This page describes how to view and implement recommendations about setting a password policy for instances that don't have an instance password policy enabled for built-in authentication users. Password policies help prevent the creation of weak passwords and help with compliance. This recommender is called Enable instance password policy.
Every day, this recommender proactively detects instances that don't have an instance password policy enabled and provides insights and recommendations to improve your instance security. You can view insights and detailed recommendations about these instances by using the Google Cloud console, gcloud CLI , or the Recommender API .
Before you begin
Ensure that you enable the Recommender API .
Required roles and permissions
To get the permissions to view and work with insights and recommendations, ensure that you have the required Identity and Access Management (IAM) roles .
| Tasks | Roles |
|---|---|
| View recommendations | recommender.cloudsqlViewer
or cloudsql.admin
. |
| Apply recommendations | cloudsql.editor
or cloudsql.admin
. |
List the recommendations
To list the recommendations, follow these steps:
Console
To list recommendations about instance security, follow these steps:
-
Go to the Cloud SQL Instancespage.
-
View the Issuescolumn in the instance table.
Alternatively, follow these steps:
-
Go to the Active Assist.
For more information, see Exploring recommendations .
-
In the All recommendationscard, click Security.
gcloud
Run the gcloud recommender recommendations list
command as follows:
gcloud recommender recommendations list \ --project= PROJECT_ID \ --location= LOCATION \ --recommender=google.cloudsql.instance.SecurityRecommender \ --filter=recommenderSubtype=ENABLE_INSTANCE_PASSWORD_POLICY
Replace the following:
- PROJECT_ID : Your project ID.
- LOCATION : A region where your instances are located, such as us-central1.
API
Call the recommendations.list
method as follows:
GET https://recommender.googleapis.com/v1beta1/projects/ PROJECT_ID /locations/ LOCATION /recommenders/google.cloudsql.instance.SecurityRecommender/recommendations?filter=recommenderSubtype=ENABLE_INSTANCE_PASSWORD_POLICY
Replace the following:
- PROJECT_ID : Your project ID.
- LOCATION
: A region where your instances are located, such as
us-central1.
View insights and detailed recommendations
To view insights and detailed recommendations, follow these steps:
Console
After listing the recommendations, click a recommendation. The recommendation panel appears, which contains insights and detailed recommendations.
gcloud
Run the gcloud recommender insights list
command as follows:
gcloud recommender insights list \ --project= PROJECT_ID \ --location= LOCATION \ --insight-type=google.cloudsql.instance.SecurityInsight \ --filter=insightSubtype=INSTANCE_PASSWORD_POLICY_NOT_ENABLED
Replace the following:
- PROJECT_ID : Your project ID.
- LOCATION
: A region where your instances are located, such as
us-central1.
API
Call the insights.list
method as follows:
GET https://recommender.googleapis.com/v1beta1/projects/ PROJECT_ID /locations/ LOCATION /insightTypes/google.cloudsql.instance.SecurityInsight/insights?filter=insightSubtype=INSTANCE_PASSWORD_POLICY_NOT_ENABLED
Replace the following:
- PROJECT_ID : Your project ID.
- LOCATION
: A region where your instances are located, such as
us-central1.
Apply the recommendation
Console
To implement the recommendation, click Manage password policyand enable instance password policies on your instance.
gcloud
To implement the recommendation, enable instance password policies on your instance.
API
To implement the recommendation, enable instance password policies on your instance.
