Cyscale
Back to controls

Ensure 'cloudsql.enable_pgaudit' database flag for each Cloud SQL PostgreSQL instance is set to 'on' for centralized logging

Ensure `cloudsql.enable_pgaudit` database flag for Cloud SQL PostgreSQL instance is set to `on` to allow for centralized logging

Category

Controls

Low

Applies to

Google Cloud

Coverage

1 queries

Asset types

1 covered

Overview

Ensure cloudsql.enable_pgaudit database flag for Cloud SQL PostgreSQL instance is set to on to allow for centralized logging

Rationale

As numerous other recommendations in this section consist of turning on flags for logging purposes, your organization will need a way to manage these logs. You may have a solution already in place. If you do not, consider installing and enabling the open source pgaudit extension within PostgreSQL and enabling its corresponding flag of cloudsql.enable_pgaudit. This flag and the installation of the extension enable database auditing in PostgreSQL through the open-source pgAudit extension. This extension provides detailed session and object logging to comply with government, financial, and ISO standards and provides auditing capabilities to mitigate threats by monitoring security events on the instance. Enabling the flag and settings later in this recommendation will send these logs to Google Logs Explorer so that you can access them in a central location. to This recommendation is applicable only to PostgreSQL database instances.

Impact

Enabling the pgAudit extension can lead to increased data storage requirements and to ensure durability of pgAudit log records in the event of unexpected storage issues, it is recommended to enable the Enable automatic storage increases setting on the instance. Enabling flags via the command line will also overwrite all existing flags, so you should apply all needed flags in the CLI command. Also flags may require a restart of the server to be implemented or will break existing functionality so update your servers at a time of low usage.

Remediation guidance

From Google Cloud Console

  1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances
  2. Select the PostgreSQL instance where the database flag needs to be enabled
  3. Click EDIT
  4. Scroll down to the Flags section
  5. To set a flag that has not been set on the instance before, click ADD A DATABASE FLAG, choose the flag cloudsql.enable_pgaudit from the drop-down menu, and set its value to on
  6. Click SAVE
  7. Confirm the changes under Flags on the Overview page

Using Google Cloud CLI

Run the following command:

gcloud sql instances patch <instanceName> --database-flags cloudsql.enable_pgaudit=on,pgaudit.log=all

To determine if the logs are being sent to the Logs Explorer, navigate to Logs Explorer under Operations and, in the query box, paste the following:

resource.type="cloudsql_database" logName="projects//logs/cloudaudit.googleapis.com%2Fdata_access" protoPayload.request.@type="type.googleapis.com/google.cloud.sql.audit.v1.PgAuditEntry"

If it returns any log sources, they are correctly setup.

Default Value

By default cloudsql.enable_pgaudit is set to off, and the extension is not enabled.

References

  1. https://cloud.google.com/sql/docs/postgres/flags#list-flags-postgres
  2. https://cloud.google.com/sql/docs/postgres/pg-audit#enable-auditing-flag
  3. https://cloud.google.com/sql/docs/postgres/pg-audit#customizing-database-audit-logging
  4. https://cloud.google.com/logging/docs/audit/configure-data-access#config-console-enable

Additional information

WARNING: This patch modifies database flag values, which may require the instance to be restarted. Check the list of supported flags https://cloud.google.com/sql/docs/postgres/flags - to see if your instance will be restarted when this patch is submitted.

Note: Configuring the cloudsql.enable_pgaudit database flag requires restarting the Cloud SQL PostgreSQL instance.

Service-wide remediation

Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.

Google Cloud

Use organization or folder policies where available, shared project templates, logs and alerting baselines, and IaC modules so new resources inherit the secure setting.

Operational rollout

  1. Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
  2. Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
  3. Re-scan and track approved exceptions with an owner and expiry date.

Query logic

These are the stored checks tied to this control.

Ensure 'cloudsql.enable_pgaudit' database flag for each Cloud Sql Postgresql instance is set to 'on' for centralized logging

Connectors

Google Cloud

Covered asset types

CloudSQLInstance

Expected check: eq []

{
  cloudSqlInstances(
    where: {
      engine: "postgresql"
      cloudProvider: "gcp"
      OR: [{ dbFlags_NONE: { name: "cloudsql.enable_pgaudit" }}, {dbFlags_SOME: {name: "cloudsql.enable_pgaudit", value: "off"}}]
     
    }
  ) {
     ...AssetFragment
  }
}
Cyscale Logo
Cyscale is an agentless cloud-native application protection platform (CNAPP) that automates the contextual analysis of cloud misconfigurations, vulnerabilities, access, and data, to provide an accurate and actionable assessment of risk.

Stay connected

Receive new blog posts and product updates from Cyscale

By clicking Subscribe, I agree to Cyscale’s Privacy Policy

© 2026 Cyscale Limited

© 2026 Cyscale Limited

Terms of useSecurity PolicyPrivacy PolicyStatusSitemap
Terms of useSecurity PolicyPrivacy Policy
StatusSitemap
LinkedIn icon
Twitter icon
Facebook icon
crunch base icon
angel icon