Ensure the 'log_min_duration_statement' database flag for Cloud SQL PostgreSQL instance is set to '-1' (Disabled)

From Google Cloud Console

1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances
2. Select the PostgreSQL instance where the database flag needs to be enabled
3. Click EDIT
4. Scroll down to the Flags section
5. To set a flag that has not been set on the instance before, click ADD A DATABASE FLAG, choose the flag log_min_duration_statement from the drop-down menu, and set its value to -1
6. Click SAVE
7. Confirm the changes under Flags on the Overview page

Using Google Cloud CLI

Configure the log_min_duration_statement database flag for every Cloud SQL PostgreSQL database instance using the below command.

gcloud sql instances patch <instanceName> --database-flags log_min_duration_statement=-1

Note: This command will overwrite all database flags that were previously set. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign ("=").

Default Value

By default log_min_duration_statement is -1.

References

1. https://cloud.google.com/sql/docs/postgres/flags
2. https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT

Additional information

WARNING: This patch modifies database flag values, which may require the instance to be restarted. Check the list of supported flags https://cloud.google.com/sql/docs/postgres/flags - to see if your instance will be restarted when this patch is submitted.

Note: Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.

Note: Configuring the above flag restarts the Cloud SQL instance.

Multiple Remediation Paths

Google Cloud

SERVICE-WIDE (RECOMMENDED when many resources are affected): Enforce Organization Policies at org/folder level so new resources inherit secure defaults.

gcloud org-policies set-policy policy.yaml

ASSET-LEVEL: Use the product-specific remediation steps above for only the impacted project/resources.

PREVENTIVE: Use org policy constraints/custom constraints and enforce checks in deployment pipelines.

References for Service-Wide Patterns

• GCP Organization Policy overview: https://cloud.google.com/resource-manager/docs/organization-policy/overview
• GCP Organization policy constraints catalog: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints
• gcloud org-policies: https://cloud.google.com/sdk/gcloud/reference/org-policies

Operational Rollout Workflow

Use this sequence to reduce risk and avoid repeated drift.

1. Contain at Service-Wide Scope First (Recommended)

• Google Cloud: apply organization policy constraints at org/folder scope.

gcloud org-policies set-policy policy.yaml

2. Remediate Existing Affected Assets

• Execute the control-specific Console/CLI steps documented above for each flagged resource.
• Prioritize internet-exposed and production assets first.

3. Validate and Prevent Recurrence

• Re-scan after each remediation batch.
• Track exceptions with owner and expiry date.
• Add preventive checks in IaC/CI pipelines.