Google CloudOverview
Ensure cloudsql.enable_pgaudit database flag for Cloud SQL PostgreSQL instance is set to on to allow for centralized logging
Rationale
As numerous other recommendations in this section consist of turning on flags for logging purposes, your organization will need a way to manage these logs. You may have a solution already in place. If you do not, consider installing and enabling the open source pgaudit extension within PostgreSQL and enabling its corresponding flag of cloudsql.enable_pgaudit. This flag and the installation of the extension enable database auditing in PostgreSQL through the open-source pgAudit extension. This extension provides detailed session and object logging to comply with government, financial, and ISO standards and provides auditing capabilities to mitigate threats by monitoring security events on the instance. Enabling the flag and settings later in this recommendation will send these logs to Google Logs Explorer so that you can access them in a central location. to This recommendation is applicable only to PostgreSQL database instances.
Impact
Enabling the pgAudit extension can lead to increased data storage requirements and to ensure durability of pgAudit log records in the event of unexpected storage issues, it is recommended to enable the Enable automatic storage increases setting on the instance. Enabling flags via the command line will also overwrite all existing flags, so you should apply all needed flags in the CLI command. Also flags may require a restart of the server to be implemented or will break existing functionality so update your servers at a time of low usage.
Remediation guidance
From Google Cloud Console
- Go to the
Cloud SQL Instancespage in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances - Select the PostgreSQL instance where the database flag needs to be enabled
- Click
EDIT - Scroll down to the
Flagssection - To set a flag that has not been set on the instance before, click
ADD A DATABASE FLAG, choose the flagcloudsql.enable_pgauditfrom the drop-down menu, and set its value toon - Click
SAVE - Confirm the changes under
Flagson theOverviewpage
Using Google Cloud CLI
Run the following command:
gcloud sql instances patch <instanceName> --database-flags cloudsql.enable_pgaudit=on,pgaudit.log=all
To determine if the logs are being sent to the Logs Explorer, navigate to Logs Explorer under Operations and, in the query box, paste the following:
resource.type="cloudsql_database" logName="projects//logs/cloudaudit.googleapis.com%2Fdata_access" protoPayload.request.@type="type.googleapis.com/google.cloud.sql.audit.v1.PgAuditEntry"
If it returns any log sources, they are correctly setup.
Default Value
By default cloudsql.enable_pgaudit is set to off, and the extension is not enabled.
References
- https://cloud.google.com/sql/docs/postgres/flags#list-flags-postgres
- https://cloud.google.com/sql/docs/postgres/pg-audit#enable-auditing-flag
- https://cloud.google.com/sql/docs/postgres/pg-audit#customizing-database-audit-logging
- https://cloud.google.com/logging/docs/audit/configure-data-access#config-console-enable
Additional information
WARNING: This patch modifies database flag values, which may require the instance to be restarted. Check the list of supported flags https://cloud.google.com/sql/docs/postgres/flags - to see if your instance will be restarted when this patch is submitted.
Note: Configuring the cloudsql.enable_pgaudit database flag requires restarting the Cloud SQL PostgreSQL instance.
Multiple Remediation Paths
Google Cloud
SERVICE-WIDE (RECOMMENDED when many resources are affected): Enforce Organization Policies at org/folder level so new resources inherit secure defaults.
gcloud org-policies set-policy policy.yaml
ASSET-LEVEL: Use the product-specific remediation steps above for only the impacted project/resources.
PREVENTIVE: Use org policy constraints/custom constraints and enforce checks in deployment pipelines.
References for Service-Wide Patterns
- GCP Organization Policy overview: https://cloud.google.com/resource-manager/docs/organization-policy/overview
- GCP Organization policy constraints catalog: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints
- gcloud org-policies: https://cloud.google.com/sdk/gcloud/reference/org-policies
Operational Rollout Workflow
Use this sequence to reduce risk and avoid repeated drift.
1. Contain at Service-Wide Scope First (Recommended)
- Google Cloud: apply organization policy constraints at org/folder scope.
gcloud org-policies set-policy policy.yaml
2. Remediate Existing Affected Assets
- Execute the control-specific Console/CLI steps documented above for each flagged resource.
- Prioritize internet-exposed and production assets first.
3. Validate and Prevent Recurrence
- Re-scan after each remediation batch.
- Track exceptions with owner and expiry date.
- Add preventive checks in IaC/CI pipelines.
Query logic
These are the stored checks tied to this control.
Ensure 'cloudsql.enable_pgaudit' database flag for each Cloud Sql Postgresql instance is set to 'on' for centralized logging
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
engine: "postgresql"
cloudProvider: "gcp"
OR: [{ dbFlags_NONE: { name: "cloudsql.enable_pgaudit" }}, {dbFlags_SOME: {name: "cloudsql.enable_pgaudit", value: "off"}}]
}
) {
...AssetFragment
}
}
