Load Balancer SSL Should Use Restricted Profile

​

More Info:

Your Load Balancer SSL policy should use Rstricted profile for their SSL negotiation configuration

​

Risk Level

Medium

​

Address

Security

​

Compliance Standards

CBP

​

Remediation

​

Using Console

To remediate the “Load Balancer SSL Should Use Restricted Profile” misconfiguration in GCP using the GCP console, please follow the steps below:

1. Open the GCP console and navigate to the Load Balancing page.
2. Select the Load Balancer that you want to remediate.
3. Click on the “Edit” button to edit the Load Balancer configuration.
4. Under the “Frontend configuration” section, locate the SSL certificate that you want to remediate.
5. Click on the “Edit” button next to the SSL certificate.
6. In the “Certificate details” section, scroll down to the “Certificate profile” option.
7. Select the “Restricted” profile from the dropdown menu.
8. Click on the “Save” button to save the changes.
9. Repeat steps 4-8 for all SSL certificates associated with the Load Balancer.

By following these steps, you will remediate the “Load Balancer SSL Should Use Restricted Profile” misconfiguration in GCP using the GCP console.

​

Using CLI

To remediate the “Load Balancer SSL Should Use Restricted Profile” misconfiguration in GCP using GCP CLI, follow these steps:

1. Open the Cloud Shell by clicking on the icon on the top right corner of the GCP Console.

2. Run the following command to list all the HTTPS load balancers in your project:

   gcloud compute target-https-proxies list
   

3. Identify the HTTPS load balancer that needs to be remediated and note down its name.

4. Run the following command to update the SSL policy of the HTTPS load balancer:

   gcloud compute target-https-proxies update [TARGET_HTTPS_PROXY_NAME] --ssl-policy=RESTRICTED
   

   Replace [TARGET_HTTPS_PROXY_NAME] with the name of the HTTPS load balancer that needs to be remediated.

5. Verify that the SSL policy has been updated by running the following command:

   gcloud compute target-https-proxies describe [TARGET_HTTPS_PROXY_NAME] | grep sslPolicy
   

   The output should show sslPolicy: RESTRICTED.

6. Repeat steps 4-5 for all the HTTPS load balancers in your project that need to be remediated.

By following these steps, you have successfully remediated the “Load Balancer SSL Should Use Restricted Profile” misconfiguration for GCP using GCP CLI.

​

Using Python

To remediate the “Load Balancer SSL Should Use Restricted Profile” misconfiguration for GCP using Python, follow these steps:

1. Install the google-cloud-load-balancer library using the following command:

   pip install google-cloud-load-balancer
   

2. Authenticate with GCP by setting up the environment variable GOOGLE_APPLICATION_CREDENTIALS with the path to your service account key file.

3. Use the google.cloud.load_balancer_v1beta1 module to retrieve the SSL policy that is attached to your load balancer. You can use the following code snippet to achieve this:

   from google.cloud import load_balancer_v1beta1
   
   client = load_balancer_v1beta1.LoadBalancerClient()
   
   # Replace <load_balancer_name> with the name of your load balancer.
   load_balancer_path = client.load_balancer_path('<project_id>', '<location>', '<load_balancer_name>')
   
   # Retrieve the SSL policy attached to the load balancer.
   load_balancer = client.get_load_balancer(load_balancer_path)
   ssl_policy = load_balancer.ssl_policy
   

4. Check if the SSL policy is set to RESTRICTED by checking the value of the profile field. If the profile is not set to RESTRICTED, you need to update the SSL policy. You can use the following code snippet to achieve this:

   from google.cloud import load_balancer_v1beta1
   
   client = load_balancer_v1beta1.LoadBalancerClient()
   
   # Replace <load_balancer_name> with the name of your load balancer.
   load_balancer_path = client.load_balancer_path('<project_id>', '<location>', '<load_balancer_name>')
   
   # Retrieve the SSL policy attached to the load balancer.
   load_balancer = client.get_load_balancer(load_balancer_path)
   ssl_policy = load_balancer.ssl_policy
   
   # Check if the SSL policy is set to RESTRICTED.
   if ssl_policy.profile != 'RESTRICTED':
       # Update the SSL policy to use the RESTRICTED profile.
       ssl_policy.profile = 'RESTRICTED'
   
       # Update the load balancer with the new SSL policy.
       update_mask = {'paths': ['ssl_policy']}
       update_mask = load_balancer_v1beta1.types.FieldMask(paths=update_mask['paths'])
       update_mask = update_mask.to_dict()
       client.update_load_balancer(load_balancer, update_mask)
   

5. Verify that the SSL policy has been updated by checking the value of the profile field again.

By following these steps, you can remediate the “Load Balancer SSL Should Use Restricted Profile” misconfiguration for GCP using Python.

​

Additional Reading:

• https://cloud.google.com/load-balancing/docs/ssl-policies-concepts