GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
Cloud CDN Global Backend Services Should Have Session Affinity
More Info:
Cloud CDN global backend services should have session affinity enabled.
Risk Level
Medium
Address
Operational Maturity, Performance Efficiency, Security
Compliance Standards
CBP
Triage and Remediation
Remediation
To remediate the misconfiguration “Cloud CDN Global Backend Services Should Have Session Affinity” in GCP using GCP console, follow the below steps:
- Open the Google Cloud Console and select the project you want to work with.
- Go to the Navigation menu and select “Network Services” and then select “Cloud CDN”.
- In the Cloud CDN page, select the name of the backend service that you want to remediate.
- In the backend service page, click on the “Edit” button on the top of the page.
- In the “Edit backend service” page, scroll down to the “Session affinity” section.
- Select the “Client IP and protocol” option from the drop-down menu for “Session affinity”.
- Click on the “Save” button to save the changes.
By following the above steps, you have successfully remediated the misconfiguration “Cloud CDN Global Backend Services Should Have Session Affinity” in GCP using GCP console.
To remediate the misconfiguration “Cloud CDN Global Backend Services Should Have Session Affinity” for GCP using GCP CLI, you can follow these steps:
-
Open the Cloud Shell in the GCP Console.
-
Run the following command to list all the backend services in your project:
gcloud compute backend-services list
-
Identify the backend service(s) that are used by your Cloud CDN.
-
Run the following command to update the backend service(s) and enable session affinity:
gcloud compute backend-services update [BACKEND_SERVICE_NAME] --session-affinity CLIENT_IP
Replace [BACKEND_SERVICE_NAME] with the name of the backend service you identified in step 3.
- Verify that session affinity is enabled for the backend service(s) by running the following command:
gcloud compute backend-services describe [BACKEND_SERVICE_NAME] | grep sessionAffinity
This command should return the following output:
sessionAffinity: CLIENT_IP
This confirms that session affinity has been enabled for the backend service(s) used by your Cloud CDN.
Note: Enabling session affinity may result in increased latency and decreased availability, depending on your workload. Therefore, it is important to evaluate the impact of this change before implementing it in a production environment.
To remediate the misconfiguration “Cloud CDN Global Backend Services Should Have Session Affinity” for GCP using python, you can follow the below steps:
- First, you need to authenticate with GCP using the below command:
from google.oauth2 import service_account
from googleapiclient.discovery import build
credentials = service_account.Credentials.from_service_account_file(
'path/to/your/credentials.json'
)
service = build('compute', 'v1', credentials=credentials)
- Next, you need to get the list of all global backend services using the below command:
project = 'your-project-id'
global_backend_services = service.backendServices().list(project=project).execute()
- For each global backend service, you need to check if session affinity is enabled or not using the below command:
for service in global_backend_services['items']:
service_name = service['name']
service_info = service['sessionAffinitySettings']['affinityCookieTtlSec']
if service_info == 0:
print(f"Session affinity is not enabled for {service_name}")
- If session affinity is not enabled for any global backend service, you can enable it using the below command:
for service in global_backend_services['items']:
service_name = service['name']
service_info = service['sessionAffinitySettings']['affinityCookieTtlSec']
if service_info == 0:
print(f"Enabling session affinity for {service_name}")
body = {
'sessionAffinitySettings': {
'affinityType': 'GENERATED_COOKIE',
'affinityCookieTtlSec': 3600
}
}
service = service.backendServices().patch(
project=project,
backendService=service_name,
body=body
).execute()
This will enable session affinity for all the global backend services which do not have it enabled.