
SQL Instance Configuration Changed

This alert occurs when Lacework detects a change in the configuration settings of a Google Cloud SQL instance.

Cloud SQL is a managed database service provided by Google Cloud that allows users to create, configure, and manage relational databases such as MySQL, PostgreSQL, and SQL Server in the cloud.

Related policy: LW_AT_SQL_52 SQL: Instance Configuration Changed

Why this alert is important

Changes to the configuration settings of a Cloud SQL instance can introduce security weaknesses, such as exposing sensitive data or allowing unauthorized access to the database. Examples include assigning a public IP address, adding an authorized network such as 0.0.0.0/0, allowing unencrypted client connections, disabling automated backups, or setting database flags that reduce logging or enable risky features (for example `local_infile` on MySQL or `contained database authentication` on SQL Server). Detecting such changes promptly lets you identify and remediate the issue before it can be exploited.

Changes to the configuration settings can also impact the performance of a cloud SQL instance. For example, increasing the number of CPUs or memory allocated to an instance may improve its performance but also increase costs. Monitoring changes to the configuration settings can help you optimize the performance of your cloud SQL instances while balancing the costs.

Investigation

Follow these steps to investigate the alert:

  1. Review the Cloud Audit Logs to find out who made the change, when, from which IP address, and which settings were changed. Cloud SQL configuration changes go through the Cloud SQL Admin API and are recorded as Admin Activity audit log entries for the service cloudsql.googleapis.com (method cloudsql.instances.update or cloudsql.instances.patch); these logs are enabled by default and cannot be disabled. Compare the requested settings with the last known-good configuration to identify the source of the change and determine the extent of any damage.
  2. Check for any signs of unauthorized access to the cloud SQL instance. Look for unusual login patterns, unfamiliar IP addresses, or other signs of suspicious activity that may have led to unauthorized configuration changes.
  3. Check for malware on any systems or user accounts that have access to the cloud SQL instance. Malware can be used to steal credentials or compromise systems, leading to unauthorized changes to the configuration settings.
  4. Check for any signs of social engineering, such as phishing emails or phone calls that may have been used to obtain credentials or other sensitive information. Social engineering can be used to trick users into revealing their passwords or other information, which can then be used to make unauthorized changes to cloud SQL instances.
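Much of the first investigation step can be automated. The Python below is an added example (not Lacework's or Google's code) that replays Cloud SQL Admin Activity log entries against a last-known-good settings object and reports, for each security-relevant weakness introduced, the principal, caller IP address, time and method that introduced it. The entry layout is assumed from the Cloud Audit Logs format, and the baseline, instance name, principals, IP addresses and entries are constructed for the example; in practice you would feed it entries from `gcloud logging read` filtered on `protoPayload.serviceName="cloudsql.googleapis.com"` and a baseline taken from an earlier `gcloud sql instances describe`.

```python
"""Replay Cloud SQL configuration changes from Cloud Audit Log entries and flag the
ones that weaken the instance. Added example, not Lacework's or Google's code: the
entry layout (protoPayload.methodName, authenticationInfo, requestMetadata and
request.body.settings) is assumed from Admin Activity logs; all data is constructed."""
import copy
import ipaddress
import json

# Database flags whose listed value weakens the instance (CIS GCP benchmark, section 6).
WEAK_FLAGS = {"local_infile": "on", "log_connections": "off",
              "contained database authentication": "on",
              "cross db ownership chaining": "on"}

# Constructed last-known-good settings, in the shape of the Admin API `settings` object.
BASELINE_SETTINGS = {
    "ipConfiguration": {"ipv4Enabled": False, "requireSsl": True, "authorizedNetworks": [],
                        "privateNetwork": "projects/p/global/networks/vpc"},
    "backupConfiguration": {"enabled": True},
    "databaseFlags": [{"name": "log_connections", "value": "on"}],
}

def _entry(ts, method, principal, caller_ip, settings):
    """Build one constructed Admin Activity log entry for an instance change."""
    return {"timestamp": ts, "protoPayload": {
        "serviceName": "cloudsql.googleapis.com", "methodName": method,
        "resourceName": "projects/p/instances/prod-db",
        "authenticationInfo": {"principalEmail": principal},
        "requestMetadata": {"callerIp": caller_ip},
        "request": {"body": {"settings": settings}}}}

SAMPLE_ENTRIES = [
    # patch merges into the current settings: this one exposes the instance publicly
    _entry("2024-05-01T10:00:00Z", "cloudsql.instances.patch", "alice@example.com",
           "203.0.113.7", {"ipConfiguration": {"ipv4Enabled": True,
               "authorizedNetworks": [{"name": "any", "value": "0.0.0.0/0"}]}}),
    # update replaces the whole settings object: this one drops SSL and backups
    _entry("2024-05-01T10:05:00Z", "cloudsql.instances.update",
           "deployer@p.iam.gserviceaccount.com", "198.51.100.9",
           {"ipConfiguration": {"ipv4Enabled": True, "requireSsl": False,
                                "authorizedNetworks": [{"name": "any", "value": "0.0.0.0/0"}]},
            "backupConfiguration": {"enabled": False},
            "databaseFlags": [{"name": "local_infile", "value": "on"}]}),
]

def deep_merge(base, patch):
    """Merge patch into base recursively (lists and scalars are replaced)."""
    out = copy.deepcopy(base)
    for key, value in patch.items():
        if isinstance(value, dict) and isinstance(out.get(key), dict):
            out[key] = deep_merge(out[key], value)
        else:
            out[key] = copy.deepcopy(value)
    return out

def apply_change(current, entry):
    """Settings after this entry: update replaces, patch merges (Admin API semantics)."""
    proto = entry["protoPayload"]
    requested = proto.get("request", {}).get("body", {}).get("settings", {})
    if proto["methodName"] == "cloudsql.instances.update":
        return copy.deepcopy(requested)
    if proto["methodName"] == "cloudsql.instances.patch":
        return deep_merge(current, requested)
    return current

def weaknesses(settings):
    """Security-relevant weak settings present in a settings object."""
    found = set()
    ip = settings.get("ipConfiguration", {})
    if ip.get("ipv4Enabled"):
        found.add("public IPv4 address enabled")
    for net in ip.get("authorizedNetworks", []):
        try:
            if ipaddress.ip_network(net.get("value", ""), strict=False).prefixlen == 0:
                found.add(f"authorized network open to the internet: {net['value']}")
        except ValueError:
            continue  # malformed CIDR: not a weakness, just skip it
    if ip.get("requireSsl") is False or ip.get("sslMode") == "ALLOW_UNENCRYPTED_AND_ENCRYPTED":
        found.add("unencrypted client connections allowed")
    if not settings.get("backupConfiguration", {}).get("enabled", False):
        found.add("automated backups disabled")
    for flag in settings.get("databaseFlags", []):
        if WEAK_FLAGS.get(flag.get("name")) == str(flag.get("value", "")).lower():
            found.add(f"weak database flag {flag['name']}={flag['value']}")
    return found

def triage(baseline, entries):
    """Replay Cloud SQL entries oldest-first; report who introduced each new weakness."""
    current, findings = baseline, []
    for entry in sorted(entries, key=lambda e: e["timestamp"]):
        proto = entry["protoPayload"]
        if proto.get("serviceName") != "cloudsql.googleapis.com":
            continue  # other services' entries are not instance configuration changes
        new = apply_change(current, entry)
        for weakness in sorted(weaknesses(new) - weaknesses(current)):
            findings.append({"timestamp": entry["timestamp"],
                             "principal": proto["authenticationInfo"]["principalEmail"],
                             "caller_ip": proto["requestMetadata"].get("callerIp", "n/a"),
                             "method": proto["methodName"], "weakness": weakness})
        current = new
    return findings, current

if __name__ == "__main__":
    print(json.dumps(triage(BASELINE_SETTINGS, SAMPLE_ENTRIES)[0], indent=2))
```

The before and after settings that `triage` computes are also what you need for the resolution step of restoring the previous configuration: the last known-good object is what you re-apply, and `weaknesses` run against a fresh `describe` of the instance confirms the restore took effect.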

Resolution

If you have detected an unauthorized change to the configuration settings of a cloud SQL instance, take immediate action to resolve the issue, including:

  1. Revoke access to any users or service accounts that may have been responsible for the unauthorized change. This can help prevent further unauthorized access to the cloud SQL instance.
  2. Restore the configuration settings of the Cloud SQL instance to their previous state. Cloud SQL does not keep a rollback history of settings, so re-apply the last known-good values (for example with gcloud sql instances patch) using the audit log entries and any configuration you keep under version control as the reference; if the change could have allowed data to be altered, consider restoring from an automated backup or point-in-time recovery. This helps mitigate any damage the unauthorized change may have caused.
  3. Review your access controls for the cloud SQL instance to ensure they are properly configured. Consider implementing additional security measures, such as multi-factor authentication (MFA), to help prevent future unauthorized access.
  4. Conduct a post-incident review to identify gaps or weaknesses in your security controls and procedures. Use this information to update your security policies and procedures and improve your overall security posture.
  5. Educate your users on the importance of security and the potential risks of unauthorized access. Provide training on recognizing and avoiding social engineering attacks, such as phishing emails or phone calls.