Cloud CDN Regional Backend Services Should Use Secure Listeners Only
More Info:
Cloud CDN regional backend services should use only secure listeners. A listener is the process that accepts connection requests on the protocol and port you configure for the backend service. With HTTPS, traffic between the load balancer and the backends is encrypted in transit; with HTTP it travels in plaintext.
Risk Level
Medium
Address
Security
Compliance Standards
SOC2
Triage and Remediation
Remediation
To remediate the “Cloud CDN Regional Backend Services Should Use Secure Listeners Only” misconfiguration in GCP using the GCP console, please follow the below steps:
- Open the Google Cloud Console and select the project in which the Cloud CDN has been configured.
- In the left-hand side menu, click on “Cloud CDN”.
- In the Cloud CDN dashboard, click on the name of the CDN you want to modify.
- In the CDN details page, click on the “Backend configuration” tab.
- In the “Backend configuration” tab, click on the “Edit” button.
- In the “Edit backend configuration” page, scroll down to the “Backend service” section.
- In the “Backend service” section, click on the “Edit” button.
- In the “Edit backend service” page, scroll down to the “Protocol” section.
- In the “Protocol” section, select “HTTPS” from the drop-down list.
- In the same section, select the “Port number” as per your requirement.
- Click on the “Save” button to save the changes.
- Repeat steps 5-11 for all the backend services used by the CDN.
By following the above steps, you have successfully remediated the “Cloud CDN Regional Backend Services Should Use Secure Listeners Only” misconfiguration in GCP using the GCP console.
To remediate the misconfiguration “Cloud CDN Regional Backend Services Should Use Secure Listeners Only” for GCP using the GCP CLI, you can follow the below steps:
- Open the Cloud Shell in your GCP console.
- Run the following command to list all the backend services in your project:
```
gcloud compute backend-services list
```
- Identify the backend service that needs to be remediated and note down its name.
- Run the following command to update the backend service and enable secure listeners:
```
gcloud compute backend-services update <BACKEND_SERVICE_NAME> --enable-cdn --protocol HTTPS --global
```
Replace <BACKEND_SERVICE_NAME> with the actual name of the backend service that needs to be remediated. For a regional backend service, use `--region <REGION>` in place of `--global`.
- Verify the configuration by running the following command:
```
gcloud compute backend-services describe <BACKEND_SERVICE_NAME> --global
```
This command displays the details of the backend service, including the protocol and port used for the listener; confirm that the protocol is now HTTPS.
- Repeat the above steps for all the backend services in your project that need to be remediated.
By following the above steps, you can remediate the misconfiguration “Cloud CDN Regional Backend Services Should Use Secure Listeners Only” for GCP using the GCP CLI.
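As an added example (not part of the original page), the following script audits the JSON output of `gcloud compute backend-services list --format=json` offline: it flags CDN-enabled backend services whose listener is not HTTPS and emits the update command from the steps above, choosing `--region` for regional services and `--global` otherwise. The sample input is constructed; the project, service names and region are placeholders.

```python
import json

# Constructed sample of `gcloud compute backend-services list --format=json`
# output (not real project data): a regional CDN backend on plain HTTP, a
# compliant global CDN backend, and a non-CDN service the check must ignore.
SAMPLE_LIST_JSON = json.dumps([
    {"name": "web-static", "protocol": "HTTP", "port": 80, "enableCDN": True,
     "region": "https://www.googleapis.com/compute/v1/projects/demo/regions/us-central1"},
    {"name": "web-api", "protocol": "HTTPS", "port": 443, "enableCDN": True},
    {"name": "internal-http", "protocol": "HTTP", "port": 80, "enableCDN": False},
])

SECURE_PROTOCOLS = {"HTTPS"}  # listener protocols the check accepts (page requires HTTPS)

def scope_flag(service):
    """gcloud scope flag: regional backend services carry a `region` URL in the
    resource; global ones do not and take the page's `--global` flag."""
    region = service.get("region")
    if region:
        return "--region=" + region.rstrip("/").rsplit("/", 1)[-1]
    return "--global"

def find_insecure_cdn_backends(list_json):
    """Return (name, protocol, scope_flag) for each CDN-enabled backend service
    whose listener protocol is not in SECURE_PROTOCOLS."""
    findings = []
    for svc in json.loads(list_json):
        if not svc.get("enableCDN"):
            continue  # not fronted by Cloud CDN: out of scope for this check
        protocol = str(svc.get("protocol", "UNSET")).upper()
        if protocol not in SECURE_PROTOCOLS:
            findings.append((svc["name"], protocol, scope_flag(svc)))
    return findings

def remediation_commands(findings):
    """Build the update command from the page's CLI steps for each finding."""
    return [f"gcloud compute backend-services update {name} {scope} --protocol=HTTPS"
            for name, _protocol, scope in findings]

if __name__ == "__main__":
    findings = find_insecure_cdn_backends(SAMPLE_LIST_JSON)
    for name, protocol, scope in findings:
        print(f"{name}: listener protocol {protocol} ({scope})")
    print("\n".join(remediation_commands(findings)))
```

Review the generated commands before running them; the script only reports and never changes the project.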
To remediate the misconfiguration “Cloud CDN Regional Backend Services Should Use Secure Listeners Only” for GCP using Python, you can follow the below steps:
- Import the required libraries:
```python
from googleapiclient.discovery import build
from google.oauth2 import service_account
```
- Set up the authentication using a service account:
```python
credentials = service_account.Credentials.from_service_account_file(
    'path/to/service_account.json')
```
- Build the Compute Engine API client. Backend services, including their Cloud CDN settings, are managed through the Compute Engine API; there is no separate “cdn” discovery API:
```python
compute = build('compute', 'v1', credentials=credentials)
```
- Get the list of backend services using the `backendServices().list()` method (regional backend services are listed with `regionBackendServices().list()`, which also takes a `region` parameter):
```python
backend_services = compute.backendServices().list(
    project='your-project-id').execute()
```
- Loop through each CDN-enabled backend service and check whether it uses a secure listener. In the API resource, `protocol` is a single string such as `HTTP` or `HTTPS` and `port` is a single integer, not a list:
```python
for backend_service in backend_services.get('items', []):
    if not backend_service.get('enableCDN'):
        continue  # only Cloud CDN backend services are in scope
    if backend_service.get('protocol') != 'HTTPS':
        # Switch the listener to HTTPS on port 443 and write the resource back
        backend_service['protocol'] = 'HTTPS'
        backend_service['port'] = 443
        compute.backendServices().update(
            project='your-project-id',
            backendService=backend_service['name'],
            body=backend_service).execute()
```
- Save the changes and exit the script.
Note: This script assumes that you have the necessary permissions to modify backend services in your GCP project.