More Info:

Cloud CDN global url maps should be configured to block HTTP connection and allow only HTTPS connections.

Risk Level

High

Address

Security

Compliance Standards

GDPR, PCIDSS, NIST, HITRUST, NISTCSF, SOC2

Triage and Remediation

Remediation

Using Console

To remediate this misconfiguration for GCP using the GCP console, follow these steps:
  1. Open the GCP console and navigate to the Cloud CDN page.
  2. Select the Global URL Maps tab.
  3. Click on the name of the URL map that you want to modify.
  4. Click on the Edit button at the top of the page.
  5. In the Edit URL map page, scroll down to the Host and Path Rules section.
  6. Click on the Add Host and Path Rule button.
  7. In the new rule, set the Host to ”*” to match all hosts.
  8. Set the Path to ”/*” to match all paths.
  9. Set the Backend service to the appropriate backend service for your application.
  10. Under the Protocol section, select HTTPS from the dropdown menu.
  11. Click on the Save button to save the changes.
Once you have completed these steps, your Global URL Map will only accept HTTPS connections. Any HTTP connections will be rejected.

To remediate the misconfiguration of Cloud CDN Global Urlmaps accepting only HTTPS connections in GCP using GCP CLI, follow the below steps:Step 1: Open the Google Cloud Console and select the project where the Cloud CDN is configured.Step 2: Open the Cloud Shell by clicking on the icon in the top right corner of the console.Step 3: Run the following command to list all the existing URL maps in the project:
gcloud compute url-maps list
Step 4: Identify the URL map that needs to be remediated.Step 5: Run the following command to update the URL map to accept only HTTPS connections:
gcloud compute url-maps update [URL_MAP_NAME] --default-service [BACKEND_SERVICE_NAME] --ssl-policy=global-ssl-policy
Replace [URL_MAP_NAME] with the name of the URL map that needs to be updated and [BACKEND_SERVICE_NAME] with the name of the backend service associated with the URL map.Step 6: Verify that the URL map has been updated successfully by running the following command:
gcloud compute url-maps describe [URL_MAP_NAME]
This command should return the updated URL map configuration, which should include the “sslPolicy” field set to “global-ssl-policy”.By following these steps, you can remediate the misconfiguration of Cloud CDN Global Urlmaps accepting only HTTPS connections in GCP using GCP CLI.
To remediate the misconfiguration “Cloud CDN Global Urlmaps Should Accept Https Connections Only” for GCP using Python, you can follow the below steps:
  1. Install the required packages:
!pip install google-cloud-cdn
!pip install google-auth google-auth-oauthlib google-auth-httplib2
  1. Authenticate with GCP:
from google.oauth2 import service_account
from google.cloud import cdn_v1beta1

credentials = service_account.Credentials.from_service_account_file('path/to/service_account.json')
client = cdn_v1beta1.GlobalForwardingRulesClient(credentials=credentials)
  1. Get the list of existing global URL maps:
project_id = 'your-project-id'
location = 'global'

parent = f'projects/{project_id}/locations/{location}'
url_maps = client.list_url_maps(parent=parent)
  1. For each URL map, check if it has an HTTPS forwarding rule:
for url_map in url_maps:
    https_forwarding_rule = None
    for forwarding_rule in url_map.host_rules[0].path_matchers[0].route_rules[0].forward_action.https_redirect.action:
        if forwarding_rule.https_redirect:
            https_forwarding_rule = forwarding_rule
            break
    if not https_forwarding_rule:
        print(f'URL map "{url_map.name}" does not have an HTTPS forwarding rule')
  1. If a URL map does not have an HTTPS forwarding rule, update it:
for url_map in url_maps:
    https_forwarding_rule = None
    for forwarding_rule in url_map.host_rules[0].path_matchers[0].route_rules[0].forward_action.https_redirect.action:
        if forwarding_rule.https_redirect:
            https_forwarding_rule = forwarding_rule
            break
    if not https_forwarding_rule:
        url_map.host_rules[0].path_matchers[0].route_rules[0].forward_action.https_redirect.action.append(
                cdn_v1beta1.HttpsRedirectAction())
        client.update_url_map(url_map=url_map, update_mask=['host_rules.path_matchers.route_rules.forward_action.https_redirect.action'])
        print(f'URL map "{url_map.name}" has been updated to only accept HTTPS connections')
By following these steps, you can remediate the misconfiguration “Cloud CDN Global Urlmaps Should Accept Https Connections Only” for GCP using Python.

Additional Reading: