GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
Cloud CDN Global Backend Services Should Use Secure Listeners Only
More Info:
Cloud CDN global backend services should use only the secure listeners. A listener is a process that checks for connection requests, using the protocol and port that you configure.
Risk Level
Medium
Address
Security
Compliance Standards
SOC2
Triage and Remediation
Remediation
To remediate the misconfiguration “Cloud CDN Global Backend Services Should Use Secure Listeners Only” in GCP using GCP console, you can follow the below steps:
-
Open the GCP console and navigate to the Cloud CDN page.
-
Select the Global Backend Services option from the left-hand menu.
-
Select the backend service that you want to configure for secure listeners.
-
Click on the Edit button at the top of the page.
-
Scroll down to the Protocol section and select HTTPS from the drop-down menu.
-
In the Certificate section, select the SSL certificate that you want to use for the secure listener.
-
Click on the Save button to save the changes.
-
Verify that the secure listener is configured correctly by testing the connection to the backend service using HTTPS.
By following these steps, you can successfully remediate the misconfiguration “Cloud CDN Global Backend Services Should Use Secure Listeners Only” in GCP using GCP console.
To remediate the misconfiguration “Cloud CDN Global Backend Services Should Use Secure Listeners Only” for GCP using GCP CLI, follow these steps:
-
Open the Google Cloud Console and select the project where the misconfiguration exists.
-
Open the Cloud Shell by clicking on the icon located at the top right corner of the console.
-
In the Cloud Shell, run the following command to list all the global backend services:
gcloud compute backend-services list
-
Identify the global backend service that needs to be remediated and note its name.
-
Run the following command to update the global backend service to use secure listeners only:
gcloud compute backend-services update <BACKEND_SERVICE_NAME> --global --enable-cdn-ssl
Replace <BACKEND_SERVICE_NAME>
with the name of the global backend service identified in step 4.
- Verify that the global backend service has been updated to use secure listeners only by running the following command:
gcloud compute backend-services describe <BACKEND_SERVICE_NAME> --global
This command will display the details of the global backend service, including its configuration.
- Repeat steps 4-6 for all the global backend services that need to be remediated.
By following these steps, you can remediate the misconfiguration “Cloud CDN Global Backend Services Should Use Secure Listeners Only” for GCP using GCP CLI.
To remediate the misconfiguration “Cloud CDN Global Backend Services Should Use Secure Listeners Only” for GCP using Python, you can follow these steps:
- Import the necessary libraries:
from googleapiclient import discovery
from oauth2client.client import GoogleCredentials
- Authenticate and create a client object:
credentials = GoogleCredentials.get_application_default()
service = discovery.build('compute', 'v1', credentials=credentials)
- Get the list of backend services:
project = 'your-project-id'
zone = 'your-zone'
request = service.backendServices().list(project=project, zone=zone)
response = request.execute()
backend_services = response['items']
- Iterate through the list of backend services and update the backend service to use secure listeners only:
for backend_service in backend_services:
backend_service_name = backend_service['name']
backend_service_url_map = backend_service['backends'][0]['group']
request = service.backendServices().get(project=project, backendService=backend_service_name, zone=zone)
response = request.execute()
backend_service = response
if 'sslSettings' not in backend_service:
backend_service['sslSettings'] = {}
backend_service['sslSettings']['sslCertificates'] = []
backend_service['sslSettings']['customCertificateHeaders'] = []
backend_service['sslSettings']['backendServiceProtocol'] = 'HTTPS'
request = service.backendServices().update(project=project, backendService=backend_service_name, body=backend_service, zone=zone)
response = request.execute()
print(f"Backend service {backend_service_name} updated to use secure listeners only.")
This code will update all the backend services in the specified project and zone to use secure listeners only.