GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
Cloud Monitoring Should Mask Headers For HTTPS Requests
More Info:
Ensure that GCP Cloud Monitoring mask the headers of HTTPS requests while checking backend resources health.
Risk Level
Medium
Address
Security
Compliance Standards
CBP
Triage and Remediation
Remediation
To remediate the misconfiguration “Cloud Monitoring Should Mask Headers For HTTPS Requests” for GCP using GCP console, you can follow the below steps:
-
Open the GCP console and navigate to the Cloud Monitoring page.
-
Click on the “Uptime Checks” option on the left-hand side menu.
-
Select the HTTPS uptime check for which you want to mask headers.
-
Click on the “Edit” button to edit the uptime check.
-
Under the “Request” section, click on the “Add Header” button to add a new header.
-
Enter the header name as “X-Goog-Monitoring-Mask-Headers” and the header value as a comma-separated list of headers that you want to mask.
-
Save the changes by clicking on the “Save” button.
-
Verify that the headers are masked by checking the monitoring logs.
By following the above steps, you can remediate the misconfiguration “Cloud Monitoring Should Mask Headers For HTTPS Requests” for GCP using GCP console.
To remediate the “Cloud Monitoring Should Mask Headers For HTTPS Requests” misconfiguration for GCP using GCP CLI, follow these steps:
-
Open the Google Cloud Console and go to the Cloud Shell.
-
Run the following command to enable the Cloud Monitoring API:
gcloud services enable monitoring.googleapis.com
- Run the following command to create a new metric descriptor for masking headers:
gcloud monitoring metric-descriptors create "custom.googleapis.com/https/masked_headers" --type=custom.googleapis.com/https/masked_headers --metric-kind=GAUGE --value-type=BOOL --description="Indicates whether headers are masked for HTTPS requests."
- Run the following command to create a new alert policy that will trigger when the “masked_headers” metric is false:
gcloud alpha monitoring policies create --display-name="HTTPS Masked Headers Alert" --conditions="metric.type=\"custom.googleapis.com/https/masked_headers\" AND metric.bool_value=false" --notification-channels=<your-notification-channel>
Make sure to replace <your-notification-channel> with the name or ID of the notification channel you want to use.
- Run the following command to verify that the alert policy was created successfully:
gcloud alpha monitoring policies list
You should see the “HTTPS Masked Headers Alert” policy listed.
By following these steps, you have remediated the “Cloud Monitoring Should Mask Headers For HTTPS Requests” misconfiguration for GCP using GCP CLI.
To remediate the misconfiguration “Cloud Monitoring Should Mask Headers For HTTPS Requests” for GCP using Python, you can follow the below steps:
Step 1: Install the necessary libraries and authenticate to GCP using the following commands:
!pip install google-cloud-monitoring google-auth google-auth-oauthlib google-auth-httplib2
from google.oauth2 import service_account
credentials = service_account.Credentials.from_service_account_file('<path_to_service_account_key_file>')
Step 2: Create a client object for Cloud Monitoring API:
from google.cloud import monitoring_v3
client = monitoring_v3.MetricServiceClient(credentials=credentials)
Step 3: Define the metric descriptor for masking headers:
metric_descriptor = monitoring_v3.types.MetricDescriptor()
metric_descriptor.type = 'custom.googleapis.com/http_masked_headers'
metric_descriptor.metric_kind = monitoring_v3.enums.MetricDescriptor.MetricKind.GAUGE
metric_descriptor.value_type = monitoring_v3.enums.MetricDescriptor.ValueType.BOOL
metric_descriptor.description = 'Indicates whether headers in HTTPS requests are masked'
metric_descriptor.display_name = 'HTTPS Masked Headers'
Step 4: Create the metric descriptor using the client object:
project_name = 'projects/<project_id>'
response = client.create_metric_descriptor(name=project_name, metric_descriptor=metric_descriptor)
Step 5: Verify that the metric descriptor has been created successfully:
print(response)
Step 6: Create a time series for the metric:
series = monitoring_v3.types.TimeSeries()
series.metric.type = 'custom.googleapis.com/http_masked_headers'
series.resource.type = 'global'
series.value.bool_value = True
series.metric.labels['method'] = 'https'
Step 7: Write the time series to Cloud Monitoring API:
client.create_time_series(name=project_name, time_series=[series])
Step 8: Verify that the time series has been created successfully:
print('Time series created: {}'.format(series))
After completing these steps, the misconfiguration “Cloud Monitoring Should Mask Headers For HTTPS Requests” should be remediated for GCP using Python.