Cloud SQL for SQL Server instances have the 3625 (trace flag) database flag set to on
Risk
Without trace flag 3625 enabled, SQL Server error messages can reveal query parameters and object names to non-administrative logins, weakening confidentiality and aiding targeted injection, account enumeration and data discovery. That leaked context makes it easier to craft exploits and pivot to other systems, ultimately putting data integrity and availability at risk.
prowler gcp --checks cloudsql_instance_sqlserver_trace_flag
Recommendation
Set trace flag 3625 to on for all SQL Server instances in Cloud SQL to limit error details for non-admins. Apply least privilege, practice defense in depth with application-level error handling, and centralize diagnostics in logs rather than returning verbose messages to clients.
Remediation
gcloud sql instances patch <INSTANCE_NAME> --database-flags=3625=on
Note: --database-flags replaces the instance's whole flag set, so list any flags already configured on the instance in the same command; applying the change restarts the instance.
- In Google Cloud Console, go to Cloud SQL > Instances and open <INSTANCE_NAME>
- Click Edit
- In Flags, click Add item
- Select 3625 (trace flag) and set value to on
- Click Save and confirm the restart
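An added audit helper, not part of Prowler or of this check's own code, that applies the same test to sqladmin Instance records (the shape returned by `gcloud sql instances list --format=json`) and builds a patch command that keeps existing flags rather than overwriting them. The instance names and flag values are constructed sample data.

```python
import json
import shlex

# Constructed sample in the shape of `gcloud sql instances list --format=json`
# (sqladmin.googleapis.com/Instance records). Names and flags are made up.
SAMPLE_INSTANCES_JSON = """
[
  {"name": "mssql-prod", "databaseVersion": "SQLSERVER_2019_STANDARD",
   "settings": {"databaseFlags": [{"name": "3625", "value": "on"}]}},
  {"name": "mssql-dev", "databaseVersion": "SQLSERVER_2017_EXPRESS",
   "settings": {}},
  {"name": "mssql-legacy", "databaseVersion": "SQLSERVER_2019_WEB",
   "settings": {"databaseFlags": [{"name": "remote access", "value": "off"},
                                  {"name": "3625", "value": "off"}]}},
  {"name": "mysql-app", "databaseVersion": "MYSQL_8_0",
   "settings": {"databaseFlags": [{"name": "local_infile", "value": "off"}]}}
]
"""


def is_sqlserver(instance: dict) -> bool:
    """The check only applies to SQL Server engines, not MySQL/PostgreSQL."""
    return instance.get("databaseVersion", "").startswith("SQLSERVER")


def flag_map(instance: dict) -> dict:
    """Return the instance's database flags as {name: value} (empty if unset)."""
    flags = instance.get("settings", {}).get("databaseFlags") or []
    return {f["name"]: f["value"] for f in flags}


def trace_flag_3625_on(instance: dict) -> bool:
    return flag_map(instance).get("3625", "").lower() == "on"


def noncompliant_instances(instances: list) -> list:
    """Names of SQL Server instances where 3625 is missing or not 'on'."""
    return [i["name"] for i in instances
            if is_sqlserver(i) and not trace_flag_3625_on(i)]


def remediation_command(instance: dict) -> str:
    """Patch command that sets 3625=on while re-stating every existing flag,
    because --database-flags replaces the whole flag set on the instance."""
    flags = flag_map(instance)
    flags["3625"] = "on"
    joined = ",".join(f"{name}={value}" for name, value in flags.items())
    return (f"gcloud sql instances patch {shlex.quote(instance['name'])} "
            f"--database-flags={shlex.quote(joined)}")


if __name__ == "__main__":
    instances = json.loads(SAMPLE_INSTANCES_JSON)
    for name in noncompliant_instances(instances):
        inst = next(i for i in instances if i["name"] == name)
        print(f"FAIL {name}: {remediation_command(inst)}")
```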
Resource Type
sqladmin.googleapis.com/Instance