prowler-cloud
diff --git a/‎prowler/CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions b/‎prowler/CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎prowler/providers/gcp/services/cloudsql/cloudsql_instance_automated_backups/cloudsql_instance_automated_backups.metadata.json‎
Lines changed: 18 additions & 12 deletions b/‎prowler/providers/gcp/services/cloudsql/cloudsql_instance_automated_backups/cloudsql_instance_automated_backups.metadata.json‎
Lines changed: 18 additions & 12 deletions
diff --git a/‎prowler/providers/gcp/services/cloudsql/cloudsql_instance_mysql_local_infile_flag/cloudsql_instance_mysql_local_infile_flag.metadata.json‎
Lines changed: 17 additions & 12 deletions b/‎prowler/providers/gcp/services/cloudsql/cloudsql_instance_mysql_local_infile_flag/cloudsql_instance_mysql_local_infile_flag.metadata.json‎
Lines changed: 17 additions & 12 deletions
diff --git a/‎prowler/providers/gcp/services/cloudsql/cloudsql_instance_mysql_skip_show_database_flag/cloudsql_instance_mysql_skip_show_database_flag.metadata.json‎
Lines changed: 17 additions & 12 deletions b/‎prowler/providers/gcp/services/cloudsql/cloudsql_instance_mysql_skip_show_database_flag/cloudsql_instance_mysql_skip_show_database_flag.metadata.json‎
Lines changed: 17 additions & 12 deletions
diff --git a/‎prowler/providers/gcp/services/cloudsql/cloudsql_instance_postgres_enable_pgaudit_flag/cloudsql_instance_postgres_enable_pgaudit_flag.metadata.json‎
Lines changed: 19 additions & 12 deletions b/‎prowler/providers/gcp/services/cloudsql/cloudsql_instance_postgres_enable_pgaudit_flag/cloudsql_instance_postgres_enable_pgaudit_flag.metadata.json‎
Lines changed: 19 additions & 12 deletions
diff --git a/‎prowler/providers/gcp/services/cloudsql/cloudsql_instance_postgres_log_connections_flag/cloudsql_instance_postgres_log_connections_flag.metadata.json‎
Lines changed: 16 additions & 11 deletions b/‎prowler/providers/gcp/services/cloudsql/cloudsql_instance_postgres_log_connections_flag/cloudsql_instance_postgres_log_connections_flag.metadata.json‎
Lines changed: 16 additions & 11 deletions
@@ -25,6 +25,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - Update GCP API Keys service metadata to new format [(#9637)](https://github.com/prowler-cloud/prowler/pull/9637)
 - Update GCP BigQuery service metadata to new format [(#9638)](https://github.com/prowler-cloud/prowler/pull/9638)
 - Update GCP Cloud Storage service metadata to new format [(#9640)](https://github.com/prowler-cloud/prowler/pull/9640)
+- Update GCP Cloud SQL service metadata to new format [(#9639)](https://github.com/prowler-cloud/prowler/pull/9639)
 
 ### 🔐 Security
 
 
@@ -1,30 +1,36 @@
 {
   "Provider": "gcp",
   "CheckID": "cloudsql_instance_automated_backups",
-  "CheckTitle": "Ensure That Cloud SQL Database Instances Are Configured With Automated Backups",
+  "CheckTitle": "Cloud SQL database instance has automated backups configured",
   "CheckType": [],
   "ServiceName": "cloudsql",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
-  "Severity": "medium",
-  "ResourceType": "DatabaseInstance",
-  "ResourceGroup": "database",
-  "Description": "Ensure That Cloud SQL Database Instances Are Configured With Automated Backups",
-  "Risk": "Backups provide a way to restore a Cloud SQL instance to recover lost data or recover from a problem with that instance. Automated backups need to be set for any instance that contains data that should be protected from loss or damage. This recommendation is applicable for SQL Server, PostgreSql, MySql generation 1 and MySql generation 2 instances.",
+  "Severity": "high",
+  "ResourceType": "sqladmin.googleapis.com/Instance",
+  "Description": "**Cloud SQL instances** are checked for **automated backups** being configured to run on a schedule and support point-in-time recovery.",
+  "Risk": "Absent **automated backups**, unintended deletes, corruption, or ransomware can become irreversible. This degrades data **integrity** and **availability**, removes point-in-time recovery options, and widens `RPO`/`RTO`, causing prolonged outages and incomplete restoration after incidents or schema changes.",
   "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/CloudSQL/enable-automated-backups.html",
+    "https://cloud.google.com/sql/docs/mysql/backup-recovery/backups",
+    "https://cloud.google.com/sql/docs/postgres/configure-ssl-instance/"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "gcloud sql instances patch <INSTANCE_NAME> --backup-start-time <[HH:MM]>",
+      "CLI": "gcloud sql instances patch <INSTANCE_NAME> --backup-start-time <HH:MM>",
       "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudSQL/enable-automated-backups.html",
-      "Terraform": ""
+      "Other": "1. In Google Cloud Console, go to Cloud SQL > Instances\n2. Click your instance name, then click Edit\n3. In the Backups section, enable Automated backups and set a Start time\n4. Click Save to apply",
+      "Terraform": "```hcl\nresource \"google_sql_database_instance\" \"<example_resource_name>\" {\n  name             = \"<example_resource_id>\"\n  database_version = \"POSTGRES_14\"\n  region           = \"<REGION>\"\n\n  settings {\n    tier = \"db-custom-1-3840\"\n\n    backup_configuration {\n      enabled    = true      # Critical: turns on automated backups\n      start_time = \"02:00\"  # Critical: required to enable backups and set start time\n    }\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "It is recommended to have all SQL database instances set to enable automated backups.",
-      "Url": "https://cloud.google.com/sql/docs/postgres/configure-ssl-instance/"
+      "Text": "Enable **automated backups** on all Cloud SQL instances holding important data. Set retention and schedules to meet `RPO`/`RTO`, and enable point-in-time recovery. Apply **least privilege** to backup access, use **separation of duties**, consider cross-region resilience, and regularly test restores with monitoring and alerts for failures.",
+      "Url": "https://hub.prowler.com/check/cloudsql_instance_automated_backups"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "resilience"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
 
@@ -1,30 +1,35 @@
 {
   "Provider": "gcp",
   "CheckID": "cloudsql_instance_mysql_local_infile_flag",
-  "CheckTitle": "Ensure That the Local_infile Database Flag for a Cloud SQL MySQL Instance Is Set to Off",
+  "CheckTitle": "Cloud SQL MySQL instance has the local_infile database flag set to off",
   "CheckType": [],
   "ServiceName": "cloudsql",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
-  "Severity": "medium",
-  "ResourceType": "DatabaseInstance",
-  "ResourceGroup": "database",
-  "Description": "Ensure That the Local_infile Database Flag for a Cloud SQL MySQL Instance Is Set to Off",
-  "Risk": "The local_infile flag controls the server-side LOCAL capability for LOAD DATA statements. Depending on the local_infile setting, the server refuses or permits local data loading by clients that have LOCAL enabled on the client side.",
+  "Severity": "high",
+  "ResourceType": "sqladmin.googleapis.com/Instance",
+  "Description": "**Cloud SQL for MySQL** instances are evaluated for the `local_infile` database flag being explicitly set to `off`, disabling use of `LOAD DATA LOCAL`.\n\nInstances where `local_infile` is absent or not `off` are identified.",
+  "Risk": "With `local_infile` enabled, clients can send local files via `LOAD DATA LOCAL`. A stolen credential or SQL injection can coerce clients to leak files and mass-ingest unvetted data, compromising **confidentiality** and **integrity**, and aiding lateral movement through secrets imported into the database.",
   "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/CloudSQL/disable-local-infile-flag.html",
+    "https://cloud.google.com/sql/docs/mysql/flags"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "gcloud sql instances patch INSTANCE_NAME --database-flags local_infile=off",
+      "CLI": "gcloud sql instances patch <INSTANCE_NAME> --database-flags=local_infile=off",
       "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudSQL/disable-local-infile-flag.html",
-      "Terraform": "https://docs.prowler.com/checks/gcp/cloud-sql-policies/bc_gcp_sql_1#terraform"
+      "Other": "1. In Google Cloud Console, go to SQL\n2. Select the MySQL instance and click Edit\n3. In Database flags, add or locate \"local_infile\" and set it to Off\n4. Click Save to apply changes",
+      "Terraform": "```hcl\nresource \"google_sql_database_instance\" \"<example_resource_name>\" {\n  name             = \"<example_resource_name>\"\n  database_version = \"MYSQL_8_0\"\n  region           = \"<example_region>\"\n\n  settings {\n    tier = \"<example_tier>\"\n    # Critical: disables LOCAL INFILE to pass the check\n    database_flags {\n      name  = \"local_infile\"  # sets the specific flag\n      value = \"off\"           # required value for compliance\n    }\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "It is recommended to set the local_infile database flag for a Cloud SQL MySQL instance to off.",
-      "Url": "https://cloud.google.com/sql/docs/mysql/flags"
+      "Text": "Keep `local_infile` set to `off`. Use governed import channels (e.g., controlled object storage imports) and enforce **least privilege** for bulk-loading. Apply **separation of duties** between ingestion and admin roles, validate file sources and formats, and monitor high-volume loads. *If ever needed, enable only briefly for vetted tasks.*",
+      "Url": "https://hub.prowler.com/check/cloudsql_instance_mysql_local_infile_flag"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "vulnerabilities"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
 
@@ -1,30 +1,35 @@
 {
   "Provider": "gcp",
   "CheckID": "cloudsql_instance_mysql_skip_show_database_flag",
-  "CheckTitle": "Ensure Skip_show_database Database Flag for Cloud SQL MySQL Instance Is Set to On",
+  "CheckTitle": "Cloud SQL MySQL instance has skip_show_database flag set to on",
   "CheckType": [],
   "ServiceName": "cloudsql",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
-  "Severity": "medium",
-  "ResourceType": "DatabaseInstance",
-  "ResourceGroup": "database",
-  "Description": "Ensure Skip_show_database Database Flag for Cloud SQL MySQL Instance Is Set to On",
-  "Risk": "'skip_show_database' database flag prevents people from using the SHOW DATABASES statement if they do not have the SHOW DATABASES privilege.",
+  "Severity": "low",
+  "ResourceType": "sqladmin.googleapis.com/Instance",
+  "Description": "**Cloud SQL MySQL** instances configure the `skip_show_database` database flag to `on`, limiting use of `SHOW DATABASES` to accounts with the `SHOW DATABASES` privilege.",
+  "Risk": "Without `skip_show_database` set to `on`, database names can be exposed to unprivileged users, reducing **confidentiality**. Attackers can perform schema **enumeration** and targeted probing, enabling **lateral movement** and privilege escalation against specific datasets.",
   "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/CloudSQL/enable-skip-show-database-flag.html",
+    "https://cloud.google.com/sql/docs/mysql/flags"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "gcloud sql instances patch INSTANCE_NAME --database-flags skip_show_database=on",
+      "CLI": "gcloud sql instances patch <INSTANCE_NAME> --database-flags=skip_show_database=on",
       "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudSQL/enable-skip-show-database-flag.html",
-      "Terraform": ""
+      "Other": "1. In Google Cloud Console, go to Cloud SQL > Instances\n2. Open your MySQL instance and click Edit\n3. Under Flags, click Add item, select skip_show_database, set value to ON\n4. Click Save",
+      "Terraform": "```hcl\nresource \"google_sql_database_instance\" \"<example_resource_name>\" {\n  name             = \"<example_resource_name>\"\n  database_version = \"MYSQL_8_0\"\n  region           = \"<example_region>\"\n\n  settings {\n    tier = \"db-custom-1-3840\"\n\n    database_flags {\n      name  = \"skip_show_database\"   # Critical: enforce hiding databases from users without SHOW DATABASES privilege\n      value = \"on\"                   # Critical: set flag to 'on' to pass the check\n    }\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "It is recommended to set skip_show_database database flag for Cloud SQL Mysql instance to on.",
-      "Url": "https://cloud.google.com/sql/docs/mysql/flags"
+      "Text": "Set `skip_show_database` to `on` for all Cloud SQL MySQL instances. Enforce **least privilege** by granting `SHOW DATABASES` only when necessary and reviewing roles regularly. Use **defense in depth**: monitor access and admin actions, and plan changes in maintenance windows as flag updates may trigger restarts.",
+      "Url": "https://hub.prowler.com/check/cloudsql_instance_mysql_skip_show_database_flag"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "identity-access"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
 
@@ -1,30 +1,37 @@
 {
   "Provider": "gcp",
   "CheckID": "cloudsql_instance_postgres_enable_pgaudit_flag",
-  "CheckTitle": "Ensure That 'cloudsql.enable_pgaudit' Database Flag for each Cloud Sql Postgresql Instance Is Set to 'on' For Centralized Logging",
+  "CheckTitle": "Cloud SQL PostgreSQL instance has 'cloudsql.enable_pgaudit' flag set to 'on'",
   "CheckType": [],
   "ServiceName": "cloudsql",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
-  "Severity": "medium",
-  "ResourceType": "DatabaseInstance",
-  "ResourceGroup": "database",
-  "Description": "Ensure That 'cloudsql.enable_pgaudit' Database Flag for each Cloud Sql Postgresql Instance Is Set to 'on' For Centralized Logging",
-  "Risk": "Ensure cloudsql.enable_pgaudit database flag for Cloud SQL PostgreSQL instance is set to on to allow for centralized logging.",
+  "Severity": "high",
+  "ResourceType": "sqladmin.googleapis.com/Instance",
+  "Description": "**Cloud SQL for PostgreSQL** instances are evaluated for the database flag `cloudsql.enable_pgaudit` being set to `on`",
+  "Risk": "Without `cloudsql.enable_pgaudit`, **database activity** lacks granular audit trails. Undetected reads/writes enable insider abuse, credential reuse, or SQL injection without evidence, harming **confidentiality** and **integrity**. Poor traceability slows incident response, forensics, and undermines compliance.",
   "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/CloudSQL/postgre-sql-audit-flag.html",
+    "https://cloud.google.com/sql/docs/postgres/flags",
+    "https://cloud.google.com/sql/docs/postgres/pg-audit"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "gcloud sql instances patch INSTANCE_NAME --database-flags cloudsql.enable_pgaudit=On",
+      "CLI": "gcloud sql instances patch <example_resource_id> --database-flags cloudsql.enable_pgaudit=on",
       "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudSQL/postgre-sql-audit-flag.html",
-      "Terraform": ""
+      "Other": "1. In Google Cloud Console, go to SQL\n2. Select your PostgreSQL instance and click Edit\n3. In Database flags, click Add item\n4. Set Flag to cloudsql.enable_pgaudit and Value to on\n5. Click Save and restart if prompted",
+      "Terraform": "```hcl\nresource \"google_sql_database_instance\" \"<example_resource_name>\" {\n  name             = \"<example_resource_id>\"\n  region           = \"us-central1\"\n  database_version = \"POSTGRES_14\"\n\n  settings {\n    tier = \"db-custom-1-3840\"\n    database_flags {\n      name  = \"cloudsql.enable_pgaudit\"  # Critical: enable pgAudit\n      value = \"on\"                        # Critical: set flag to 'on' to pass the check\n    }\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "As numerous other recommendations in this section consist of turning on flags for logging purposes, your organization will need a way to manage these logs. You may have a solution already in place. If you do not, consider installing and enabling the open source pgaudit extension within PostgreSQL and enabling its corresponding flag of cloudsql.enable_pgaudit. This flag and installing the extension enables database auditing in PostgreSQL through the open-source pgAudit extension. This extension provides detailed session and object logging to comply with government, financial, & ISO standards and provides auditing capabilities to mitigate threats by monitoring security events on the instance. Enabling the flag and settings later in this recommendation will send these logs to Google Logs Explorer so that you can access them in a central location.",
-      "Url": "https://cloud.google.com/sql/docs/postgres/flags"
+      "Text": "Enable `cloudsql.enable_pgaudit` and configure **pgAudit** to log required classes (e.g., `read`, `write`, `ddl`) under least privilege. Centralize logs, enforce retention and RBAC, and monitor with alerts. *Scope auditing to sensitive data to reduce noise and overhead, and review coverage regularly.*",
+      "Url": "https://hub.prowler.com/check/cloudsql_instance_postgres_enable_pgaudit_flag"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "logging",
+    "forensics-ready"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""
 
@@ -1,30 +1,35 @@
 {
   "Provider": "gcp",
   "CheckID": "cloudsql_instance_postgres_log_connections_flag",
-  "CheckTitle": "Ensure That the Log_connections Database Flag for Cloud SQL PostgreSQL Instance Is Set to On",
+  "CheckTitle": "Cloud SQL PostgreSQL instance has log_connections flag set to on",
   "CheckType": [],
   "ServiceName": "cloudsql",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "medium",
-  "ResourceType": "DatabaseInstance",
-  "ResourceGroup": "database",
-  "Description": "Ensure That the Log_connections Database Flag for Cloud SQL PostgreSQL Instance Is Set to On",
-  "Risk": "Enabling the log_connections setting causes each attempted connection to the server to be logged, along with successful completion of client authentication. This parameter cannot be changed after the session starts.",
+  "ResourceType": "sqladmin.googleapis.com/Instance",
+  "Description": "**Cloud SQL for PostgreSQL** instances have the `log_connections` flag set to `on`, causing the server to record every connection attempt and the result of client authentication.",
+  "Risk": "Without connection logs, unauthorized access attempts can go unnoticed. Attackers may brute-force or reuse credentials without audit evidence, enabling stealthy data access (**confidentiality**), changes via compromised accounts (**integrity**), and connection floods that impact service (**availability**).",
   "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/CloudSQL/enable-log-connections-flag.html",
+    "https://cloud.google.com/sql/docs/postgres/flags"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "gcloud sql instances patch INSTANCE_NAME --database-flags log_connections=on",
+      "CLI": "gcloud sql instances patch <INSTANCE_NAME> --database-flags=log_connections=on",
       "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudSQL/enable-log-connections-flag.html",
-      "Terraform": "https://docs.prowler.com/checks/gcp/cloud-sql-policies/bc_gcp_sql_3#terraform"
+      "Other": "1. In Google Cloud Console, go to Cloud SQL > Instances\n2. Open your PostgreSQL instance and click Edit\n3. In Flags, click Add item, select log_connections, set value to on\n4. Click Save and confirm the restart",
+      "Terraform": "```hcl\nresource \"google_sql_database_instance\" \"<example_resource_name>\" {\n  name             = \"<example_resource_name>\"\n  database_version = \"POSTGRES_14\"\n  region           = \"<region>\"\n\n  settings {\n    tier = \"db-f1-micro\"\n\n    # Critical: enables connection logging to pass the check\n    database_flags {\n      name  = \"log_connections\"  # critical\n      value = \"on\"                # critical\n    }\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "PostgreSQL does not log attempted connections by default. Enabling the log_connections setting will create log entries for each attempted connection as well as successful completion of client authentication which can be useful in troubleshooting issues and to determine any unusual connection attempts to the server.",
-      "Url": "https://cloud.google.com/sql/docs/postgres/flags"
+      "Text": "Enable `log_connections`=`on` for all PostgreSQL instances.\n- Apply **defense in depth**: also capture disconnects and audit events\n- Centralize logs, retain them, and alert on anomalies\n- Enforce **least privilege** and strong authentication to reduce exposure and improve detection",
+      "Url": "https://hub.prowler.com/check/cloudsql_instance_postgres_log_connections_flag"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "logging"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""