Improve instance security by setting password policies

This page describes the AlloyDB password policy Recommender, which helps you identify instances without a password policy, enforce strong passwords, and meet compliance requirements.

The AlloyDB password policy Recommender immediately detects instances that don't have an instance password policy enabled and provides insights and recommendations to improve your instance security.

Recommendations are generated daily.

Pricing

The AlloyDB password policy Recommender is available free of cost to all Google Cloud customers. For more information, see Recommender pricing.

Before you begin

Before you can view recommendations and insights, you must do the following:

List the recommendations

You can list the password policy recommendations using the Google Cloud console, gcloud CLI, or the Recommender API.

Console

To list password policy recommendations using the Google Cloud console, follow these steps:

  1. In the Google Cloud console, go to the AlloyDB Clusters page.

    For more information, see Getting started with Recommendation Hub.

  2. In the Security card, click No password policy.

  3. Under the Resources table, select instances with the No password policy recommendation.

gcloud CLI

To list password policy recommendations using the gcloud CLI, run the gcloud recommender recommendations list command as follows:

gcloud recommender recommendations list \
--project=PROJECT_ID \
--location=LOCATION \
--recommender=google.alloydb.instance.SecurityRecommender \
--filter=recommenderSubtype=ENABLE_INSTANCE_PASSWORD_POLICY

Replace the following:

  • PROJECT_ID: your project ID.
  • LOCATION: the region where your instances are located, such as us-central1.

API

To list password policy recommendations using the Recommender API, call the recommendations.list method as follows:

GET https://recommender.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION/recommenders/google.alloydb.instance.SecurityRecommender/recommendations?filter=recommenderSubtype=ENABLE_INSTANCE_PASSWORD_POLICY

Replace the following:

  • PROJECT_ID: your project ID.
  • LOCATION: the region where your instances are located, such as us-central1.
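The recommendations.list call above covers one region and returns one page at a time. The following added example (not Google's code) builds that URL for several regions, follows nextPageToken, and keeps only recommendations still in the ACTIVE state. The function names are hypothetical, the x-goog-user-project header is an assumption for user credentials, and the sample response is constructed so the code runs offline.

```python
import json
import urllib.parse
import urllib.request

BASE = "https://recommender.googleapis.com/v1beta1"
RECOMMENDER = "google.alloydb.instance.SecurityRecommender"

def list_url(project, location, page_token=None):
    """Build this page's recommendations.list URL for one region."""
    params = {"filter": "recommenderSubtype=ENABLE_INSTANCE_PASSWORD_POLICY"}
    if page_token:
        params["pageToken"] = page_token
    return (f"{BASE}/projects/{project}/locations/{location}/recommenders/"
            f"{RECOMMENDER}/recommendations?{urllib.parse.urlencode(params)}")

def http_get_json(url, access_token, quota_project):
    """Real transport: authenticated GET that returns the decoded JSON body."""
    headers = {"Authorization": f"Bearer {access_token}", "x-goog-user-project": quota_project}
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def sweep(project, locations, get_json):
    """Follow nextPageToken per region; return (region, name) of ACTIVE results."""
    active = []
    for location in locations:
        page_token = None
        while True:
            body = get_json(list_url(project, location, page_token))
            for rec in body.get("recommendations", []):
                if rec.get("stateInfo", {}).get("state") == "ACTIVE":
                    active.append((location, rec["name"]))
            page_token = body.get("nextPageToken")
            if not page_token:
                break
    return active

# Constructed two-page response, keyed by pageToken, for an offline run.
SAMPLE = {
    None: {"nextPageToken": "p2", "recommendations": [
        {"name": "constructed-1", "stateInfo": {"state": "ACTIVE"}}]},
    "p2": {"recommendations": [
        {"name": "constructed-2", "stateInfo": {"state": "DISMISSED"}},
        {"name": "constructed-3", "stateInfo": {"state": "ACTIVE"}}]},
}

def fake_get_json(url):
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return SAMPLE[query.get("pageToken", [None])[0]]
```

For an offline run, call sweep("PROJECT_ID", ["us-central1"], fake_get_json). Against the live API, pass a function that wraps http_get_json with a token from gcloud auth print-access-token.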

View insights and detailed recommendations

You can view insights and detailed recommendations about instances that require enabling instance password policies using the Google Cloud console, gcloud CLI, or the Recommender API.

Console

To view insights and detailed recommendations about instances that require enabling instance password policies, click the recommendation link in the list of instances on the Clusters page.

gcloud CLI

To view insights and detailed recommendations about instances that require enabling instance password policies, run the gcloud recommender insights list command as follows:

gcloud recommender insights list \
--project=PROJECT_ID \
--location=LOCATION \
--insight-type=google.alloydb.instance.SecurityInsight \
--filter=insightSubtype=INSTANCE_PASSWORD_POLICY_NOT_ENABLED

Replace the following:

  • PROJECT_ID: your project ID.
  • LOCATION: a region where your instances are located, such as us-central1.

API

To view insights and detailed recommendations about instances that require enabling instance password policies using the Recommender API, call the insights.list method as follows:

GET https://recommender.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/insightTypes/google.alloydb.instance.SecurityInsight/insights?filter=insightSubtype=INSTANCE_PASSWORD_POLICY_NOT_ENABLED

Replace the following:

  • PROJECT_ID: your project ID.
  • LOCATION: a region where your instances are located, such as us-central1.

Apply the recommendation

To implement this recommendation, do the following:

  1. Click No password policy in the Issues column.
  2. In the Enable password policy window, click Edit instance.
  3. Set an instance password policy.
