Cloud SQL – Enable Log Export
This check ensures that log export is enabled for Cloud SQL instances. Exporting logs helps with monitoring, troubleshooting, auditing, and detecting suspicious or abnormal database activity.
Check Details
- Resource: Cloud SQL
- Check: Configure log export
- Risk: Without log export, database activity and errors are not centrally recorded, making it difficult to investigate incidents, monitor performance issues, or meet compliance and audit requirements.
Remediation via Google Cloud Console
- Log in to the Google Cloud Console and navigate to Cloud SQL.
- Click on the affected Cloud SQL instance.
- Click Edit to modify the instance configuration.
- Scroll to the Logs section.
- Enable log export for the required log types such as:
  - Database logs
  - Error logs
  - Query logs (if applicable)
- Click Save to apply the changes.
Remediation via Google Cloud CLI
- Open the Google Cloud Console and launch Cloud Shell.
- Enable log export for a Cloud SQL instance:

      gcloud sql instances patch <INSTANCE_NAME> \
        --enable-cloud-logging

  Replace <INSTANCE_NAME> with your Cloud SQL instance name.

Once enabled, logs will be exported to Cloud Logging and can be viewed or routed to other destinations such as BigQuery or Cloud Storage.
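To confirm that Cloud SQL logs are actually routed onward to BigQuery or Cloud Storage, the sink list can be audited. The script below is an added example, not part of the original article; it assumes input in the shape of `gcloud logging sinks list --format=json`, and the sink, project, bucket and dataset names are constructed placeholders.

```python
import json
import sys

# Destination prefixes for the two export targets the article names.
EXPORT_TARGETS = {
    "bigquery.googleapis.com/": "BigQuery",
    "storage.googleapis.com/": "Cloud Storage",
}
SQL_RESOURCE = "cloudsql_database"  # monitored-resource type of Cloud SQL log entries


def sql_export_sinks(sinks):
    """Return (sink name, target) for enabled sinks that export Cloud SQL logs.

    Heuristic: an empty filter routes every log entry; otherwise the filter
    must mention the Cloud SQL resource type. This is a substring match, not a
    filter evaluator, so negated or compound filters still need manual review.
    """
    found = []
    for sink in sinks:
        if sink.get("disabled"):
            continue  # a disabled sink routes nothing
        flt = sink.get("filter", "")
        if flt and SQL_RESOURCE not in flt:
            continue  # filter is scoped to some other resource type
        for prefix, target in EXPORT_TARGETS.items():
            if sink.get("destination", "").startswith(prefix):
                found.append((sink["name"], target))
    return found


# Constructed sample; project, bucket and dataset names are placeholders.
SAMPLE_SINKS = [
    {"name": "sql-to-bq", "filter": 'resource.type="cloudsql_database"',
     "destination": "bigquery.googleapis.com/projects/example-project/datasets/sql_logs"},
    {"name": "all-to-gcs", "filter": "",
     "destination": "storage.googleapis.com/example-archive-bucket"},
    {"name": "sql-paused", "filter": 'resource.type="cloudsql_database"', "disabled": True,
     "destination": "storage.googleapis.com/example-archive-bucket"},
    {"name": "gce-only", "filter": 'resource.type="gce_instance"',
     "destination": "bigquery.googleapis.com/projects/example-project/datasets/gce_logs"},
]

if __name__ == "__main__":
    # Real data: gcloud logging sinks list --format=json | python3 this_script.py
    sinks = SAMPLE_SINKS if sys.stdin.isatty() else json.load(sys.stdin)
    hits = sql_export_sinks(sinks)
    for name, target in hits:
        print(f"{name}: Cloud SQL logs exported to {target}")
    sys.exit(0 if hits else 1)  # non-zero exit: no export sink found
```

The non-zero exit status when no matching sink exists lets the check run as a gate in a scheduled compliance job.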
Default Value
By default, log export is not enabled for Cloud SQL instances. Database logs are not centrally available unless log export is explicitly configured.