Cloud CDN Global Backend Services Should Have Session Affinity

More Info:

Cloud CDN global backend services should have session affinity enabled.

Risk Level

Medium

Address

Operational Maturity, Performance Efficiency, Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration “Cloud CDN Global Backend Services Should Have Session Affinity” for GCP using GCP CLI, you can follow these steps:

Open the Cloud Shell in the GCP Console.
Run the following command to list all the backend services in your project:

gcloud compute backend-services list

Identify the backend service(s) that are used by your Cloud CDN.
Run the following command to update the backend service(s) and enable session affinity:

gcloud compute backend-services update [BACKEND_SERVICE_NAME] --session-affinity CLIENT_IP

Replace [BACKEND_SERVICE_NAME] with the name of the backend service you identified in step 3.

Verify that session affinity is enabled for the backend service(s) by running the following command:

gcloud compute backend-services describe [BACKEND_SERVICE_NAME] | grep sessionAffinity

This command should return the following output:

sessionAffinity: CLIENT_IP

This confirms that session affinity has been enabled for the backend service(s) used by your Cloud CDN.Note: Enabling session affinity may result in increased latency and decreased availability, depending on your workload. Therefore, it is important to evaluate the impact of this change before implementing it in a production environment.

Using Python

To remediate the misconfiguration “Cloud CDN Global Backend Services Should Have Session Affinity” for GCP using python, you can follow the below steps:

First, you need to authenticate with GCP using the below command:

from google.oauth2 import service_account
from googleapiclient.discovery import build

credentials = service_account.Credentials.from_service_account_file(
    'path/to/your/credentials.json'
)

service = build('compute', 'v1', credentials=credentials)

Next, you need to get the list of all global backend services using the below command:

project = 'your-project-id'
global_backend_services = service.backendServices().list(project=project).execute()

For each global backend service, you need to check if session affinity is enabled or not using the below command:

for service in global_backend_services['items']:
    service_name = service['name']
    service_info = service['sessionAffinitySettings']['affinityCookieTtlSec']
    if service_info == 0:
        print(f"Session affinity is not enabled for {service_name}")

If session affinity is not enabled for any global backend service, you can enable it using the below command:

for service in global_backend_services['items']:
    service_name = service['name']
    service_info = service['sessionAffinitySettings']['affinityCookieTtlSec']
    if service_info == 0:
        print(f"Enabling session affinity for {service_name}")
        body = {
            'sessionAffinitySettings': {
                'affinityType': 'GENERATED_COOKIE',
                'affinityCookieTtlSec': 3600
            }
        }
        service = service.backendServices().patch(
            project=project,
            backendService=service_name,
            body=body
        ).execute()

This will enable session affinity for all the global backend services which do not have it enabled.

Additional Reading:

https://cloud.google.com/load-balancing/docs/backend-service#session_affinity

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

Cloud CDN Global Backend Services Should Have Session Affinity

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: