Database Center aggregates and categorizes database health issues across the projects in your Google Cloud organizations into a single dashboard. To do so, it uses data from your Google Cloud projects and Security Command Center, based on the resources in each organization. Some companies might have more than one organization.
In Database Center, resources are the clusters and virtual machines that handle your workloads. An individual resource is a named unit of compute or storage. For example, in Cloud SQL, an instance and a read replica are separate individual resources.
A database resource group refers to all cloud computing resources that serve a set of data. For example, in Cloud SQL, one database resource group includes a primary instance and all the read replica instances associated with it.
Health issue categories
To help you view the most important aspects of your database fleet health at a glance, Database Center organizes health issues into industry-standard categories including cost, performance and capacity, availability, data protection, security, and industry compliance.
A database health issue is any topic that you want to monitor to ensure that your fleet is healthy and that your applications are robust and secure.
You can customize which databases and health issues Database Center displays. When you customize health issues, your customizations only apply to your view of the organization. Health issue customizations are saved at the per-user level.
Health issue categories are described as follows:
Health issue category | Description |
---|---|
Availability configuration | Availability issues track resource configurations that affect durability, fault tolerance, and downtime. |
Cost | Cost issues help you optimize your database fleet for cost-saving opportunities. |
Data protection | Data protection issues help you ensure the following: |
Security | Security issues help you perform the following types of tasks: |
Industry compliance | Industry compliance issues help you ensure that the database resources in your organization are compliant with common industry standards. Database Center helps you monitor compliance for the following industry standards: |
Performance and capacity | Performance and capacity issues help you determine if your resource usage is putting your database performance at risk. These issues highlight the following: |
Other | Other issues include miscellaneous configurations that can help you with the following: |
Health issue tiers
Supported health issues are in one of three tiers:
- Standard: included by default with Database Center
- Gemini: requires you to enable Gemini in Databases
- Security Command Center (SCC): requires you to enable the Security Command Center
Database Center doesn't check for issues that depend on Security Command Center (SCC) or Gemini in Databases unless you have the specific tiers enabled. If Security Command Center or Gemini in Databases isn't enabled, then all issue checks display as passing in the user interface.
For more information on how to enable the Gemini in Databases or Security Command Center tiers, see Set up Database Center.
Supported health issues
All available health issues are shown in the following table.
Category | Issue | Tier | AlloyDB for PostgreSQL | Bigtable | Cloud SQL for MySQL | Cloud SQL for PostgreSQL | Cloud SQL for SQL Server | Firestore | Spanner |
---|---|---|---|---|---|---|---|---|---|
Availability | Resource not failover protected | Standard | ✔ | ✔ | ✔ | ✔ | ✔ | ||
Availability | Not replicating across regions | Standard | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | |
Cost | Idle resource | Gemini | ✔ | ✔ | ✔ | ||||
Cost | Overprovisioned resource | Gemini | ✔ | ✔ | ✔ | ||||
Data protection | No automated backup policy | Standard | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | |
Data protection | Short backup retention | Standard | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | |
Data protection | Last backup failed | Standard | ✔ | ✔ | ✔ | ✔ | ✔ | ||
Data protection | Last backup older than 24h | Standard | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | |
Industry compliance | Violates CIS Google Cloud Foundation 2.0 | SCC / Gemini | ✔ | ✔ | ✔ | ✔ | |||
Industry compliance | Violates CIS Google Cloud Foundation 1.3 | SCC / Gemini | ✔ | ✔ | ✔ | ||||
Industry compliance | Violates CIS Google Cloud Foundation 1.2 | SCC / Gemini | ✔ | ✔ | ✔ | ||||
Industry compliance | Violates CIS Google Cloud Foundation 1.1 | SCC / Gemini | ✔ | ✔ | ✔ | ||||
Industry compliance | Violates CIS Google Cloud Foundation 1.0 | SCC / Gemini | ✔ | ✔ | ✔ | ||||
Industry compliance | Violates NIST 800-53 | SCC / Gemini | ✔ | ✔ | ✔ | ✔ | |||
Industry compliance | Violates ISO-27001 | SCC / Gemini | ✔ | ✔ | ✔ | ✔ | |||
Industry compliance | Violates PCI-DSS v3.2.1 | SCC / Gemini | ✔ | ✔ | |||||
Industry compliance | Violates NIST 800-53 R5 | SCC / Gemini | ✔ | ✔ | ✔ | ||||
Industry compliance | Violates NIST Cybersecurity Framework 1.0 | SCC / Gemini | ✔ | ✔ | ✔ | ✔ | |||
Industry compliance | Violates ISO-27001 v2022 | SCC / Gemini | ✔ | ✔ | ✔ | ✔ | |||
Industry compliance | Violates PCI-DSS v4.0 | SCC / Gemini | ✔ | ✔ | ✔ | ✔ | |||
Industry compliance | Violates SOC2 v2017 | SCC / Gemini | ✔ | ✔ | ✔ | ✔ | |||
Industry compliance | Violates Cloud Controls Matrix 4 | SCC / Gemini | ✔ | ✔ | ✔ | ✔ | |||
Industry compliance | Violates CIS Critical Security Controls 8.0 | SCC / Gemini | ✔ | ✔ | ✔ | ||||
Industry compliance | Violates HIPAA | SCC / Gemini | ✔ | ✔ | ✔ | ||||
Other | Logs not optimized for troubleshooting | SCC / Gemini | ✔ | ||||||
Other | Query durations not logged | SCC / Gemini | ✔ | ||||||
Other | Error logging misconfigured for statement severity | SCC / Gemini | ✔ | ✔ | |||||
Other | Error logging misconfigured for message severity | SCC / Gemini | ✔ | ✔ | |||||
Other | Verbose error logging | SCC / Gemini | ✔ | ✔ | |||||
Other | User granted all permissions | SCC / Gemini | ✔ | ✔ | |||||
Other | Query lock waits not logged | SCC / Gemini | ✔ | ||||||
Other | Error logging misconfigured for statements | SCC / Gemini | ✔ | ||||||
Other | Query statistics logged | SCC / Gemini | ✔ | ||||||
Other | Excessive logging of client hostname | SCC / Gemini | ✔ | ||||||
Other | Excessive logging of parser statistics | SCC / Gemini | ✔ | ||||||
Other | Excessive logging of planner statistics | SCC / Gemini | ✔ | ||||||
Other | Not logging temporary files | SCC / Gemini | ✔ | ||||||
Other | Not logging only DDL statements | SCC / Gemini | ✔ | ||||||
Other | Logging query statement statistics | SCC / Gemini | ✔ | ||||||
Other | Concurrent connections max configured | SCC / Gemini | ✔ | ||||||
Other | User options configured | SCC / Gemini | ✔ | ||||||
Other | Connection attempts not logged | SCC / Gemini | ✔ | ||||||
Other | Disconnections not logged | SCC / Gemini | ✔ | ||||||
Other | Logging excessive statement info | SCC / Gemini | ✔ | ||||||
Other | Data exported to external Cloud Storage bucket | SCC / Gemini | ✔ | ✔ | ✔ | ||||
Other | Data exported to public Cloud Storage bucket | SCC / Gemini | ✔ | ✔ | ✔ | ||||
Other | Writes to user table by superuser | SCC / Gemini | ✔ | ✔ | ✔ | ||||
Security | Public IP enabled | Standard | ✔ | ✔ | ✔ | ||||
Security | Broad public IP range | Standard | ✔ | ✔ | ✔ | ||||
Security | Unencrypted connections | Standard | ✔ | ✔ | ✔ | ✔ | |||
Security | No root password | SCC / Gemini | ✔ | ||||||
Security | Weak root password | SCC / Gemini | ✔ | ✔ | ✔ | ✔ | |||
Security | Encryption key not customer-managed | SCC / Gemini | ✔ | ✔ | ✔ | ||||
Security | Contained database authentication not required | SCC / Gemini | ✔ | ||||||
Security | Exposed to external scripts | SCC / Gemini | ✔ | ||||||
Security | Exposed to local data loads | SCC / Gemini | ✔ | ||||||
Security | Exposed to remote access | SCC / Gemini | ✔ | ||||||
Security | Database names exposed | SCC / Gemini | ✔ | ||||||
Security | Sensitive trace info not masked | SCC / Gemini | ✔ | ||||||
Security | Auditing not enabled | Standard | ✔ | ✔ | ✔ | ✔ | |||
Security | Server certificate expiring | Standard | ✔ | ✔ | ✔ | ✔ | |||
Security | Violates policy restricting public IP | Standard | ✔ | ✔ | ✔ | ||||
Security | Violates policy restricting authorized networks | Standard | ✔ | ✔ | ✔ | ||||
Security | No password policy | Standard | ✔ | ✔ | ✔ | ||||
Performance and capacity | Underprovisioned resource | Standard | ✔ | ✔ | ✔ | ✔ | |||
Performance and capacity | High number of tables | Standard | ✔(E+) | ||||||
Performance and capacity | High transaction ID utilization | Standard | ✔(E+) | ||||||
Performance and capacity | Nearing or at storage capacity | Standard | ✔ | ✔ | ✔ | ✔ | |||
Performance and capacity | High number of open tables | Standard | ✔ | ||||||
Performance and capacity | Connections burdening disk | Standard | ✔(E+) | ||||||
Performance and capacity | Temp tables impacting performance | Standard | ✔(E+) | ||||||
Performance and capacity | Transaction logs burdening disk | Standard | ✔(E+) | ||||||
Performance and capacity | Nearing cluster quota limit | Standard | ✔ |
Security issues supported by Security Command Center pricing tiers
Security Command Center Standard tier supports the following health issues for Cloud SQL in Database Center:
- Public IP enabled
- Exposed to public access
Security Command Center Premium tier supports the following health issues in Database Center:
- Industry compliance violations
- Unencrypted connections
- Databases not auditable
- No password
- Weak password
- Encryption key not customer-managed
- Server authentication not required
- Exposed by ownership chaining
- Exposed to external scripts
- Exposed to local data loads
- Logs not optimized for troubleshooting
- Connection attempts not logged
- Disconnections not logged
- Query durations not logged
- Verbose error logging
- Error logging misconfigured for statements
- Error logging misconfigured for statement severity
- Error log misconfigured for message severity
- Not logging only DDL statements
- Exposed to remote access
- Database names exposed
- Sensitive trace info not masked
For more information, see Security Command Center pricing tiers.