GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
Cloud CDN Regional Urlmaps Should Accept Https Connections Only
More Info:
Cloud CDN regional url maps should be configured to block HTTP connection and allow only HTTPS connections.
Risk Level
High
Address
Security
Compliance Standards
GDPR, PCIDSS, NIST, HITRUST, SOC2, NISTCSF
Triage and Remediation
Remediation
To remediate this misconfiguration in GCP using GCP console, you can follow the below steps:
-
Open the GCP console and navigate to the Cloud CDN page.
-
Click on the name of the CDN you want to remediate.
-
Click on the “Url maps” tab.
-
Select the URL map which you want to remediate.
-
Click on the “Edit” button at the top of the page.
-
In the “Host and path rules” section, select the rule which you want to remediate.
-
In the “Backend service” section, click on the “Advanced” dropdown.
-
Under “Frontend protocol”, select “HTTPS only”.
-
Click on the “Save” button to save the changes.
-
Repeat steps 6-9 for all the rules in the URL map.
-
Verify that the CDN regional URL maps are now accepting HTTPS connections only by testing it.
By following these steps, you can remediate the misconfiguration of accepting HTTP connections in Cloud CDN regional URL maps in GCP using GCP console.
To remediate the Cloud CDN Regional Urlmaps to accept HTTPS connections only on GCP using GCP CLI, you can follow these steps:
-
Open the Cloud Shell in the GCP Console.
-
Run the following command to list all the existing Cloud CDN UrlMaps:
gcloud compute url-maps list
- Identify the name of the UrlMap that needs to be updated and run the following command to describe the details of the UrlMap:
gcloud compute url-maps describe [URL_MAP_NAME]
- Identify the name of the backend service associated with the UrlMap and run the following command to describe the details of the backend service:
gcloud compute backend-services describe [BACKEND_SERVICE_NAME]
- Identify the name of the health check associated with the backend service and run the following command to describe the details of the health check:
gcloud compute health-checks describe [HEALTH_CHECK_NAME]
- If the health check is not already configured to use HTTPS, update the health check to use HTTPS by running the following command:
gcloud compute health-checks update [HEALTH_CHECK_NAME] --use-https
- Update the UrlMap to accept HTTPS connections only by running the following command:
gcloud compute url-maps update [URL_MAP_NAME] --default-service [BACKEND_SERVICE_NAME] --ssl-policy=global-ssl-policy
Note: The global-ssl-policy is a built-in SSL policy that enforces HTTPS connections only.
- Verify that the changes have been applied by running the following command:
gcloud compute url-maps describe [URL_MAP_NAME]
The output should show that the sslPolicy is set to global-ssl-policy.
That’s it! You have successfully remediated the Cloud CDN Regional Urlmaps to accept HTTPS connections only on GCP using GCP CLI.
To remediate the misconfiguration of Cloud CDN Regional Urlmaps accepting only HTTPS connections in GCP using Python, you can follow the below steps:
- First, you need to install the Google Cloud SDK and authenticate to your GCP project using the command:
gcloud auth login
- Next, you need to install the required Python libraries using the command:
pip install google-cloud-cdn
- After that, you can use the following Python code to remediate the misconfiguration:
from google.cloud import cdn_v1beta1
from google.protobuf.field_mask_pb2 import FieldMask
client = cdn_v1beta1.UrlMapsClient()
# Replace [PROJECT_ID] with your GCP project ID
project_id = '[PROJECT_ID]'
# Replace [REGION] with the region where the urlmap is located
region = '[REGION]'
# Replace [URLMAP_NAME] with the name of the urlmap
urlmap_name = '[URLMAP_NAME]'
urlmap = client.get_url_map(request={'project_id': project_id, 'region': region, 'url_map': urlmap_name})
# Update the urlmap to accept only HTTPS connections
urlmap.default_url_redirect.https_redirect = True
# Update the urlmap using the FieldMask to only modify the https_redirect field
field_mask = FieldMask(paths=['default_url_redirect.https_redirect'])
client.update_url_map(request={'url_map': urlmap, 'update_mask': field_mask})
- Finally, you can run the above Python code to remediate the misconfiguration of Cloud CDN Regional Urlmaps accepting only HTTPS connections in GCP.
Note: You need to replace the placeholders [PROJECT_ID], [REGION], and [URLMAP_NAME] with your GCP project ID, the region where the urlmap is located, and the name of the urlmap, respectively.