Information Disclosure from Non-TLS Connections to Cloud SQL Instance in Terraform

High Risk Infrastructure Security
gcp, cloud-sql, tls, encryption, database

What it is

Information disclosure through eavesdropping or man-in-the-middle interception: an attacker on the network path between a client and the instance can read queries, returned rows, and the database credentials sent at login whenever the session is not encrypted, and can also alter traffic in transit. Because Cloud SQL instances are commonly reachable over a public IP, "the network path" can include the public internet.

Why it happens

The instance's settings.ip_configuration block leaves ssl_mode (or the older require_ssl) unset, so the instance keeps the provider default of ALLOW_UNENCRYPTED_AND_ENCRYPTED. Whether a given session is encrypted is then left to the client: any driver that does not request TLS silently gets a plaintext connection, and nothing server-side refuses it.

Root causes

Default Permissive Configuration

Relying on the provider default. An instance declared without ssl_mode (or the deprecated require_ssl) accepts unencrypted connections, and the plan gives no warning, so the omission survives review.

Development Convenience

Disabling TLS enforcement during development to simplify local connection setup, then promoting the same module or tfvars to production without re-enabling it.

Client Compatibility Concerns

Avoiding TLS enforcement out of concern that older clients or applications cannot negotiate SSL/TLS. In practice, current drivers for MySQL, PostgreSQL, and SQL Server all support TLS; the real cost is distributing and rotating certificates, not protocol support.

Fixes

1. Require Client Certificates

Set settings.ip_configuration.ssl_mode to TRUSTED_CLIENT_CERTIFICATE_REQUIRED. This rejects unencrypted connections and also rejects encrypted connections that do not present a client certificate issued for the instance. The value is supported for MySQL and PostgreSQL; SQL Server instances do not support client-certificate enforcement and should use ENCRYPTED_ONLY, which still refuses plaintext. require_ssl = true is the older equivalent of ENCRYPTED_ONLY and is deprecated in favor of ssl_mode in current google provider versions, so prefer ssl_mode in new code.

2. Create SSL Certificates

Declare one google_sql_ssl_cert resource per client that connects to the database (set common_name and instance). The resource exports the client certificate, its private key, and the server CA certificate. All three are written to Terraform state, so treat the state backend as a secret store and plan for rotation: Cloud SQL client certificates have a fixed validity period and must be replaced before they expire.

3. Update Connection Strings

Configure every client to require TLS and to verify the server, not merely to opportunistically use it. For PostgreSQL that means sslmode=verify-ca together with sslrootcert, sslcert, and sslkey; for MySQL, --ssl-mode=VERIFY_CA with --ssl-ca, --ssl-cert, and --ssl-key. Clients that connect through the Cloud SQL Auth Proxy or the language connectors already negotiate TLS with ephemeral certificates and keep working under the stricter ssl_mode. After applying the change, confirm enforcement by attempting a connection with TLS disabled (for example sslmode=disable); the instance must refuse it.
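The three steps above as one complete Terraform configuration, added here as an example rather than taken from the original page. It places the vulnerable instance beside the hardened one so the difference is visible in a diff; the project, region, instance names, client common name, database user, and database name are assumed values.

```hcl
# Added example (not part of the original page). Project, region, names and the
# database user are illustrative assumptions.

terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = ">= 5.0"
    }
  }
}

provider "google" {
  project = "example-project" # assumed
  region  = "us-central1"     # assumed
}

# VULNERABLE: ssl_mode is not set, so the instance keeps the default
# ALLOW_UNENCRYPTED_AND_ENCRYPTED and any client that does not ask for
# TLS gets a plaintext session over the public IP.
resource "google_sql_database_instance" "plaintext_ok" {
  name             = "app-db-plaintext" # assumed
  database_version = "POSTGRES_15"

  settings {
    tier = "db-f1-micro"
    ip_configuration {
      ipv4_enabled = true
    }
  }
}

# HARDENED: refuse anything that is not TLS with a trusted client certificate.
resource "google_sql_database_instance" "tls_required" {
  name             = "app-db-tls" # assumed
  database_version = "POSTGRES_15"

  settings {
    tier = "db-f1-micro"
    ip_configuration {
      ipv4_enabled = true
      # Strongest value for MySQL and PostgreSQL. SQL Server instances do not
      # support client-certificate enforcement; use "ENCRYPTED_ONLY" there.
      ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
    }
  }
}

# Step 2: one client certificate per consumer of the database.
resource "google_sql_ssl_cert" "api_client" {
  common_name = "api-service" # assumed client name
  instance    = google_sql_database_instance.tls_required.name
}

# Material the client needs: its certificate, its private key, and the server
# CA. Marked sensitive so it is not echoed to the console; it is still stored
# in Terraform state, so protect the state backend accordingly.
output "client_cert" {
  value     = google_sql_ssl_cert.api_client.cert
  sensitive = true
}

output "client_key" {
  value     = google_sql_ssl_cert.api_client.private_key
  sensitive = true
}

output "server_ca_cert" {
  value     = google_sql_ssl_cert.api_client.server_ca_cert
  sensitive = true
}

# Step 3: a connection string the client can use once the three PEM files
# above are written to disk. sslmode=verify-ca validates the server certificate
# against the Cloud SQL CA and presents the client certificate; the default
# Cloud SQL server certificate is not issued for the instance IP, so verify-full
# is not used here. "app_user" and "app" are assumed names.
output "psql_connection" {
  value = format(
    "postgresql://app_user@%s:5432/app?sslmode=verify-ca&sslrootcert=server-ca.pem&sslcert=client-cert.pem&sslkey=client-key.pem",
    google_sql_database_instance.tls_required.public_ip_address
  )
}
```

Apply the hardened instance, write the three outputs to server-ca.pem, client-cert.pem and client-key.pem (for example with terraform output -raw), then connect with the psql_connection string. To prove enforcement, replace sslmode=verify-ca with sslmode=disable in the same string: the instance should reject the connection. In real code the plaintext_ok resource would of course be deleted rather than kept alongside the hardened one.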

Detect This Vulnerability in Your Code

Sourcery automatically identifies information disclosure from non-TLS connections to Cloud SQL instances in Terraform, along with many other security issues in your codebase.