version = \"POSTGRES_14\"\n\n settings {\n tier = \"<tier>\"\n # Critical: set to -1 to pass the check\n database_flags {\n name = \"log_min_duration_statement\" # Critical\n value = \"-1\" # Critical\n }\n }\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Logging SQL statements may include sensitive information that should not be recorded in logs. This recommendation is applicable to PostgreSQL database instances.",
|
||||
"Url": "https://cloud.google.com/sql/docs/postgres/flags"
|
||||
"Text": "Keep `log_min_duration_statement` at `-1` in production to avoid writing sensitive query text to logs. Apply **least privilege** to log access, enforce **data minimization** with redaction and short retention. *If troubleshooting is required*, enable narrowly and temporarily, prefer non-prod, and monitor access.",
|
||||
"Url": "https://hub.prowler.com/check/cloudsql_instance_postgres_log_min_duration_statement_flag"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"logging"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
|
||||
|
||||
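Review bot: Setting `log_min_duration_statement=-1` only disables duration-based statement logging; query text still reaches the logs if `log_statement` is set to `mod`/`ddl`/`all`, and the sibling check in this commit (`cloudsql_instance_postgres_enable_pgaudit_flag`) deliberately turns on full statement auditing, so the Recommendation's promise "to avoid writing sensitive query text to logs" is only true if those are reviewed too. I would add a sentence such as `Also review log_statement and any pgAudit configuration, since both emit statement text regardless of this flag.`. Separately, the `AdditionalURLs` entry `https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudSQL/configure-log-min-error-statement-flag.html` is the `log_min_error_statement` page, copied from the neighbouring check, and should be corrected or removed.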
@@ -1,29 +1,35 @@
|
||||
{
|
||||
"Provider": "gcp",
|
||||
"CheckID": "cloudsql_instance_postgres_log_min_error_statement_flag",
|
||||
"CheckTitle": "Ensure that the Log_min_error_statement Flag for a Cloud SQL PostgreSQL Instance Is Set Appropriately",
|
||||
"CheckTitle": "Cloud SQL for PostgreSQL instance has log_min_error_statement set to error",
|
||||
"CheckType": [],
|
||||
"ServiceName": "cloudsql",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "DatabaseInstance",
|
||||
"Description": "Ensure that the Log_min_error_statement Flag for a Cloud SQL PostgreSQL Instance Is Set Appropriately",
|
||||
"Risk": "The log_min_error_statement flag defines the minimum message severity level that are considered as an error statement. Messages for error statements are logged with the SQL statement. Valid values include DEBUG5, DEBUG4, DEBUG3, DEBUG2, DEBUG1, INFO, NOTICE, WARNING, ERROR, LOG, FATAL, and PANIC. Each severity level includes the subsequent levels mentioned above. Ensure a value of ERROR or stricter is set.",
|
||||
"ResourceType": "sqladmin.googleapis.com/Instance",
|
||||
"Description": "**Cloud SQL for PostgreSQL** uses the `log_min_error_statement` flag and expects it set to `error`, the severity threshold that controls when SQL text is logged with error messages.",
|
||||
"Risk": "An incorrect threshold skews visibility and exposure:\n- Lower than `error`: logs excessive SQL, risking **confidentiality** loss and alert noise (monitoring availability).\n- Higher than `error`: omits query context for real errors, weakening audit trail **integrity** and incident response.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudSQL/configure-log-min-error-statement-flag.html",
|
||||
"https://cloud.google.com/sql/docs/postgres/flags"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "gcloud sql instances patch INSTANCE_NAME --database-flags log_min_error_statement=error",
|
||||
"CLI": "gcloud sql instances patch <example_resource_name> --database-flags=log_min_error_statement=error",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudSQL/configure-log-min-error-statement-flag.html",
|
||||
"Terraform": ""
|
||||
"Other": "1. In Google Cloud Console, go to Cloud SQL > Instances and open your PostgreSQL instance\n2. Click Edit\n3. In Database flags, click Add item, select log_min_error_statement, set value to error\n4. Click Save (the instance will restart)",
|
||||
"Terraform": "```hcl\nresource \"google_sql_database_instance\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n database_version = \"POSTGRES_14\"\n region = \"us-central1\"\n\n settings {\n tier = \"db-custom-2-7680\"\n database_flags {\n name = \"log_min_error_statement\" # critical: requires minimum 'error' level\n value = \"error\" # sets the flag to pass the check\n }\n }\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Auditing helps in troubleshooting operational problems and also permits forensic analysis. If log_min_error_statement is not set to the correct value, messages may not be classified as error messages appropriately. Considering general log messages as error messages would make is difficult to find actual errors and considering only stricter severity levels as error messages may skip actual errors to log their SQL statements. The log_min_error_statement flag should be set to ERROR or stricter.",
|
||||
"Url": "https://cloud.google.com/sql/docs/postgres/flags"
|
||||
"Text": "Set `log_min_error_statement` to `error` to balance insight and exposure. Enforce a **logging policy** that limits sensitive data in queries and supports **defense in depth**. Periodically review severity and retention to match workload and compliance needs and maintain reliable forensic readiness.",
|
||||
"Url": "https://hub.prowler.com/check/cloudsql_instance_postgres_log_min_error_statement_flag"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"logging"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
|
||||
|
||||
@@ -1,29 +1,35 @@
|
||||
{
|
||||
"Provider": "gcp",
|
||||
"CheckID": "cloudsql_instance_postgres_log_min_messages_flag",
|
||||
"CheckTitle": "Ensure that the Log_min_messages Flag for a Cloud SQL PostgreSQL Instance Is Set Appropriately",
|
||||
"CheckTitle": "Cloud SQL PostgreSQL instance has the log_min_messages flag set to WARNING or higher",
|
||||
"CheckType": [],
|
||||
"ServiceName": "cloudsql",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "DatabaseInstance",
|
||||
"Description": "Ensure that the Log_min_messages Flag for a Cloud SQL PostgreSQL Instance Is Set Appropriately",
|
||||
"Risk": "Auditing helps in troubleshooting operational problems and also permits forensic analysis. If log_min_messages is not set to the correct value, messages may not be classified as error messages appropriately. An organization will need to decide their own threshold for logging log_min_messages flag.",
|
||||
"ResourceType": "sqladmin.googleapis.com/Instance",
|
||||
"Description": "**Cloud SQL for PostgreSQL** instances are evaluated for the `log_min_messages` flag being set to a sufficiently high severity. Instances with the flag missing or set below `ERROR` (e.g., `DEBUG*`, `INFO`, `NOTICE`) are identified.",
|
||||
"Risk": "Insufficient `log_min_messages` severity degrades **audit log integrity**, causing real failures to be treated as non-errors or lack context. This delays detection and impairs **forensics**, enabling unnoticed data tampering or repeated faulty operations, impacting the **integrity** and **availability** of the service.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.prowler.com/checks/gcp/cloud-sql-policies/bc_gcp_sql_4#terraform",
|
||||
"https://cloud.google.com/sql/docs/postgres/flags"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "gcloud sql instances patch INSTANCE_NAME --database-flags log_min_messages=warning",
|
||||
"CLI": "gcloud sql instances patch <example_resource_name> --database-flags=log_min_messages=warning",
|
||||
"NativeIaC": "",
|
||||
"Other": "",
|
||||
"Terraform": "https://docs.prowler.com/checks/gcp/cloud-sql-policies/bc_gcp_sql_4#terraform"
|
||||
"Other": "1. In Google Cloud Console, go to SQL and select your PostgreSQL instance\n2. Click Edit\n3. In Database flags, click Add item\n4. Choose log_min_messages and set value to warning\n5. Click Save and confirm the restart",
|
||||
"Terraform": "```hcl\nresource \"google_sql_database_instance\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n region = \"<example_region>\"\n database_version = \"POSTGRES_14\"\n\n settings {\n tier = \"db-f1-micro\"\n\n # Critical: sets the minimum PostgreSQL log level to WARNING (or higher) to pass the check\n database_flags {\n name = \"log_min_messages\" # sets the flag\n value = \"warning\" # acceptable level (WARNING or higher)\n }\n }\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "The log_min_messages flag defines the minimum message severity level that is considered as an error statement. Messages for error statements are logged with the SQL statement. Valid values include DEBUG5, DEBUG4, DEBUG3, DEBUG2, DEBUG1, INFO, NOTICE, WARNING, ERROR, LOG, FATAL, and PANIC. Each severity level includes the subsequent levels mentioned above. ERROR is considered the best practice setting. Changes should only be made in accordance with the organization's logging policy.",
|
||||
"Url": "https://cloud.google.com/sql/docs/postgres/flags"
|
||||
"Text": "Set `log_min_messages` to **ERROR or stricter** to ensure error statements are captured with context. Align with centralized logging, retention, and review processes. Prefer **defense in depth** by preserving actionable error telemetry, while balancing verbosity and cost per your logging policy.",
|
||||
"Url": "https://hub.prowler.com/check/cloudsql_instance_postgres_log_min_messages_flag"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"logging"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
|
||||
|
||||
@@ -1,29 +1,34 @@
|
||||
{
|
||||
"Provider": "gcp",
|
||||
"CheckID": "cloudsql_instance_postgres_log_statement_flag",
|
||||
"CheckTitle": "Ensure That the Log_statement Database Flag for Cloud SQL PostgreSQL Instance Is Set Appropriately",
|
||||
"CheckTitle": "Cloud SQL PostgreSQL instance has 'log_statement' flag set to 'ddl'",
|
||||
"CheckType": [],
|
||||
"ServiceName": "cloudsql",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "DatabaseInstance",
|
||||
"Description": "Ensure That the Log_statement Database Flag for Cloud SQL PostgreSQL Instance Is Set Appropriately",
|
||||
"Risk": "Auditing helps in forensic analysis. If log_statement is not set to the correct value, too many statements may be logged leading to issues in finding the relevant information from the logs, or too few statements may be logged with relevant information missing from the logs.",
|
||||
"ResourceType": "sqladmin.googleapis.com/Instance",
|
||||
"Description": "**Cloud SQL for PostgreSQL** instances have `log_statement` set to `ddl`, recording only data definition statements in server logs",
|
||||
"Risk": "Missing `ddl` logging leaves schema changes untracked, undermining **integrity** and hindering investigations.\n\nExcessive logging (e.g., `all`) can inflate volumes, impair **availability**, raise costs, and leak sensitive values, harming **confidentiality**.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://cloud.google.com/sql/docs/postgres/flags"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "gcloud sql instances patch INSTANCE_NAME --database-flags log_statement=ddl",
|
||||
"CLI": "gcloud sql instances patch <example_resource_name> --database-flags=log_statement=ddl",
|
||||
"NativeIaC": "",
|
||||
"Other": "",
|
||||
"Terraform": ""
|
||||
"Other": "1. In Google Cloud Console, go to SQL > Instances and open <example_resource_name>\n2. Click Edit\n3. In Database flags, click Add item\n4. Select log_statement and set value to ddl\n5. Click Save",
|
||||
"Terraform": "```hcl\nresource \"google_sql_database_instance\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n region = \"<region>\"\n database_version = \"POSTGRES_14\"\n\n settings {\n tier = \"db-custom-2-7680\"\n\n # Critical: sets PostgreSQL 'log_statement' to 'ddl' to pass the check\n database_flags {\n name = \"log_statement\" # required flag name\n value = \"ddl\" # required value\n }\n }\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "The value ddl logs all data definition statements. A value of 'ddl' is recommended unless otherwise directed by your organization's logging policy.",
|
||||
"Url": "https://cloud.google.com/sql/docs/postgres/flags"
|
||||
"Text": "Configure `log_statement` to `ddl` to capture schema changes without excessive noise. Apply **defense in depth**: use targeted auditing for data access, restrict and monitor log access with **least privilege**, and enforce log retention and rotation to protect availability.",
|
||||
"Url": "https://hub.prowler.com/check/cloudsql_instance_postgres_log_statement_flag"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"logging"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
|
||||
|
||||
@@ -1,29 +1,39 @@
|
||||
{
|
||||
"Provider": "gcp",
|
||||
"CheckID": "cloudsql_instance_private_ip_assignment",
|
||||
"CheckTitle": "Ensure Instance IP assignment is set to private",
|
||||
"CheckTitle": "Cloud SQL instance has no public IP addresses",
|
||||
"CheckType": [],
|
||||
"ServiceName": "cloudsql",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "DatabaseInstance",
|
||||
"Description": "Ensure Instance IP assignment is set to private",
|
||||
"Risk": "Instance addresses can be public IP or private IP. Public IP means that the instance is accessible through the public internet. In contrast, instances using only private IP are not accessible through the public internet, but are accessible through a Virtual Private Cloud (VPC). Limiting network access to your database will limit potential attacks.",
|
||||
"Severity": "high",
|
||||
"ResourceType": "sqladmin.googleapis.com/Instance",
|
||||
"Description": "Cloud SQL instances are evaluated for IP assignment, highlighting instances that have any **public IP** instead of being restricted to **private IP** only.",
|
||||
"Risk": "**Public database endpoints** expose services to Internet scanning, brute-force logins, and exploit attempts. A compromise can cause data exfiltration (**confidentiality**), unauthorized changes (**integrity**), and outages or DDoS impact (**availability**), while bypassing VPC isolation and enabling lateral movement.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://cloud.google.com/sql/docs/mysql/configure-private-ip",
|
||||
"https://medium.com/google-cloud/cloud-sql-with-private-ip-only-the-good-the-bad-and-the-ugly-de4ac23ce98a",
|
||||
"https://github.com/gruntwork-io/terraform-google-sql/blob/master/examples/postgres-private-ip/main.tf",
|
||||
"https://stackoverflow.com/questions/70625753/in-dataprep-how-to-create-connection-with-instance-of-sql-without-public-ip-on/71122701",
|
||||
"https://docs.cloud.google.com/sql/docs/sqlserver/recommender-disable-public-ip",
|
||||
"https://serverfault.com/questions/999967/how-to-connect-to-postgres-cloud-sql-without-public-ip-from-cloud-run"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"CLI": "gcloud beta sql instances patch <example_resource_id> --project=<example_project_id> --network=projects/<example_project_id>/global/networks/<example_resource_name> --no-assign-ip",
|
||||
"NativeIaC": "",
|
||||
"Other": "",
|
||||
"Terraform": ""
|
||||
"Other": "1. In Google Cloud Console, go to Cloud SQL and open <example_resource_id>\n2. Click Connections > Networking\n3. Uncheck Public IP\n4. Check Private IP and select your VPC network\n5. If prompted, click Set up connection to create private services access, then continue\n6. Click Save and wait for the instance to restart",
|
||||
"Terraform": "```hcl\nresource \"google_sql_database_instance\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n region = \"<example_region>\"\n database_version = \"POSTGRES_14\"\n\n settings {\n tier = \"db-f1-micro\"\n\n ip_configuration {\n ipv4_enabled = false # Critical: disables public IP\n private_network = \"projects/<example_project_id>/global/networks/<example_resource_name>\" # Critical: enables private IP on the specified VPC\n }\n }\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Setting databases access only to private will reduce attack surface.",
|
||||
"Url": "https://cloud.google.com/sql/docs/mysql/configure-private-ip"
|
||||
"Text": "Use **private IP-only** connectivity for databases. Remove public IPs, segment access to required VPCs/subnets, and enforce **least privilege** with strong auth and TLS. For external access, use secure private channels (VPN/Interconnect) or a hardened bastion. Monitor connections as part of **defense in depth**.",
|
||||
"Url": "https://hub.prowler.com/check/cloudsql_instance_private_ip_assignment"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"internet-exposed"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
|
||||
|
||||
@@ -1,26 +1,30 @@
|
||||
{
|
||||
"Provider": "gcp",
|
||||
"CheckID": "cloudsql_instance_public_access",
|
||||
"CheckTitle": "Ensure That Cloud SQL Database Instances Do Not Implicitly Whitelist All Public IP Addresses ",
|
||||
"CheckTitle": "Cloud SQL instance does not allow 0.0.0.0/0 in authorized networks",
|
||||
"CheckType": [],
|
||||
"ServiceName": "cloudsql",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "high",
|
||||
"ResourceType": "DatabaseInstance",
|
||||
"Description": "Ensure That Cloud SQL Database Instances Do Not Implicitly Whitelist All Public IP Addresses ",
|
||||
"Risk": "To minimize attack surface on a Database server instance, only trusted/known and required IP(s) should be white-listed to connect to it. An authorized network should not have IPs/networks configured to 0.0.0.0/0 which will allow access to the instance from anywhere in the world. Note that authorized networks apply only to instances with public IPs.",
|
||||
"Severity": "critical",
|
||||
"ResourceType": "sqladmin.googleapis.com/Instance",
|
||||
"Description": "**Cloud SQL authorized networks** are checked for the open CIDR `0.0.0.0/0` on instances using a public IP.\n\nThe finding flags configurations where a catch-all entry exists instead of specific client ranges.",
|
||||
"Risk": "Allowing `0.0.0.0/0` makes the database reachable from the Internet, degrading **confidentiality** and **availability**. Attackers can brute-force credentials, probe for vulnerable endpoints, exfiltrate data via unauthorized queries, and trigger resource exhaustion through automated scanning.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://cloud.google.com/sql/docs/mysql/connection-org-policy",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudSQL/publicly-accessible-cloud-sql-instances.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "gcloud sql instances patch <INSTANCE_NAME> --authorized-networks=IP_ADDR1,IP_ADDR2...",
|
||||
"CLI": "gcloud sql instances patch <INSTANCE_NAME> --authorized-networks=\"\"",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudSQL/publicly-accessible-cloud-sql-instances.html",
|
||||
"Terraform": ""
|
||||
"Other": "1. In Google Cloud Console, go to SQL > Instances and select your instance\n2. Open the Connections tab\n3. Under Authorized networks, delete the entry 0.0.0.0/0\n4. Click Save",
|
||||
"Terraform": "```hcl\nresource \"google_sql_database_instance\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n database_version = \"<DATABASE_VERSION>\"\n\n settings {\n tier = \"<TIER>\"\n\n ip_configuration {\n authorized_networks {\n value = \"<ALLOWED_CIDR>\" # Critical: remove 0.0.0.0/0; allow only specific CIDR to pass the check\n }\n }\n }\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Database Server should accept connections only from trusted Network(s)/IP(s) and restrict access from public IP addresses.",
|
||||
"Url": "https://cloud.google.com/sql/docs/mysql/connection-org-policy"
|
||||
"Text": "Enforce **least privilege** network access:\n- Remove `0.0.0.0/0`; allow only trusted, fixed IP ranges\n- Prefer **private IP** or **Private Service Connect** with VPC controls\n- Use proxied access (Cloud SQL Auth Proxy) over direct public connections\n- Apply org policies to prevent broad allowlists",
|
||||
"Url": "https://hub.prowler.com/check/cloudsql_instance_public_access"
|
||||
}
|
||||
},
|
||||
"Categories": [
|
||||
|
||||
@@ -1,26 +1,36 @@
|
||||
{
|
||||
"Provider": "gcp",
|
||||
"CheckID": "cloudsql_instance_public_ip",
|
||||
"CheckTitle": "Check for Cloud SQL Database Instances with Public IPs",
|
||||
"CheckTitle": "Cloud SQL database instance does not have a public IP address",
|
||||
"CheckType": [],
|
||||
"ServiceName": "cloudsql",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "DatabaseInstance",
|
||||
"Description": "Check for Cloud SQL Database Instances with Public IPs",
|
||||
"Risk": "To lower the organization's attack surface, Cloud SQL databases should not have public IPs. Private IPs provide improved network security and lower latency for your application.",
|
||||
"RelatedUrl": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudSQL/sql-database-instances-with-public-ips.html",
|
||||
"Severity": "high",
|
||||
"ResourceType": "sqladmin.googleapis.com/Instance",
|
||||
"Description": "**Cloud SQL instances** are evaluated for exposure via **public IP addresses** instead of `private IP` connectivity within a VPC.\n\nInstances with an externally routable database endpoint are surfaced.",
|
||||
"Risk": "**Public DB endpoints** expand attack surface:\n- Credential brute force and SQL injection threaten **confidentiality** and **integrity**\n- Internet DDoS reduces **availability**\n- Exposure bypasses VPC controls, easing **lateral movement** and data exfiltration",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudSQL/sql-database-instances-with-public-ips.html",
|
||||
"https://cloud.google.com/sql/docs/mysql/configure-private-ip",
|
||||
"https://github.com/paladincloud/ce/wiki/gcp-policy",
|
||||
"https://docs.prowler.com/checks/gcp/cloud-sql-policies/bc_gcp_sql_11",
|
||||
"https://groups.google.com/g/google-appengine/c/qx8TsP1R034",
|
||||
"https://stackoverflow.com/questions/60207375/how-to-deploy-a-private-google-cloudsql-instance-assigning-exiting-vpc-network",
|
||||
"https://docs.cloud.google.com/sql/docs/mysql/recommender-disable-public-ip",
|
||||
"https://docs.prowler.com/checks/gcp/cloud-sql-policies/bc_gcp_sql_11#terraform"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "gcloud sql instances patch <MYSQL_INSTANCE> --project <PROJECT_ID> --network=<NETWORK_ID> --no-assign-ip",
|
||||
"CLI": "gcloud beta sql instances patch <example_resource_id> --project=<example_resource_id> --network=projects/<example_resource_id>/global/networks/<example_resource_name> --no-assign-ip",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://docs.prowler.com/checks/gcp/cloud-sql-policies/bc_gcp_sql_11",
|
||||
"Terraform": "https://docs.prowler.com/checks/gcp/cloud-sql-policies/bc_gcp_sql_11#terraform"
|
||||
"Other": "1. In Google Cloud Console, go to Cloud SQL > Instances and select <example_resource_name>\n2. Open Connections > Networking\n3. Check Private IP and select the VPC network; if prompted, click Set up connection to create the private service connection\n4. Uncheck Public IP\n5. Click Save",
|
||||
"Terraform": "```hcl\n# Cloud SQL instance without public IP\nresource \"google_sql_database_instance\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n region = \"<REGION>\"\n database_version = \"MYSQL_8_0\"\n\n settings {\n tier = \"db-f1-micro\"\n ip_configuration {\n ipv4_enabled = false # Critical: disables public (IPv4) IP\n private_network = \"projects/<example_project_id>/global/networks/<example_resource_name>\" # Critical: ensures private IP via specified VPC\n }\n }\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "To lower the organization's attack surface, Cloud SQL databases should not have public IPs. Private IPs provide improved network security and lower latency for your application.",
|
||||
"Url": "https://cloud.google.com/sql/docs/mysql/configure-private-ip"
|
||||
"Text": "Prefer **private IP** and disable public endpoints. Access databases over VPC, VPN/Interconnect, or **Private Service Connect**. If `authorized networks` are required, restrict to specific sources-never `0.0.0.0/0`. Enforce **least privilege** IAM, use Cloud SQL connectors/proxy, and layer **defense in depth** with network controls and monitoring.",
|
||||
"Url": "https://hub.prowler.com/check/cloudsql_instance_public_ip"
|
||||
}
|
||||
},
|
||||
"Categories": [
|
||||
|
||||
@@ -1,29 +1,39 @@
|
||||
{
|
||||
"Provider": "gcp",
|
||||
"CheckID": "cloudsql_instance_sqlserver_contained_database_authentication_flag",
|
||||
"CheckTitle": "Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off' ",
|
||||
"CheckTitle": "Cloud SQL for SQL Server instance has 'contained database authentication' flag set to off",
|
||||
"CheckType": [],
|
||||
"ServiceName": "cloudsql",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "DatabaseInstance",
|
||||
"Description": "Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off' ",
|
||||
"Risk": "A contained database includes all database settings and metadata required to define the database and has no configuration dependencies on the instance of the Database Engine where the database is installed. Users can connect to the database without authenticating a login at the Database Engine level. Isolating the database from the Database Engine makes it possible to easily move the database to another instance of SQL Server. Contained databases have some unique threats that should be understood and mitigated by SQL Server Database Engine administrators. Most of the threats are related to the USER WITH PASSWORD authentication process, which moves the authentication boundary from the Database Engine level to the database level, hence this is recommended to disable this flag. This recommendation is applicable to SQL Server database instances.",
|
||||
"ResourceType": "sqladmin.googleapis.com/Instance",
|
||||
"Description": "Cloud SQL for SQL Server instances are evaluated for the **contained database authentication** setting. The check inspects the `contained database authentication` flag and expects its value to be `off`.",
|
||||
"Risk": "Enabling contained authentication moves identity checks to the database, bypassing server-level logins and policies. This weakens centralized controls and auditing, enables password spraying on contained users, and can persist users across copies, increasing unauthorized data access and tampering risk to **confidentiality** and **integrity**.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudSQL/disable-contained-database-authentication-flag.html",
|
||||
"https://www.cloudanix.com/docs/gcp/audit/gcpsqlmonitoring/rules/sql_contained_database_authentication_flag_remediation",
|
||||
"https://docs.prowler.com/checks/gcp/cloud-sql-policies/bc_gcp_sql_10#terraform",
|
||||
"https://guides.spectralops.io/docs/d9_gcp_vln_04",
|
||||
"https://docs.prowler.com/checks/gcp/cloud-sql-policies/bc_gcp_sql_10/",
|
||||
"https://cloud.google.com/sql/docs/sqlserver/flags"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "gcloud sql instances patch <INSTANCE_NAME> --database-flags contained database authentication=off",
|
||||
"CLI": "gcloud sql instances patch <INSTANCE_NAME> --database-flags=\"contained database authentication\"=off",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudSQL/disable-contained-database-authentication-flag.html",
|
||||
"Terraform": "https://docs.prowler.com/checks/gcp/cloud-sql-policies/bc_gcp_sql_10#terraform"
|
||||
"Other": "1. In Google Cloud Console, go to Cloud SQL > Instances\n2. Open the SQL Server instance\n3. Click Edit\n4. In Database flags, add or edit: contained database authentication = Off\n5. Click Save (the instance may restart)",
|
||||
"Terraform": "```hcl\nresource \"google_sql_database_instance\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n region = \"<REGION>\"\n database_version = \"SQLSERVER_2019_STANDARD\"\n\n settings {\n tier = \"<TIER>\"\n database_flags {\n name = \"contained database authentication\" # critical: target flag\n value = \"off\" # critical: disable contained DB auth\n }\n }\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "It is recommended to set contained database authentication database flag for Cloud SQL on the SQL Server instance to off.",
|
||||
"Url": "https://cloud.google.com/sql/docs/sqlserver/flags"
|
||||
"Text": "Keep `contained database authentication` set to `off`. Centralize authentication and auditing at the server layer or via directory integration, and apply **least privilege**. Avoid `USER WITH PASSWORD` contained users. If containment is unavoidable, tightly scope usage, enforce strong credentials, and monitor login activity.",
|
||||
"Url": "https://hub.prowler.com/check/cloudsql_instance_sqlserver_contained_database_authentication_flag"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"identity-access"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
|
||||
|
||||
@@ -1,29 +1,41 @@
|
||||
{
|
||||
"Provider": "gcp",
|
||||
"CheckID": "cloudsql_instance_sqlserver_cross_db_ownership_chaining_flag",
|
||||
"CheckTitle": "Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off'",
|
||||
"CheckTitle": "Cloud SQL SQL Server instance has 'cross db ownership chaining' flag set to off",
|
||||
"CheckType": [],
|
||||
"ServiceName": "cloudsql",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "DatabaseInstance",
|
||||
"Description": "Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off'",
|
||||
"Risk": "Use the cross db ownership for chaining option to configure cross-database ownership chaining for an instance of Microsoft SQL Server. This server option allows you to control cross-database ownership chaining at the database level or to allow cross- database ownership chaining for all databases. Enabling cross db ownership is not recommended unless all of the databases hosted by the instance of SQL Server must participate in cross-database ownership chaining and you are aware of the security implications of this setting.",
|
||||
"Severity": "high",
|
||||
"ResourceType": "sqladmin.googleapis.com/Instance",
|
||||
"Description": "**Cloud SQL SQL Server** instances are evaluated for the `cross db ownership chaining` server flag. The finding identifies SQL Server instances where this flag isn't set to `off`, meaning cross-database ownership chaining is permitted.",
|
||||
"Risk": "Allowing cross-database ownership chaining erodes database boundaries, impacting **confidentiality** and **integrity**. Users with privileges in one database can traverse ownership chains to access or modify objects in others, enabling **privilege escalation**, **lateral movement**, and unauthorized data exposure.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://hub.powerpipe.io/mods/turbot/gcp_compliance/controls/control.cis_v130_6_3_2",
|
||||
"https://github.com/PaladinCloud/CE/wiki/GCP-Policy",
|
||||
"https://www.cloudanix.com/misconfig/gcp/gcpsqlmonitoring",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudSQL/disable-cross-db-ownership-chaining-flag.html",
|
||||
"https://guides.spectralops.io/docs/d9_gcp_vln_03",
|
||||
"https://cloud.google.com/sql/docs/sqlserver/flags",
|
||||
"https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/terraform/gcp/sql_database_has_cross_db_ownership_chaining/"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "gcloud sql instances patch INSTANCE_NAME --database-flags cross db ownership=off",
|
||||
"CLI": "gcloud sql instances patch <example_resource_name> --database-flags '\"cross db ownership chaining\"=off'",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudSQL/disable-cross-db-ownership-chaining-flag.html",
|
||||
"Terraform": ""
|
||||
"Other": "1. In the Google Cloud Console, go to SQL > Instances\n2. Open the SQL Server instance (<example_resource_name>) and click Edit\n3. Scroll to Flags and click Add item (or edit if present)\n4. Select cross db ownership chaining and set value to off\n5. Click Save and restart if prompted",
|
||||
"Terraform": "```hcl\nresource \"google_sql_database_instance\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n region = \"<REGION>\"\n database_version = \"SQLSERVER_2019_STANDARD\"\n\n settings {\n tier = \"<TIER>\"\n\n # Critical: ensures the flag is OFF to pass the check\n database_flags {\n name = \"cross db ownership chaining\" # disables cross-database ownership chaining\n value = \"off\"\n }\n }\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "It is recommended to set cross db ownership chaining database flag for Cloud SQL SQL Server instance to off.",
|
||||
"Url": "https://cloud.google.com/sql/docs/sqlserver/flags"
|
||||
"Text": "Keep `cross db ownership chaining` set to `off` to maintain database isolation. Enforce **least privilege** with explicit per-database permissions and **separation of duties**. Prefer controlled execution patterns (e.g., signed modules) over implicit trusts, and periodically review flags and access. *This flag is deprecated-do not enable it.*",
|
||||
"Url": "https://hub.prowler.com/check/cloudsql_instance_sqlserver_cross_db_ownership_chaining_flag"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"identity-access",
|
||||
"trust-boundaries"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
|
||||
|
||||
@@ -1,29 +1,36 @@
|
||||
{
|
||||
"Provider": "gcp",
|
||||
"CheckID": "cloudsql_instance_sqlserver_external_scripts_enabled_flag",
|
||||
"CheckTitle": "Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'",
|
||||
"CheckTitle": "Cloud SQL SQL Server instance has 'external scripts enabled' flag set to 'off'",
|
||||
"CheckType": [],
|
||||
"ServiceName": "cloudsql",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "high",
|
||||
"ResourceType": "DatabaseInstance",
|
||||
"Description": "Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'",
|
||||
"Risk": "external scripts enabled enable the execution of scripts with certain remote language extensions. This property is OFF by default. When Advanced Analytics Services is installed, setup can optionally set this property to true. As the External Scripts Enabled feature allows scripts external to SQL such as files located in an R library to be executed, which could adversely affect the security of the system, hence this should be disabled.",
|
||||
"ResourceType": "sqladmin.googleapis.com/Instance",
|
||||
"Description": "**Cloud SQL for SQL Server** instances have the `external scripts enabled` database flag set to `off`",
|
||||
"Risk": "Allowing **external scripts** lets SQL invoke language extensions (e.g., R/Python), enabling arbitrary code execution. This can cause data exfiltration (**confidentiality**), tampered query results (**integrity**), and resource exhaustion or service degradation (**availability**), and may facilitate lateral movement from the database layer.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.cloud.google.com/sql/docs/sqlserver/flags?hl=it",
|
||||
"https://cloud.google.com/sql/docs/sqlserver/flags",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudSQL/disable-external-scripts-enabled-flag.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "gcloud sql instances patch INSTANCE_NAME --database-flags external scripts enabled=off",
|
||||
"CLI": "gcloud sql instances patch <INSTANCE_NAME> --database-flags=\"external scripts enabled\"=off",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudSQL/disable-external-scripts-enabled-flag.html",
|
||||
"Terraform": ""
|
||||
"Other": "1. In Google Cloud Console, go to SQL > Instances and select the SQL Server instance\n2. Click Edit\n3. In the Flags section, add or locate \"external scripts enabled\"\n4. Set its value to Off\n5. Click Save to apply (the instance may restart)",
|
||||
"Terraform": "```hcl\nresource \"google_sql_database_instance\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n region = \"<REGION>\"\n database_version = \"SQLSERVER_2019_STANDARD\"\n\n settings {\n tier = \"db-custom-2-7680\"\n\n # Critical: disables external scripts on the SQL Server instance\n database_flags {\n name = \"external scripts enabled\" # sets the flag\n value = \"off\" # required value to pass the check\n }\n }\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "It is recommended to set external scripts enabled database flag for Cloud SQL SQL Server instance to off",
|
||||
"Url": "https://cloud.google.com/sql/docs/sqlserver/flags"
|
||||
"Text": "Keep `external scripts enabled` set to `off`. Apply **least privilege** and **defense in depth** by disabling code-execution features in the database. If analytics are required, use isolated instances, restrict outbound network access, and enforce change control and auditing to prevent misuse.",
|
||||
"Url": "https://hub.prowler.com/check/cloudsql_instance_sqlserver_external_scripts_enabled_flag"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"vulnerabilities"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
|
||||
|
||||
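Review bot: The new `"CLI"` line, `gcloud sql instances patch <INSTANCE_NAME> --database-flags="external scripts enabled"=off`, replaces the instance's whole database-flag set rather than adding one flag, so any flag already configured on the instance (for example the `3625`, `remote access` or `cross db ownership chaining` settings that the sibling checks in this series require) is reset to its default when the command is run as written. The same applies to the `--database-flags` commands in the `remote access`, `3625 (trace flag)` and `user connections` sections below. The CLI string or the `"Other"` steps should state that every flag the instance must keep has to be re-listed in the same invocation, e.g. `--database-flags="external scripts enabled"=off,3625=on,<other existing flags>`. The placeholder `<INSTANCE_NAME>` also differs from the `<example_resource_name>` used by the neighbouring files.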
@@ -1,29 +1,38 @@
|
||||
{
|
||||
"Provider": "gcp",
|
||||
"CheckID": "cloudsql_instance_sqlserver_remote_access_flag",
|
||||
"CheckTitle": "Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off'",
|
||||
"CheckTitle": "Cloud SQL SQL Server instance has 'remote access' database flag set to 'off'",
|
||||
"CheckType": [],
|
||||
"ServiceName": "cloudsql",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "high",
|
||||
"ResourceType": "DatabaseInstance",
|
||||
"Description": "Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off'",
|
||||
"Risk": "The remote access option controls the execution of stored procedures from local or remote servers on which instances of SQL Server are running. This default value for this option is 1. This grants permission to run local stored procedures from remote servers or remote stored procedures from the local server. To prevent local stored procedures from being run from a remote server or remote stored procedures from being run on the local server, this must be disabled. The Remote Access option controls the execution of local stored procedures on remote servers or remote stored procedures on local server. 'Remote access' functionality can be abused to launch a Denial-of- Service (DoS) attack on remote servers by off-loading query processing to a target, hence this should be disabled. This recommendation is applicable to SQL Server database instances.",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "sqladmin.googleapis.com/Instance",
|
||||
"Description": "**Cloud SQL for SQL Server** instances where the `remote access` database flag is `on`, allowing remote procedure calls between servers",
|
||||
"Risk": "Enabling **remote procedure calls** expands exposure: untrusted servers can invoke stored procedures, leading to **data exfiltration** (confidentiality), unauthorized changes (**integrity**), and **DoS** via resource-heavy remote execution (**availability**). It can also enable lateral movement.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://avd.aquasec.com/misconfig/google/sql/sql-server-remote-access-flag-disabled/",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudSQL/disable-remote-access-flag.html",
|
||||
"https://www.mssqltips.com/sqlservertip/2340/resolving-could-not-open-a-connection-to-sql-server-errors/",
|
||||
"https://github.com/paladincloud/ce/wiki/gcp-policy",
|
||||
"https://cloud.google.com/sql/docs/sqlserver/flags"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"CLI": "gcloud sql instances patch <example_resource_name> --database-flags=\"remote access\"=off",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudSQL/disable-remote-access-flag.html",
|
||||
"Terraform": ""
|
||||
"Other": "1. In Google Cloud Console, go to Cloud SQL > Instances\n2. Open the SQL Server instance (<example_resource_name>) and click Edit\n3. Scroll to Database flags and click Add item\n4. Select \"remote access\" and set value to off\n5. Click Save and confirm the restart when prompted\n6. Verify under Overview > Database flags that \"remote access\" = off",
|
||||
"Terraform": "```hcl\nresource \"google_sql_database_instance\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n database_version = \"SQLSERVER_2019_STANDARD\"\n region = \"<example_region>\"\n\n settings {\n tier = \"<example_tier>\"\n\n # Critical: disables SQL Server remote access to pass the check\n database_flags {\n name = \"remote access\"\n value = \"off\" # sets the flag to off\n }\n }\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "It is recommended to set remote access database flag for Cloud SQL SQL Server instance to off.",
|
||||
"Url": "https://cloud.google.com/sql/docs/sqlserver/flags"
|
||||
"Text": "Set `remote access` to `off` to reduce the attack surface. Apply **least privilege** and **defense in depth**: avoid remote stored procedures; if business-required, allow only trusted peers, enforce strong authentication, audit calls, and monitor for abuse.",
|
||||
"Url": "https://hub.prowler.com/check/cloudsql_instance_sqlserver_remote_access_flag"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"trust-boundaries"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
|
||||
|
||||
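Review bot: The new `"Description"` line describes the failing state (instances where the flag is `on`), while every other check in this series describes the compliant state, so the text rendered alongside a PASS finding will read as if remote access were enabled. Suggested wording: `"Description": "**Cloud SQL for SQL Server** instances have the `remote access` database flag set to `off`, so stored procedures cannot be invoked between servers"`. The mssqltips link in `"AdditionalURLs"` is about connection-error troubleshooting rather than this flag and could be dropped.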
@@ -1,29 +1,40 @@
|
||||
{
|
||||
"Provider": "gcp",
|
||||
"CheckID": "cloudsql_instance_sqlserver_trace_flag",
|
||||
"CheckTitle": "Ensure '3625 (trace flag)' database flag for all Cloud SQL Server instances is set to 'on' ",
|
||||
"CheckTitle": "Cloud SQL for SQL Server instance has trace flag 3625 set to 'on'",
|
||||
"CheckType": [],
|
||||
"ServiceName": "cloudsql",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "DatabaseInstance",
|
||||
"Description": "Ensure '3625 (trace flag)' database flag for all Cloud SQL Server instances is set to 'on' ",
|
||||
"Risk": "Microsoft SQL Trace Flags are frequently used to diagnose performance issues or to debug stored procedures or complex computer systems, but they may also be recommended by Microsoft Support to address behavior that is negatively impacting a specific workload. All documented trace flags and those recommended by Microsoft Support are fully supported in a production environment when used as directed. 3625(trace log) Limits the amount of information returned to users who are not members of the sysadmin fixed server role, by masking the parameters of some error messages using '******'. Setting this in a Google Cloud flag for the instance allows for security through obscurity and prevents the disclosure of sensitive information, hence this is recommended to set this flag globally to on to prevent the flag having been left off, or changed by bad actors. This recommendation is applicable to SQL Server database instances.",
|
||||
"ResourceType": "sqladmin.googleapis.com/Instance",
|
||||
"Description": "**Cloud SQL for SQL Server** instances have the `3625 (trace flag)` database flag set to `on`",
|
||||
"Risk": "Without `3625` enabled, SQL errors can reveal parameters and object names to non-admins, weakening **confidentiality** and aiding targeted **injection**, account enumeration, and data discovery. Leaked context helps craft exploits and pivot attacks, ultimately risking data integrity and availability.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudSQL/disable-3625-trace-flag.html",
|
||||
"https://docs.datadoghq.com/security/default_rules/def-000-6vu/",
|
||||
"https://learn.microsoft.com/en-us/sql/relational-databases/security/metadata-visibility-configuration?view=sql-server-ver17",
|
||||
"https://www.patrickkeisler.com/2023/12/how-to-test-trace-flag-3625/",
|
||||
"https://guides.spectralops.io/docs/d9_gcp_vln_08",
|
||||
"https://cloud.google.com/sql/docs/sqlserver/flags",
|
||||
"https://www.sqlservercentral.com/blogs/trace-flag-3625-follow-up"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "gcloud sql instances patch <INSTANCE_NAME> --database-flags 3625=on",
|
||||
"CLI": "gcloud sql instances patch <INSTANCE_NAME> --database-flags=3625=on",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudSQL/disable-3625-trace-flag.html",
|
||||
"Terraform": ""
|
||||
"Other": "1. In Google Cloud Console, go to Cloud SQL > Instances and open <INSTANCE_NAME>\n2. Click Edit\n3. In Flags, click Add item\n4. Select 3625 (trace flag) and set value to on\n5. Click Save and confirm the restart",
|
||||
"Terraform": "```hcl\nresource \"google_sql_database_instance\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n region = \"<example_region>\"\n database_version = \"SQLSERVER_2019_STANDARD\"\n\n settings {\n tier = \"<example_tier>\"\n\n # Critical: enable SQL Server trace flag 3625\n # This sets the flag to 'on' so the check passes\n database_flags {\n name = \"3625\"\n value = \"on\"\n }\n }\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "It is recommended to set 3625 (trace flag) database flag for Cloud SQL SQL Server instance to on.",
|
||||
"Url": "https://cloud.google.com/sql/docs/sqlserver/flags"
|
||||
"Text": "Set trace flag `3625` to `on` for all SQL Server instances in Cloud SQL to limit error details for non-admins. Apply **least privilege**, practice **defense in depth** with application-level error handling, and centralize diagnostics in logs rather than returning verbose messages to clients.",
|
||||
"Url": "https://hub.prowler.com/check/cloudsql_instance_sqlserver_trace_flag"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"vulnerabilities"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
|
||||
|
||||
@@ -1,29 +1,36 @@
|
||||
{
|
||||
"Provider": "gcp",
|
||||
"CheckID": "cloudsql_instance_sqlserver_user_connections_flag",
|
||||
"CheckTitle": "Ensure 'user Connections' Database Flag for Cloud Sql Sql Server Instance Is Set to a Non-limiting Value",
|
||||
"CheckTitle": "Cloud SQL SQL Server instance has the 'user connections' database flag set to 0",
|
||||
"CheckType": [],
|
||||
"ServiceName": "cloudsql",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "DatabaseInstance",
|
||||
"Description": "Ensure 'user Connections' Database Flag for Cloud Sql Sql Server Instance Is Set to a Non-limiting Value",
|
||||
"Risk": "The user connections option specifies the maximum number of simultaneous user connections that are allowed on an instance of SQL Server. The actual number of user connections allowed also depends on the version of SQL Server that you are using, and also the limits of your application or applications and hardware. SQL Server allows a maximum of 32,767 user connections. Because user connections is by default a self- configuring value, with SQL Server adjusting the maximum number of user connections automatically as needed, up to the maximum value allowable. For example, if only 10 users are logged in, 10 user connection objects are allocated. In most cases, you do not have to change the value for this option. The default is 0, which means that the maximum (32,767) user connections are allowed. However if there is a number defined here that limits connections, SQL Server will not allow anymore above this limit. If the connections are at the limit, any new requests will be dropped, potentially causing lost data or outages for those using the database.",
|
||||
"ResourceType": "sqladmin.googleapis.com/Instance",
|
||||
"Description": "**Cloud SQL for SQL Server** instances are evaluated to ensure the `user connections` database flag is set to `0` (unlimited), avoiding any artificial cap on concurrent user sessions",
|
||||
"Risk": "A capped `user connections` value can exhaust available sessions, causing login failures, aborted transactions, and timeouts. This reduces **availability**, can delay administrative access, and may lead to **integrity** issues from failed or inconsistent retries under load.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudSQL/configure-user-connection-flag.html",
|
||||
"https://cloud.google.com/sql/docs/sqlserver/flags",
|
||||
"https://www.mssqltips.com/sqlservertip/5766/managing-maximum-number-of-concurrent-connections-in-sql-server/"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "gcloud sql instances patch INSTANCE_NAME --database-flags user connections=0",
|
||||
"CLI": "gcloud sql instances patch <example_resource_name> --database-flags='\"user connections\"=0'",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudSQL/configure-user-connection-flag.html",
|
||||
"Terraform": ""
|
||||
"Other": "1. In Google Cloud Console, go to Cloud SQL > Instances\n2. Open the SQL Server instance <example_resource_name> and click Edit\n3. In Database flags, click Add item, select \"user connections\", set value to 0\n4. Click Save (the instance may restart)",
|
||||
"Terraform": "```hcl\nresource \"google_sql_database_instance\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n region = \"<region>\"\n database_version = \"SQLSERVER_2019_STANDARD\"\n\n settings {\n tier = \"db-custom-1-3840\"\n\n # Critical: ensure the 'user connections' flag is set to 0 to pass the check\n database_flags {\n name = \"user connections\" # Critical line: target flag\n value = \"0\" # Critical line: set to 0\n }\n }\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "It is recommended to check the user connections for a Cloud SQL SQL Server instance to ensure that it is not artificially limiting connections.",
|
||||
"Url": "https://cloud.google.com/sql/docs/sqlserver/flags"
|
||||
"Text": "Set `user connections` to `0` to prevent artificial limits. Preserve **availability** with **connection pooling**, controlled retries, and **capacity planning** based on peak usage. *If a cap is required*, size it with ample headroom, monitor connection counts, and review regularly.",
|
||||
"Url": "https://hub.prowler.com/check/cloudsql_instance_sqlserver_user_connections_flag"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"resilience"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
|
||||
|
||||
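Review bot: The new `"CLI"` line quotes the flag name differently from the other sections: `--database-flags='"user connections"=0'` passes the double-quote characters through to gcloud as part of the argument, whereas the `remote access` and `external scripts enabled` sections use `--database-flags="remote access"=off`, where the shell strips the quotes before gcloud sees the flag name. The two forms hand gcloud different flag names, so at most one of them is what the API accepts; the form that has been verified against a live instance should be used consistently across these files. If gcloud does not strip quotes itself, this line should read `--database-flags="user connections"=0`.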
@@ -1,29 +1,35 @@
|
||||
{
|
||||
"Provider": "gcp",
|
||||
"CheckID": "cloudsql_instance_sqlserver_user_options_flag",
|
||||
"CheckTitle": "Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured",
|
||||
"CheckTitle": "Cloud SQL for SQL Server instance does not have the 'user options' flag configured",
|
||||
"CheckType": [],
|
||||
"ServiceName": "cloudsql",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "DatabaseInstance",
|
||||
"Description": "Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured",
|
||||
"Risk": "The user options option specifies global defaults for all users. A list of default query processing options is established for the duration of a user's work session. The user options option allows you to change the default values of the SET options (if the server's default settings are not appropriate). A user can override these defaults by using the SET statement. You can configure user options dynamically for new logins. After you change the setting of user options, new login sessions use the new setting, current login sessions are not affected.",
|
||||
"ResourceType": "sqladmin.googleapis.com/Instance",
|
||||
"Description": "**Cloud SQL for SQL Server** instances are evaluated for the `user options` database flag configured with any value.\n\nThis flag sets global defaults for session `SET` behaviors; the check identifies instances where this global override is present.",
|
||||
"Risk": "Global `user options` changes affect all sessions, impacting **data integrity** and **availability**. Disabling safe **ANSI behaviors** or enabling **implicit transactions** can alter NULL comparisons and error handling, leading to inconsistent results, lock contention, and application failures, reducing predictability and complicating auditing.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudSQL/user-options-flag-not-configured.html",
|
||||
"https://cloud.google.com/sql/docs/sqlserver/flags"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"CLI": "gcloud sql instances patch <example_resource_name> --clear-database-flags",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudSQL/user-options-flag-not-configured.html",
|
||||
"Terraform": ""
|
||||
"Other": "1. In Google Cloud Console, go to Cloud SQL and open your SQL Server instance\n2. Click Edit\n3. In Database flags, locate 'user options' and click the X to remove it\n4. Click Save\n5. Allow the instance to restart to apply the change",
|
||||
"Terraform": "```hcl\n# Cloud SQL for SQL Server instance with no 'user options' flag set\nresource \"google_sql_database_instance\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n region = \"<example_region>\"\n database_version = \"SQLSERVER_2019_STANDARD\"\n\n settings {\n tier = \"db-custom-2-7680\"\n # Remediation: Do NOT set a database_flags block for 'user options'\n # This omission removes/unsets the 'user options' flag so the check passes.\n }\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "It is recommended that, user options database flag for Cloud SQL SQL Server instance should not be configured.",
|
||||
"Url": "https://cloud.google.com/sql/docs/sqlserver/flags"
|
||||
"Text": "Leave `user options` unset at the instance level; keep default behavior. Control `SET` options explicitly at session or database scope.\n\n- Enforce **least privilege** for flag management\n- Use **change control** and testing before rollout\n- Monitor for configuration drift as part of **defense in depth**",
|
||||
"Url": "https://hub.prowler.com/check/cloudsql_instance_sqlserver_user_options_flag"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"vulnerabilities"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
|
||||
|
||||
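Review bot: The new `"CLI"` line, `gcloud sql instances patch <example_resource_name> --clear-database-flags`, removes every database flag on the instance, not only `user options`, so running it as written undoes the hardening the sibling checks expect (`3625=on`, `remote access=off`, `external scripts enabled=off`, `cross db ownership chaining=off`). As far as I can tell `gcloud sql instances patch` has no per-flag removal option; the remediation is to re-apply the full intended set with `--database-flags=<all flags to keep>` omitting `user options`, and the CLI string or the `"Other"` steps should say so. The Terraform snippet has the same gap: a `google_sql_database_instance` with no `database_flags` block at all describes an instance with no flags, not one that merely lacks `user options`, and should show the retained flags instead.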
@@ -1,29 +1,35 @@
|
||||
{
|
||||
"Provider": "gcp",
|
||||
"CheckID": "cloudsql_instance_ssl_connections",
|
||||
"CheckTitle": "Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL",
|
||||
"CheckTitle": "Cloud SQL database instance requires SSL for all incoming connections",
|
||||
"CheckType": [],
|
||||
"ServiceName": "cloudsql",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "DatabaseInstance",
|
||||
"Description": "Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL",
|
||||
"Risk": "SQL database connections if successfully trapped (MITM), can reveal sensitive data like credentials, database queries, query outputs etc. For security, it is recommended to always use SSL encryption when connecting to your instance. This recommendation is applicable for Postgresql, MySql generation 1, MySql generation 2 and SQL Server 2017 instances.",
|
||||
"Severity": "high",
|
||||
"ResourceType": "sqladmin.googleapis.com/Instance",
|
||||
"Description": "Cloud SQL instances enforce **SSL/TLS-only connections**, rejecting plaintext traffic. The connection policy requires encryption for all clients (e.g., `ENCRYPTED_ONLY` or `TRUSTED_CLIENT_CERTIFICATE_REQUIRED`) instead of allowing both encrypted and unencrypted connections.",
|
||||
"Risk": "Without enforced TLS, database traffic is exposed to interception.\n- **MITM** can read creds and query results (**confidentiality**)\n- Inject/alter statements to corrupt data (**integrity**)\n\nMixed modes cause accidental plaintext use on public or untrusted networks.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudSQL/enable-ssl-for-incoming-connections.html",
|
||||
"https://cloud.google.com/sql/docs/postgres/configure-ssl-instance/"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "gcloud sql instances patch <INSTANCE_NAME> --require-ssl",
|
||||
"CLI": "gcloud sql instances patch <INSTANCE_NAME> --ssl-mode=ENCRYPTED_ONLY",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudSQL/enable-ssl-for-incoming-connections.html",
|
||||
"Terraform": ""
|
||||
"Other": "1. In Google Cloud Console, go to Cloud SQL > Instances\n2. Click your instance name\n3. Open Connections > Security tab\n4. Select \"Allow only SSL connections\"\n5. Click Save",
|
||||
"Terraform": "```hcl\nresource \"google_sql_database_instance\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n region = \"<region>\"\n database_version = \"<database_version>\"\n\n settings {\n tier = \"<tier>\"\n ip_configuration {\n ssl_mode = \"ENCRYPTED_ONLY\" # Critical: only allow SSL/TLS-encrypted connections\n }\n }\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "It is recommended to enforce all incoming connections to SQL database instance to use SSL.",
|
||||
"Url": "https://cloud.google.com/sql/docs/postgres/configure-ssl-instance/"
|
||||
"Text": "Require **TLS for all connections**. Prefer `TRUSTED_CLIENT_CERTIFICATE_REQUIRED` or use Cloud SQL Auth Proxy/Connectors for encrypted, authenticated channels.\n- Disallow mixed plaintext/SSL modes\n- Rotate and monitor certificates\n- Combine with **least privilege** and private access",
|
||||
"Url": "https://hub.prowler.com/check/cloudsql_instance_ssl_connections"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"encryption"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
|
||||
|
||||
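Review bot: The `"Risk"` text promises protection against MITM, but `ENCRYPTED_ONLY` (the value set by the new `"CLI"` line) only rejects plaintext connections; a client that negotiates TLS without verifying the server certificate (PostgreSQL `sslmode=require`, MySQL `--ssl-mode=REQUIRED`) can still be intercepted. The `"Recommendation"` text should add the client-side half of the control, e.g. `Clients must verify the instance's server CA (PostgreSQL sslmode=verify-ca/verify-full, MySQL --ssl-mode=VERIFY_CA/VERIFY_IDENTITY) or connect through the Cloud SQL Auth Proxy; server-side TLS enforcement alone does not prevent interception.` The console label quoted in `"Other"` ("Allow only SSL connections") is worth confirming against the current UI, since the `ssl_mode` wording changed when `--require-ssl` was deprecated.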