rspec/rules/S6403/description.adoc

By default, GCP SQL instances offer encryption in transit, with support for TLS, but insecure connections are still accepted. On an unsecured network, such as a public network, the risk of traffic being intercepted is high. When the data isn't encrypted, an attacker can intercept it and read confidential information.

When creating a GCP SQL instance, a public IP address is automatically assigned to it and connections to the SQL instance from public networks can be authorized.

TLS is automatically used when connecting to SQL instances through:

* The https://cloud.google.com/sql/docs/mysql/connect-admin-proxy[Cloud SQL Auth proxy].
* The https://cloud.google.com/sql/docs/mysql/connect-overview#languages[Java Socket Library].
* The built-in mechanisms in the https://cloud.google.com/appengine/docs[App Engine] environments.
Create rule S6403[terraform] Creating GCP SQL instances without requiring TLS is security-sensitive (#712) * Create rule S6403 * init s6403 * fixes after review * Add message for omitted attributes. (#844) * Add message for omitted attributes. * Update rules/S6403/message.adoc Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> * Add new source tags for code examples Co-authored-by: eric-therond-sonarsource <eric-therond-sonarsource@users.noreply.github.com> Co-authored-by: eric-therond-sonarsource <eric.therond@sonarsource.com> Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> Co-authored-by: Nils Werner <nils.werner@sonarsource.com> 2022-02-22 11:01:40 +00:00			`By default, GCP SQL instances offer encryption in transit, with support for TLS, but insecure connections are still accepted. On an unsecured network, such as a public network, the risk of traffic being intercepted is high. When the data isn't encrypted, an attacker can intercept it and read confidential information.`

			`When creating a GCP SQL instance, a public IP address is automatically assigned to it and connections to the SQL instance from public networks can be authorized.`

			`TLS is automatically used when connecting to SQL instances through:`

			`* The https://cloud.google.com/sql/docs/mysql/connect-admin-proxy[Cloud SQL Auth proxy].`
			`* The https://cloud.google.com/sql/docs/mysql/connect-overview#languages[Java Socket Library].`
			`* The built-in mechanisms in the https://cloud.google.com/appengine/docs[App Engine] environments.`