Event Information

  • The v1.compute.targetSslProxies.delete event in GCP for Compute refers to the deletion of a target SSL proxy resource.
  • This event indicates that a target SSL proxy, which is responsible for terminating SSL/TLS connections for a specific target HTTPS proxy, has been deleted.
  • When this event occurs, any existing SSL certificates associated with the target SSL proxy will also be removed.

Examples

  • Unauthorized deletion of target SSL proxies: If security is impacted with v1.compute.targetSslProxies.delete in GCP for Compute, it could potentially allow unauthorized individuals to delete target SSL proxies. This could lead to disruption of secure communication between clients and backend services, potentially exposing sensitive data or allowing for man-in-the-middle attacks.

  • Misconfiguration leading to unintended deletion: If security is impacted with v1.compute.targetSslProxies.delete in GCP for Compute, misconfiguration of access controls or permissions could result in unintended deletion of target SSL proxies. This could lead to service disruptions, loss of availability, and potential security vulnerabilities.

  • Lack of audit trail and accountability: If security is impacted with v1.compute.targetSslProxies.delete in GCP for Compute, the lack of proper logging and monitoring could make it difficult to track and attribute the deletion of target SSL proxies. This can hinder incident response efforts, compromise forensic investigations, and make it challenging to enforce accountability for security incidents.

Remediation

Using Console

To remediate the issues mentioned in the previous response for GCP Compute using the GCP console, you can follow these step-by-step instructions:

  1. Restricting SSH access:

    • Go to the GCP Console and navigate to the Compute Engine section.
    • Select the instance for which you want to restrict SSH access.
    • Click on the “Edit” button at the top of the page.
    • Scroll down to the “Firewalls” section and click on “Add firewall rule”.
    • Provide a name for the firewall rule and set the “Targets” to “All instances in the network”.
    • In the “Source IP ranges” field, enter the IP range from which you want to allow SSH access (e.g., your organization’s IP range).
    • Set the “Protocols and ports” to allow SSH (port 22) traffic.
    • Click on the “Create” button to save the firewall rule.

  2. Enabling VPC Flow Logs:

    • Go to the GCP Console and navigate to the VPC Network section.
    • Select the VPC network for which you want to enable flow logs.
    • Click on the “Edit” button at the top of the page.
    • Scroll down to the “Flow logs” section and click on “Add flow log”.
    • Provide a name for the flow log and select the desired configuration options (e.g., sampling rate, metadata inclusion).
    • Choose the desired destination for the flow logs (e.g., Stackdriver Logging, Cloud Storage).
    • Click on the “Create” button to enable flow logs for the VPC network.

  3. Implementing IAM best practices:

    • Go to the GCP Console and navigate to the IAM & Admin section.
    • Select the project for which you want to implement IAM best practices.
    • Click on the “IAM” tab to view the IAM roles and permissions.
    • Review the existing IAM roles and identify any unnecessary or overly permissive roles.
    • Remove any unnecessary roles and adjust the permissions of existing roles to follow the principle of least privilege.
    • Consider creating custom IAM roles with specific permissions tailored to the needs of different users or groups.
    • Regularly review and audit the IAM roles and permissions to ensure they align with the organization’s security requirements.

Using CLI

  1. Enable VPC Flow Logs for GCP Compute instances:

    • Use the following command to enable VPC Flow Logs for a specific subnet: 
      gcloud compute networks subnets update [SUBNET_NAME] --enable-flow-logs

  2. Implement VPC Service Controls for GCP Compute instances:

    • Create a VPC Service Perimeter to restrict access to Compute instances: 
      gcloud access-context-manager perimeters create [PERIMETER_NAME] --resources=projects/[PROJECT_ID]/locations/[LOCATION]/subnetworks/[SUBNET_NAME] --restricted-services=compute.googleapis.com
    • Attach the VPC Service Perimeter to the project: 
      gcloud access-context-manager perimeters update [PERIMETER_NAME] --add-access-levels=[ACCESS_LEVEL_NAME] --add-ingress-policies=[INGRESS_POLICY_NAME]

  3. Implement Cloud Security Command Center (Cloud SCC) for GCP Compute instances:

    • Enable Cloud SCC for the project: 
      gcloud services enable securitycenter.googleapis.com
    • Create a new security source for Compute instances: 
      gcloud scc create-source [SOURCE_ID] --display-name=[DISPLAY_NAME] --source-type=google_cloud_platform --resource-name=//compute.googleapis.com/projects/[PROJECT_ID]
    • Verify that the security source is created successfully: 
      gcloud scc sources describe [SOURCE_ID]

Using Python

To remediate the issues mentioned in the previous response for GCP Compute using Python, you can use the following approaches:

  1. Enforce secure OS configurations:

    • Use the google-cloud-sdk library to retrieve the list of GCP Compute instances.
    • Iterate through each instance and check the OS configuration settings.
    • Use the googleapiclient library to update the instance settings and enforce secure configurations.
    • Example Python script: 
      from google.cloud import compute_v1

def enforce_secure_os_config(project_id):
    compute_client = compute_v1.InstancesClient()
    instances = compute_client.list(project=project_id)
    
    for instance in instances:
        # Check OS configuration settings
        if instance.os_config.secure_boot == False:
            # Update instance settings to enforce secure boot
            instance.os_config.secure_boot = True
            compute_client.update(project=project_id, instance=instance)

  2. Implement network security controls:

    • Use the google-cloud-sdk library to retrieve the list of GCP Compute instances.
    • Iterate through each instance and check the network security controls.
    • Use the googleapiclient library to update the instance settings and implement necessary network security controls.
    • Example Python script: 
      from google.cloud import compute_v1

def implement_network_security_controls(project_id):
    compute_client = compute_v1.InstancesClient()
    instances = compute_client.list(project=project_id)
    
    for instance in instances:
        # Check network security controls
        if instance.network_config.firewall_rules == []:
            # Add necessary firewall rules
            firewall_rule = compute_v1.FirewallRule(...)
            compute_client.insert(project=project_id, firewall_rule=firewall_rule)

  3. Enable logging and monitoring:

    • Use the google-cloud-sdk library to retrieve the list of GCP Compute instances.

    • Iterate through each instance and enable logging and monitoring.

    • Use the googleapiclient library to update the instance settings and enable necessary logging and monitoring.

    • Example Python script:

      from google.cloud import compute_v1

def enable_logging_and_monitoring(project_id):
    compute_client = compute_v1.InstancesClient()
    instances = compute_client.list(project=project_id)
    
    for instance in instances:
        # Enable logging and monitoring
        instance.logging_config.enable = True
        instance.monitoring_config.enable = True
        compute_client.update(project=project_id, instance=instance)