Google CloudOverview
It is recommended to set contained database authentication database flag for Cloud SQL SQL Server instance to off.
Rationale
A contained database includes all database settings and metadata required to define the database and has no configuration dependencies on the instance of the Database Engine where the database is installed. Users can connect to the database without authenticating a login at the Database Engine level. Isolating the database from the Database Engine makes it possible to easily move the database to another instance of SQL Server. Contained databases have some unique threats that should be understood and mitigated by SQL Server Database Engine administrators. Most of the threats are related to the USER WITH PASSWORD authentication process, which moves the authentication boundary from the Database Engine level to the database level, hence this is recommended to disable this flag. This recommendation is applicable to SQL Server database instances.
Impact
When contained database authentication is off (0) for the instance, contained databases cannot be created, or attached to the Database Engine. Turning on logging will increase the required storage over time. Mismanaged logs may cause your storage costs to increase.Setting custom flags via command line on certain instances will cause all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended you apply these flags changes during a period of low usage.
Remediation guidance
From Google Cloud Console
- Go to the
Cloud SQL Instancespage in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances. - Select the MySQL instance where the database flag needs to be enabled
- Click
EDIT - Scroll down to the
Flagssection - To set a flag that has not been set on the instance before, click
ADD A DATABASE FLAG, choose the flagcontained database authenticationfrom the drop-down menu, and set its value tooff - Click
SAVE - Confirm the changes under
Flagson theOverviewpage
Using Google Cloud CLI
Configure the contained database authentication database flag for every Cloud SQL PostgreSQL database instance using the below command.
gcloud sql instances patch <instanceName> --database-flags "contained database authentication=off"
Note: This command will overwrite all database flags that were previously set. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ("=").
Default Value
As you have to manually turn on this flag, the default value for this is 'On'. Though you would have had to design your database schema from the start to include this feature, it often is not enabled.
References
- https://cloud.google.com/sql/docs/sqlserver/flags
- https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/cross-db-ownership-chaining-server-configuration-option?view=sql-server-ver15
- https://learn.microsoft.com/en-us/sql/relational-databases/databases/security-best-practices-with-contained-databases?view=sql-server-ver15
Additional information
WARNING: This patch modifies database flag values, which may require the instance to be restarted. Check the list of supported flags https://cloud.google.com/sql/docs/mysql/flags - to see if your instance will be restarted when this patch is submitted.
Note: Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.
Note: Configuring the above flag restarts the Cloud SQL instance.
Multiple Remediation Paths
Google Cloud
SERVICE-WIDE (RECOMMENDED when many resources are affected): Enforce Organization Policies at org/folder level so new resources inherit secure defaults.
gcloud org-policies set-policy policy.yaml
ASSET-LEVEL: Use the product-specific remediation steps above for only the impacted project/resources.
PREVENTIVE: Use org policy constraints/custom constraints and enforce checks in deployment pipelines.
References for Service-Wide Patterns
- GCP Organization Policy overview: https://cloud.google.com/resource-manager/docs/organization-policy/overview
- GCP Organization policy constraints catalog: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints
- gcloud org-policies: https://cloud.google.com/sdk/gcloud/reference/org-policies
Operational Rollout Workflow
Use this sequence to reduce risk and avoid repeated drift.
1. Contain at Service-Wide Scope First (Recommended)
- Google Cloud: apply organization policy constraints at org/folder scope.
gcloud org-policies set-policy policy.yaml
2. Remediate Existing Affected Assets
- Execute the control-specific Console/CLI steps documented above for each flagged resource.
- Prioritize internet-exposed and production assets first.
3. Validate and Prevent Recurrence
- Re-scan after each remediation batch.
- Track exceptions with owner and expiry date.
- Add preventive checks in IaC/CI pipelines.
Query logic
These are the stored checks tied to this control.
The 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off'
Connectors
Covered asset types
Expected check: eq []
{ cloudSqlInstances( where: { engine: "sqlserver" cloudProvider: "gcp" OR: [ { dbFlags_NONE: { name: "contained database authentication" } } { dbFlags_SOME: { name: "contained database authentication" value: "on" } } ] } ) { ...AssetFragment }}
