This page describes the AlloyDB password policy Recommender, which helps you identify instances without a password policy, enforce strong passwords, and meet compliance requirements.
The AlloyDB password policy Recommender immediately detects instances that don't have an instance password policy enabled and provides insights and recommendations to improve your instance security.
Recommendations are generated daily.
Pricing
The AlloyDB password policy Recommender is available free of cost to all Google Cloud customers. For more information, see Recommender pricing.
Before you begin
Before you can view recommendations and insights, you must do the following:
- Ensure that you enable the Recommender API.
- To get the permissions to view and work with insights and recommendations, ensure that you have the required Identity and Access Management (IAM) roles.

Tasks and roles:
- View recommendations: one of these roles: recommender.alloydbViewer.
- Apply recommendations: one of these roles: recommender.alloydbAdmin or alloydb.admin.

See Grant access to other users for more information.
List the recommendations
You can list the password policy recommendations using the Google Cloud console, gcloud CLI, or the Recommender API.
Console
To list password policy recommendations using the Google Cloud console, follow these steps:
- In the Google Cloud console, go to the AlloyDB Clusters page.
  For more information, see Getting started with Recommendation Hub.
- In the Security card, click No password policy.
- Under the Resources table, select instances with the No password policy recommendation.
gcloud CLI
To list password policy recommendations using gcloud CLI, run the gcloud recommender recommendations list command as follows:

gcloud recommender recommendations list \
    --project=PROJECT_ID \
    --location=LOCATION \
    --recommender=google.alloydb.instance.SecurityRecommender \
    --filter=recommenderSubtype=ENABLE_INSTANCE_PASSWORD_POLICY

Replace the following:
- PROJECT_ID: your project ID.
- LOCATION: the region where your instances are located, such as us-central1.
API
To list password policy recommendations using the Recommendations API, call the recommendations.list method as follows:

GET https://recommender.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION/recommenders/google.alloydb.instance.SecurityRecommender/recommendations?filter=recommenderSubtype=ENABLE_INSTANCE_PASSWORD_POLICY

Replace the following:
- PROJECT_ID: your project ID.
- LOCATION: the region where your instances are located, such as us-central1.
View insights and detailed recommendations
You can view insights and detailed recommendations about instances that require enabling instance password policies using the Google Cloud console, gcloud CLI, or the Recommender API.
Console
To view insights and detailed recommendations about instances that require enabling instance password policies, click the recommendation link in the list of instances on the Clusters page.
gcloud CLI
To view insights and detailed recommendations about instances that require enabling instance password policies, run the gcloud recommender insights list command as follows:

gcloud recommender insights list \
    --project=PROJECT_ID \
    --location=LOCATION \
    --insight-type=google.alloydb.instance.SecurityInsight \
    --filter=insightSubtype=INSTANCE_PASSWORD_POLICY_NOT_ENABLED

Replace the following:
- PROJECT_ID: your project ID.
- LOCATION: a region where your instances are located, such as us-central1.
API
To view insights and detailed recommendations about instances that require enabling instance password policies using the Recommendations API, call the insights.list method as follows:

GET https://recommender.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/insightTypes/google.alloydb.instance.SecurityInsight/insights?filter=insightSubtype=INSTANCE_PASSWORD_POLICY_NOT_ENABLED

Replace the following:
- PROJECT_ID: your project ID.
- LOCATION: a region where your instances are located, such as us-central1.
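
The following Python helper is an added example, not part of the original page or of any Google library. It builds the insights.list URL shown above, follows nextPageToken across pages and regions, and returns the target resources of insights that are still ACTIVE. The fetch hook, the project, cluster and instance names, and the sample responses are constructed assumptions.

```python
from urllib.parse import urlencode

BASE = "https://recommender.googleapis.com/v1"
INSIGHT_TYPE = "google.alloydb.instance.SecurityInsight"
SUBTYPE = "INSTANCE_PASSWORD_POLICY_NOT_ENABLED"

def insights_url(project_id, location, page_token=None):
    """Build the insights.list URL from this page, optionally for a later page."""
    params = {"filter": f"insightSubtype={SUBTYPE}"}
    if page_token:
        params["pageToken"] = page_token
    return (f"{BASE}/projects/{project_id}/locations/{location}"
            f"/insightTypes/{INSIGHT_TYPE}/insights?{urlencode(params, safe='=')}")

def unprotected_instances(project_id, locations, fetch):
    """Collect target resources of ACTIVE insights across regions and pages.
    fetch(url) -> dict is a caller-supplied hook (hypothetical; in real use an
    authenticated GET that returns the decoded JSON body).
    """
    found = set()
    for location in locations:
        token = None
        while True:
            page = fetch(insights_url(project_id, location, token))
            for insight in page.get("insights", []):
                if insight.get("insightSubtype") != SUBTYPE:
                    continue
                if insight.get("stateInfo", {}).get("state") != "ACTIVE":
                    continue  # already accepted or dismissed
                found.update(insight.get("targetResources", []))
            token = page.get("nextPageToken")
            if not token:
                break
    return sorted(found)

def sample_insight(instance, state):
    # Constructed sample record; resource names are made up for illustration.
    res = ("//alloydb.googleapis.com/projects/demo-project/locations/us-central1"
           f"/clusters/demo-cluster/instances/{instance}")
    return {"insightSubtype": SUBTYPE, "stateInfo": {"state": state},
            "targetResources": [res]}

# Constructed two-page response for one region, keyed by request URL.
SAMPLE_PAGES = {
    insights_url("demo-project", "us-central1"):
        {"insights": [sample_insight("primary", "ACTIVE")], "nextPageToken": "p2"},
    insights_url("demo-project", "us-central1", "p2"):
        {"insights": [sample_insight("pool-a", "DISMISSED"), sample_insight("pool-b", "ACTIVE")]},
}
```

Calling unprotected_instances("demo-project", ["us-central1"], SAMPLE_PAGES.__getitem__) runs the helper against the constructed pages without network access.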
Apply the recommendation
To implement this recommendation, do the following:
- Click No password policy in the Issues column.
- In the Enable password policy window, click Edit instance.
- Set an instance password policy.

