Skip to main content

More Info:

Load Balancers global instance groups should use only the secure listeners. A listener is a process that checks for connection requests, using the protocol and port that you configure.

Risk Level

High

Address

Security

Compliance Standards

SOC2

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Load Balancers Global Instance Groups Should Use Secure Listeners” for GCP using GCP console, follow the below steps:
  1. Open the GCP console and navigate to the Load Balancing page.
  2. Select the Load Balancer that you want to remediate.
  3. In the Load Balancer details page, click on the Edit button.
  4. In the Edit Load Balancer page, click on the Frontend Configuration tab.
  5. In the Frontend Configuration tab, for each protocol (HTTP and HTTPS), select the HTTPS protocol and click on the Create button.
  6. In the Create Frontend IP and Port page, enter the required details such as Name, IP address, and Port number.
  7. In the Protocol section, select HTTPS and click on the Done button.
  8. Repeat steps 5 to 7 for all the protocols that are being used by the Load Balancer.
  9. Once all the protocols have been configured with HTTPS, click on the Update button to save the changes.
  10. Verify that the Load Balancer is now using secure listeners by accessing the Load Balancer URL using HTTPS protocol.
By following the above steps, you can remediate the misconfiguration “Load Balancers Global Instance Groups Should Use Secure Listeners” for GCP using GCP console.

To remediate the misconfiguration “Load Balancers Global Instance Groups Should Use Secure Listeners” for GCP using GCP CLI, follow the steps below:
  1. Open the Cloud Shell in your GCP console.
  2. Use the following command to list all the global forwarding rules in your project: 
    gcloud compute forwarding-rules list
  3. Identify the global forwarding rule that is associated with the load balancer for which you want to enable secure listeners.
  4. Use the following command to update the global forwarding rule to use HTTPS as the protocol: 
    gcloud compute forwarding-rules update [FORWARDING_RULE_NAME] --global --protocol HTTPS
    Replace [FORWARDING_RULE_NAME] with the name of the global forwarding rule that you identified in step 3.
  5. Use the following command to update the global forwarding rule to use a valid SSL certificate: 
    gcloud compute ssl-certificates create [CERTIFICATE_NAME] --certificate [CERTIFICATE_FILE_PATH] --private-key [PRIVATE_KEY_FILE_PATH]
    Replace [CERTIFICATE_NAME] with a name for your SSL certificate, [CERTIFICATE_FILE_PATH] with the path to your SSL certificate file, and [PRIVATE_KEY_FILE_PATH] with the path to your SSL private key file.
  6. Use the following command to update the global forwarding rule to use the SSL certificate: 
    gcloud compute target-https-proxies update [TARGET_PROXY_NAME] --ssl-certificates [CERTIFICATE_NAME]
    Replace [TARGET_PROXY_NAME] with the name of the target HTTPS proxy associated with the global forwarding rule.
  7. Verify that the global forwarding rule is now using HTTPS as the protocol and a valid SSL certificate. 
    gcloud compute forwarding-rules describe [FORWARDING_RULE_NAME] --global
    Replace [FORWARDING_RULE_NAME] with the name of the global forwarding rule that you updated in step 4.
By following these steps, you have successfully remediated the misconfiguration “Load Balancers Global Instance Groups Should Use Secure Listeners” for GCP using GCP CLI.
To remediate the misconfiguration “Load Balancers Global Instance Groups Should Use Secure Listeners” in GCP using Python, you can follow the below steps:
  1. Import the necessary libraries:
from googleapiclient.discovery import build
from oauth2client.client import GoogleCredentials
  1. Authenticate with GCP using the below code:
credentials = GoogleCredentials.get_application_default()
service = build('compute', 'v1', credentials=credentials)
  1. Get a list of all the global forwarding rules:
project = 'PROJECT_NAME'
global_forwarding_rules = service.globalForwardingRules().list(project=project).execute()
  1. Loop through the list of global forwarding rules and check if they are using HTTPS as the protocol:
for forwarding_rule in global_forwarding_rules['items']:
    if forwarding_rule['IPProtocol'] == 'TCP' and forwarding_rule['portRange'] == '443':
        # HTTPS is being used as the protocol, so no action is needed
        continue
    else:
        # HTTPS is not being used as the protocol, so update the forwarding rule to use HTTPS
        forwarding_rule_url = forwarding_rule['selfLink']
        forwarding_rule_name = forwarding_rule_url.split('/')[-1]
        forwarding_rule_body = {
            'IPProtocol': 'TCP',
            'portRange': '443'
        }
        service.globalForwardingRules().patch(project=project, forwardingRule=forwarding_rule_name, body=forwarding_rule_body).execute()
  1. This code will update the global forwarding rules to use HTTPS as the protocol. You can run this code periodically to ensure that any new global forwarding rules are also updated to use HTTPS.
Note: Make sure to replace the PROJECT_NAME with your actual project name.

Additional Reading: