Ensure that MySql database instances do not allow root login from any Host

Using Command-line

Note: We haven't come across any setting provided by Google cloud console or gcloud utility to update host for a root user. Below remediation uses MySQL client binary to set the host for root user. Similarly, for PostgreSQL instance:

1. Login to MySql database instance from authorized network

mysql connect -u root [INSTANCE_ADRESS]

2. Set host for root user

```sql
UPDATE MySql.user SET Host=\[Host_name/IP\] WHERE User='root';

**Impact**

Only configured hosts will be able access MySQL database Instance with root privileges.

**Default Value**

By default, `root` access to MySql Database Instance is allowed for any Host. 

**References**

1. https://cloud.google.com/MySql/docs/MySql/create-manage-users

**Notes**

This recommendation is only applicable to MySQL database Instances. As of now for PostgreSQL, google cloud console/gcloud utility does not offer any relevant setting/option.

Apart from default `root` if there are any other database users with administrative privileges, those should be considered for this recommendation as well.

## Service-wide remediation

> **Recommended when many resources are affected:** fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.

### Google Cloud
Use organization or folder policies where available, shared project templates, logs and alerting baselines, and IaC modules so new resources inherit the secure setting.

## Operational rollout

1. Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
2. Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
3. Re-scan and track approved exceptions with an owner and expiry date.