Improve instance security by setting password policies
Stay organized with collections
Save and categorize content based on your preferences.
This page describes the AlloyDB password policy Recommender
which helps you identify instances without a password policy, enforce strong passwords, and meet compliance requirements.
The AlloyDB password policy Recommender immediately detects instances that don't
have an instance password policy enabled and provides insights and
recommendations to improve your instance security.
Recommendations are generated daily.
Pricing
The AlloyDB password policy Recommender
is available free of cost to all Google Cloud customers.
For more information, see Recommender pricing.
Before you begin
Before you can view recommendations and insights, you must do the following:
GET https://recommender.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION/recommenders/google.alloydb.instance.SecurityRecommender/recommendations?filter=recommenderSubtype=ENABLE_INSTANCE_PASSWORD_POLICY
Replace the following:
PROJECT_ID: your project ID.
LOCATION: the region where your instances are located, such as us-central1.
View insights and detailed recommendations
You can view insights and detailed recommendations about instances
that require enabling instance password policies using the Google Cloud console,
gcloud CLI, or the Recommender API.
Console
To view insights and detailed recommendations about instances that require enabling instance password policies, click the recommendation link in the list of instances on the Clusters page.
gcloud CLI
To view insights and detailed recommendations about instances that require enabling instance password policies, run the
gcloud recommender insights list
command as follows:
LOCATION: a region where your instances are located, such as us-central1.
API
To view insights and detailed recommendations about instances that require enabling instance password policies, using the
Recommendations API, call the
insights.list
method as follows:
GET https://recommender.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/insightTypes/google.alloydb.instance.SecurityInsight/insights?filter=insightSubtype=INSTANCE_PASSWORD_POLICY_NOT_ENABLED
Replace the following:
PROJECT_ID: your project ID.
LOCATION: a region where your instances are located, such as us-central1.
Apply the recommendation
To implement this recommendation, do the following:
Click No password policy in the Issues column.
In the Enable password policy window, click Edit instance.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[],[],null,["# Improve instance security by setting password policies\n\nThis page describes the AlloyDB password policy [Recommender](/recommender/docs/overview)\nwhich helps you identify instances without a password policy, enforce strong passwords, and meet compliance requirements.\n\nThe AlloyDB password policy Recommender immediately detects instances that don't\nhave an instance password policy enabled and provides insights and\nrecommendations to improve your instance security.\n\nRecommendations are generated daily.\n\nPricing\n-------\n\nThe AlloyDB password policy Recommender\nis available free of cost to all Google Cloud customers.\nFor more information, see [Recommender pricing](/recommender/pricing).\n\nBefore you begin\n----------------\n\nBefore you can view recommendations and insights, you must do the following:\n\n- Ensure that you [enable the Recommender API](/recommender/docs/enabling).\n\n- To get the permissions to view and work with insights and recommendations,\n ensure that you have the required [Identity and Access Management (IAM) roles](/alloydb/docs/reference/iam-roles-permissions).\n\n \u003cbr /\u003e\n\n See [Grant access to other users](/alloydb/docs/user-grant-access) for more information.\n\nList the recommendations\n------------------------\n\nYou can list the password policy recommendations\nusing the Google Cloud console, `gcloud CLI`, or the Recommender API. \n\n### Console\n\nTo list password policy recommendations using the\nGoogle Cloud console, follow these steps:\n\n1. In the Google Cloud console, go to the AlloyDB **Clusters** page.\n\n [Go to Clusters](https://console.cloud.google.com/alloydb/clusters)\n\n For more information, see\n [Getting started with Recommendation Hub](/recommender/docs/recommendation-hub/identify-configuration-problems).\n2. In the **Security** card, click **No password policy**.\n\n3. Under the **Resources** table, select instances with the **No password policy** recommendation.\n\n### gcloud CLI\n\nTo list password policy recommendations using gcloud CLI, run the\n[`gcloud recommender recommendations list`](/sdk/gcloud/reference/recommender/recommendations/list)\ncommand as follows: \n\n```\ngcloud recommender recommendations list \\\n--project=PROJECT_ID \\\n--location=LOCATION \\\n--recommender=google.alloydb.instance.SecurityRecommender \\\n--filter=recommenderSubtype=ENABLE_INSTANCE_PASSWORD_POLICY\n```\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e: your project ID.\n- \u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e: the region where your instances are located, such as `us-central1`.\n\n### API\n\nTo list password policy recommendations using the\n[Recommendations API](/recommender/docs/using-api), call the\n[`recommendations.list`](/recommender/docs/reference/rest/v1/projects.locations.recommenders.recommendations/list)\nmethod as follows: \n\n```\nGET https://recommender.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION/recommenders/google.alloydb.instance.SecurityRecommender/recommendations?filter=recommenderSubtype=ENABLE_INSTANCE_PASSWORD_POLICY\n```\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e: your project ID.\n- \u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e: the region where your instances are located, such as `us-central1`.\n\nView insights and detailed recommendations\n------------------------------------------\n\nYou can view insights and detailed recommendations about instances\nthat require enabling instance password policies using the Google Cloud console,\n`gcloud CLI`, or the Recommender API. \n\n### Console\n\nTo view insights and detailed recommendations about instances that require enabling instance password policies, click the recommendation link in the list of instances on the **Clusters** page.\n\n### gcloud CLI\n\nTo view insights and detailed recommendations about instances that require enabling instance password policies, run the\n[`gcloud recommender insights list`](/sdk/gcloud/reference/recommender/insights/list)\ncommand as follows: \n\n```\ngcloud recommender insights list \\\n--project=PROJECT_ID \\\n--location=LOCATION \\\n--insight-type=google.alloydb.instance.SecurityInsight \\\n--filter=insightSubtype=INSTANCE_PASSWORD_POLICY_NOT_ENABLED\n```\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e: your project ID.\n- \u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e: a region where your instances are located, such as `us-central1`.\n\n### API\n\nTo view insights and detailed recommendations about instances that require enabling instance password policies, using the\n[Recommendations API](/recommender/docs/using-api), call the\n[`insights.list`](/recommender/docs/reference/rest/v1/projects.locations.insightTypes.insights/list)\nmethod as follows: \n\n```\nGET https://recommender.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/insightTypes/google.alloydb.instance.SecurityInsight/insights?filter=insightSubtype=INSTANCE_PASSWORD_POLICY_NOT_ENABLED\n```\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e: your project ID.\n- \u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e: a region where your instances are located, such as `us-central1`.\n\nApply the recommendation\n------------------------\n\nTo implement this recommendation, do the following:\n\n1. Click **No password policy** in the **Issues** column.\n2. In the **Enable password policy** window, click **Edit instance**.\n3. [Set an instance password policy](/alloydb/docs/database-users/manage-password-policy#set-password-policy).\n\n| **Note:** You must carefully evaluate the recommendation before you update the instance. Applying recommendations impacts your pricing.\n\nWhat's next\n-----------\n\n- [Google Cloud recommenders](/recommender/docs/recommenders)"]]
