This check verifies that Cloud SQL for PostgreSQL instances have the log_min_error_statement flag set to error. The flag is the severity threshold that controls when the SQL text of a statement is logged with its error message.
Risk
An incorrect threshold skews visibility and exposure:
- Lower than error: logs excessive SQL, risking confidentiality loss and alert noise (monitoring availability).
- Higher than error: omits query context for real errors, weakening audit trail integrity and incident response.
prowler gcp --checks cloudsql_instance_postgres_log_min_error_statement_flag
Recommendation
Set log_min_error_statement to error to balance insight and exposure. Enforce a logging policy that limits sensitive data in queries and supports defense in depth. Periodically review severity and retention to match workload and compliance needs and maintain reliable forensic readiness.
Remediation
gcloud sql instances patch <example_resource_name> --database-flags=log_min_error_statement=error
- In Google Cloud Console, go to Cloud SQL > Instances and open your PostgreSQL instance
- Click Edit
- In Database flags, click Add item, select log_min_error_statement, set value to error
- Click Save (the instance will restart)
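The following is an added example, not Prowler's code or part of the original page. It classifies instances by the two failure modes described under Risk and builds a patch command that carries over the other flags already set, because `gcloud sql instances patch --database-flags` replaces the instance's whole flag list. The instance names and JSON are constructed, reporting an unset flag as its own status is an assumption, and flag values are assumed to contain no commas.

```python
import json

# PostgreSQL severities for log_min_error_statement, least to most severe.
LEVELS = ["debug5", "debug4", "debug3", "debug2", "debug1", "info",
          "notice", "warning", "error", "log", "fatal", "panic"]
FLAG, WANT = "log_min_error_statement", "error"

# Constructed sample, shaped like `gcloud sql instances list --format=json`.
SAMPLE = json.loads("""[
 {"name": "pg-ok", "databaseVersion": "POSTGRES_15", "settings": {"databaseFlags":
   [{"name": "log_min_error_statement", "value": "error"}]}},
 {"name": "pg-verbose", "databaseVersion": "POSTGRES_15", "settings": {"databaseFlags":
   [{"name": "log_connections", "value": "on"},
    {"name": "log_min_error_statement", "value": "debug1"}]}},
 {"name": "pg-quiet", "databaseVersion": "POSTGRES_14", "settings": {"databaseFlags":
   [{"name": "log_min_error_statement", "value": "panic"}]}},
 {"name": "pg-unset", "databaseVersion": "POSTGRES_16", "settings": {}},
 {"name": "mysql-1", "databaseVersion": "MYSQL_8_0", "settings": {}}
]""")

def flags_of(instance):
    items = instance.get("settings", {}).get("databaseFlags") or []
    return {f["name"]: f["value"] for f in items}

def classify(instance):
    """Return skip, unset, invalid, ok, too_verbose or too_quiet."""
    if not instance.get("databaseVersion", "").startswith("POSTGRES"):
        return "skip"  # the flag only applies to PostgreSQL instances
    value = flags_of(instance).get(FLAG)
    if value is None:
        return "unset"  # assumption: reported separately for review
    if value.lower() not in LEVELS:
        return "invalid"
    diff = LEVELS.index(value.lower()) - LEVELS.index(WANT)
    return "ok" if diff == 0 else ("too_verbose" if diff < 0 else "too_quiet")

def patch_command(instance):
    """Build the patch command, carrying over every other flag already set."""
    flags = flags_of(instance)
    flags[FLAG] = WANT
    if any("," in str(v) for v in flags.values()):
        raise ValueError("flag value contains a comma; set it by hand")
    joined = ",".join(f"{k}={v}" for k, v in flags.items())
    return f"gcloud sql instances patch {instance['name']} --database-flags={joined}"

if __name__ == "__main__":
    for inst in SAMPLE:
        status = classify(inst)
        print(inst["name"], status)
        if status not in ("ok", "skip"):
            print("  " + patch_command(inst))
```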
Resource Type
sqladmin.googleapis.com/Instance