Database health issues

Database Center aggregates and categorizes database health issues across the projects in your Google Cloud organization(s) into a single dashboard. Database Center uses data from your Google Cloud projects and Security Command Center to aggregate and categorize database health issues based on the resources in your Google Cloud organization. Some companies might have more than one organization.

In Database Center, resources are the clusters and virtual machines that handle your workloads. An individual resource is a named unit of compute or storage. For example, in Cloud SQL, an instance and a read replica are separate individual resources.

A database resource group refers to all cloud computing resources that serve a set of data. For example, in Cloud SQL, one database resource group includes a primary instance and all the read replica instances associated with it.

Health issue categories

To help you view the most important aspects of your database fleet health at a glance, Database Center organizes health issues into industry-standard categories including cost, performance and capacity, availability, data protection, security, and industry compliance.

A database health issue is any topic that you want to monitor to ensure that your fleet is healthy and that your applications are robust and secure.

You can customize which databases and health issues Database Center displays. When you customize health issues, your customizations only apply to your view of the organization. Health issue customizations are saved at the per-user level.

Health issue categories are described as follows:

Health issue category Description

Availability configuration

Availability issues track resource configurations that affect durability, fault tolerance, and downtime.

Cost

Cost issues help you optimize your database fleet for cost-saving opportunities.

Data protection

Data protection issues help you ensure the following:

  • Your data is properly backed up.
  • You store backups for a sufficient period of time.
  • There are no gaps in your overall data protection strategy.

Security

Security issues help you perform the following types of tasks:

  • Identify security misconfigurations and vulnerabilities.
  • Identify and address cyber security risks.
  • Detect threats to your Google Cloud database resources.
  • Monitor and manage regulatory compliance.

Industry compliance

Industry compliance issues help you ensure that the database resources in your organization are compliant with common industry standards. Database Center helps you monitor compliance for the following industry standards:

  • CIS Google Cloud Foundation 2.0
  • CIS Google Cloud Foundation 1.3
  • CIS Google Cloud Foundation 1.2
  • CIS Google Cloud Foundation 1.1
  • CIS Google Cloud Foundation 1.0
  • NIST 800-53
  • ISO-27001
  • PCI-DSS v3.2.1

Performance and capacity

Performance and capacity issues help you determine if your resource usage is putting your database performance at risk. These issues highlight the following:

  • Instances with high CPU or memory utilization.
  • Instances that are running low on storage capacity.
  • Databases with a large number of tables or high table utilization
  • Temporary tables affecting database performance

Other

Other issues include miscellaneous configurations that can help you with the following:

  • Query troubleshooting, like "query durations not logged"
  • Errors and logging scope, like "verbose error logging"
  • Settings related to connections and users, like "connection attempts not logged"

Health issue tiers

Supported health issues are in one of three tiers:

  1. Standard: included by default with Database Center
  2. Gemini: requires you to enable Gemini in Databases
  3. Security Command Center (SCC): requires you to enable the Security Command Center

Database Center doesn't check for issues that are dependent on Security Command Center (SCC) or Gemini in Databases unless you have the specific tiers enabled. If Security Command Center or Gemini in Databases aren't enabled, then all issue checks display as passing in the user interface.

For more information on how to enable the Gemini in Databases or Security Command Center tiers, see Set up Database Center.

Supported health issues

All available health issues are shown in the following table by default. To view health issues for a specific tier, database, or category use the Select tier, Select database, or Select category drop-downs. To clear all selections, click Clear all.


Category Issue Tier AlloyDB for PostgreSQL Cloud SQL for MySQL Cloud SQL for PostgreSQL Cloud SQL for SQL Server Spanner
Availability Resource not failover protected Standard
Data protection No automated backup policy Standard
Data protection Short backup retention Standard
Data protection Last backup failed Standard
Data protection Last backup older than 24h Standard
Industry compliance Violates CIS Google Cloud Foundation 2.0 SCC / Gemini
Industry compliance Violates CIS Google Cloud Foundation 1.3 SCC / Gemini
Industry compliance Violates CIS Google Cloud Foundation 1.2 SCC / Gemini
Industry compliance Violates CIS Google Cloud Foundation 1.1 SCC / Gemini
Industry compliance Violates CIS Google Cloud Foundation 1.0 SCC / Gemini
Industry compliance Violates NIST 800-53 SCC / Gemini
Industry compliance Violates ISO-27001 SCC / Gemini
Industry compliance Violates PCI-DSS v3.2.1 SCC / Gemini
Industry compliance Violates NIST 800-53 R5 SCC / Gemini
Industry compliance Violates NIST Cybersecurity Framework 1.0 SCC / Gemini
Industry compliance Violates ISO-27001 v2022 SCC / Gemini
Industry compliance Violates PCI-DSS v4.0 SCC / Gemini
Industry compliance Violates SOC2 v2017 SCC / Gemini
Industry compliance Violates Cloud Controls Matrix 4 SCC / Gemini
Industry compliance Violates CIS Critical Security Controls 8.0 SCC / Gemini
Industry compliance Violates HIPAA SCC / Gemini
Other Logs not optimized for troubleshooting SCC / Gemini
Other Query durations not logged SCC / Gemini
Other Error logging misconfigured for statement severity SCC / Gemini
Other Error logging misconfigured for message severity SCC / Gemini
Other Verbose error logging SCC / Gemini
Other User granted all permissions SCC / Gemini
Other Query lock waits not logged SCC / Gemini
Other Error logging misconfigured for statements SCC / Gemini
Other Query statistics logged SCC / Gemini
Other Excessive logging of client hostname SCC / Gemini
Other Excessive logging of parser statistics SCC / Gemini
Other Excessive logging of planner statistics SCC / Gemini
Other Not logging temporary files SCC / Gemini
Other Not logging only DDL statements SCC / Gemini
Other Logging query statement statistics SCC / Gemini
Other Concurrent connections max configured SCC / Gemini
Other User options configured SCC / Gemini
Other Connection attempts not logged SCC / Gemini
Other Disconnections not logged SCC / Gemini
Other Logging excessive statement info SCC / Gemini
Other Data exported to external Cloud Storage bucket SCC / Gemini
Other Data exported to public Cloud Storage bucket SCC / Gemini
Other Writes to user table by superuser SCC / Gemini
Security Public IP enabled Standard
Security Broad public IP range Standard
Security Unencrypted connections Standard
Security No root password SCC / Gemini
Security Weak root password SCC / Gemini
Security Encryption key not customer-managed SCC / Gemini
Security Contained database authentication not required SCC / Gemini
Security Exposed to external scripts SCC / Gemini
Security Exposed to local data loads SCC / Gemini
Security Exposed to remote access SCC / Gemini
Security Database names exposed SCC / Gemini
Security Sensitive trace info not masked SCC / Gemini
Security Auditing not enabled for important instance Standard
Security Server certificate expiring Standard
Security Violates policy restricting public IP Standard
Security Violates policy restricting authorized networks Standard
Security No password policy Standard
Cost Idle resource Gemini
Cost Overprovisioned resource Gemini
Performance and capacity Underprovisioned resource Standard
Performance and capacity High number of tables Standard (E+)
Performance and capacity High transaction ID utilization Standard (E+)
Performance and capacity Nearing or at storage capacity Standard
Performance and capacity High number of open tables Standard
Performance and capacity Connections burdening disk Standard (E+)
Performance and capacity Temp tables impacting performance Standard (E+)
Performance and capacity Transaction logs burdening disk Standard (E+)
Performance and capacity Nearing cluster quota limit Standard
Availability Not replicating across regions Standard

Security issues supported by Security Command Center pricing tiers

Security Command Center Standard tier supports the following health issues for Cloud SQL in Database Center:

  • Public IP enabled
  • Exposed to public access

Security Command Center Premium tier supports the following health issues in Database Center:

  • Industry compliance violations
  • Unencrypted connections
  • Databases not auditable
  • No password
  • Weak password
  • Encryption key not customer-managed
  • Server authentication not required
  • Exposed by ownership chaining
  • Exposed to external scripts
  • Exposed to local data loads
  • Logs not optimized for troubleshooting
  • Connection attempts not logged
  • Disconnections not logged
  • Query durations not logged
  • Verbose error logging
  • Error logging misconfigured for statements
  • Error logging misconfigured for statement severity
  • Error log misconfigured for message severity
  • Not logging only DDL statements
  • Exposed to remote access
  • Database names exposed
  • Sensitive trace info not masked

For more information, see Security Command Center pricing tiers.

What's next