GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
Cloud CDN Global Backend Services Failover Policy Should Be Enabled
More Info:
Ensure Cloud CDN global backend services have failover policy enabled.
Risk Level
High
Address
Operational Maturity, Performance Efficiency, Reliability, Security
Compliance Standards
CBP
Triage and Remediation
Remediation
To remediate the misconfiguration “Cloud CDN Global Backend Services Failover Policy Should Be Enabled” in GCP, please follow the below steps:
- Login to the GCP console (https://console.cloud.google.com/).
- Go to the Cloud CDN page by navigating to the “Navigation menu > Network Services > Cloud CDN”.
- Select the CDN resource for which you want to enable the failover policy.
- Under the “Backend configuration” section, click on the “Edit” button.
- Scroll down to the “Failover policy” section and click on the “Add failover endpoint” button.
- Enter the details of the failover endpoint, such as the IP address, port, and protocol.
- Click on the “Save” button to save the changes.
With these steps, you have successfully enabled the failover policy for the selected CDN resource in GCP.
To remediate the misconfiguration “Cloud CDN Global Backend Services Failover Policy Should Be Enabled” for GCP using GCP CLI, follow the below steps:
-
Open the Google Cloud Console and select the project in which you want to remediate the misconfiguration.
-
Open the Cloud Shell by clicking on the icon on the top right corner of the console.
-
In the Cloud Shell, run the following command to list the existing backend services:
gcloud compute backend-services list
-
Identify the backend service that is associated with the Cloud CDN.
-
Run the following command to enable the failover policy for the identified backend service:
gcloud compute backend-services update [BACKEND_SERVICE_NAME] --global-backend-service --failover-policy=ENABLE
Replace [BACKEND_SERVICE_NAME] with the name of the identified backend service.
- Verify that the failover policy is enabled by running the following command:
gcloud compute backend-services describe [BACKEND_SERVICE_NAME] --global
This command will display the details of the backend service, including the failover policy status.
By following these steps, you can remediate the misconfiguration “Cloud CDN Global Backend Services Failover Policy Should Be Enabled” for GCP using GCP CLI.
To remediate the misconfiguration “Cloud CDN Global Backend Services Failover Policy Should Be Enabled” for GCP using Python, follow the below steps:
Step 1: Import the required libraries and authenticate to GCP.
from google.oauth2 import service_account
from googleapiclient.discovery import build
# Set the credentials path for GCP
credentials = service_account.Credentials.from_service_account_file('credentials.json')
# Authenticate to GCP
service = build('compute', 'v1', credentials=credentials)
Step 2: Get the list of global backend services.
# Get the list of global backend services
backend_services = service.backendServices().list(project='your-project-id').execute()
Step 3: Loop through the backend services and check if the failover policy is enabled. If not, enable it.
for backend_service in backend_services['items']:
# Check if failover policy is enabled
if 'failoverPolicy' not in backend_service:
# Enable failover policy
backend_service['failoverPolicy'] = {
'disableConnectionDrainOnFailover': False,
'dropTrafficIfUnhealthy': False,
'failoverRatio': 0.5,
'status': 'ENABLED'
}
# Update the backend service with the failover policy
service.backendServices().patch(project='your-project-id', backendService=backend_service['name'], body=backend_service).execute()
Step 4: Verify if the failover policy is enabled for all the global backend services.
# Get the list of global backend services after enabling failover policy
backend_services = service.backendServices().list(project='your-project-id').execute()
# Loop through the backend services and verify if failover policy is enabled
for backend_service in backend_services['items']:
if 'failoverPolicy' not in backend_service:
print(f"Failover policy is not enabled for {backend_service['name']}")
else:
print(f"Failover policy is enabled for {backend_service['name']}")
By following these steps, the misconfiguration “Cloud CDN Global Backend Services Failover Policy Should Be Enabled” can be remediated for GCP using Python.