Load Balancers Should Use Latest TLS version 1.3

More Info:

Ensure Load Balancers use latest TLS version 1.3

Risk Level

Medium

Address

Security

Compliance Standards

SOC2

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration of Load Balancers not using the latest TLS version 1.3 on GCP using GCP CLI, you can follow the below steps:

Open the Cloud Shell on GCP Console, which is a command-line interface that can be used to run GCP CLI commands.
Run the following command to create a new SSL policy with TLS version 1.3 enabled:

gcloud compute ssl-policies create <ssl-policy-name> --profile=MODERN --min-tls-version=1.3

Replace <ssl-policy-name> with a name for your SSL policy.

Run the following command to update the SSL policy for your load balancer:

gcloud compute target-https-proxies update <target-https-proxy-name> --ssl-policy=<ssl-policy-name>

Replace <target-https-proxy-name> with the name of your target HTTPS proxy, and <ssl-policy-name> with the name of the SSL policy you created in step 2.

Finally, run the following command to verify that TLS version 1.3 is enabled for your load balancer:

gcloud compute ssl-policies describe <ssl-policy-name> --format="get(minTlsVersion)"

Replace <ssl-policy-name> with the name of the SSL policy you created in step 2. The output should show “TLS_1_3” as the minimum TLS version.With these steps, you have successfully remediated the misconfiguration of Load Balancers not using the latest TLS version 1.3 on GCP using GCP CLI.

Using Python

To remediate the misconfiguration of load balancers not using the latest TLS version 1.3 in GCP using Python, follow the below steps:

Install the latest version of the Google Cloud SDK by running the following command in the terminal:

curl https://sdk.cloud.google.com | bash

Initialize the Google Cloud SDK by running the following command:

gcloud init

Create a new Python file and import the necessary libraries:

from google.cloud import compute_v1

Set up the Google Cloud client:

compute_client = compute_v1.ComputeClient()

Get the list of all load balancers in the project:

project_id = 'your-project-id'
load_balancers = compute_client.forwarding_rules().list(project=project_id).execute()

Loop through the list of load balancers and update their SSL policy to use TLS version 1.3:

for load_balancer in load_balancers['items']:
    forwarding_rule_name = load_balancer['name']
    forwarding_rule_region = load_balancer['region']
    ssl_policy_name = 'global/ssl-policies/TLS_1_3'

    # Get the current SSL policy of the load balancer
    forwarding_rule = compute_client.forwarding_rules().get(project=project_id, region=forwarding_rule_region, forwardingRule=forwarding_rule_name).execute()
    current_ssl_policy = forwarding_rule.get('sslPolicy')

    # Update the SSL policy to use TLS version 1.3
    if current_ssl_policy != ssl_policy_name:
        request_body = {
            'sslPolicy': ssl_policy_name
        }
        compute_client.forwarding_rules().setSslPolicy(project=project_id, region=forwarding_rule_region, forwardingRule=forwarding_rule_name, sslPolicyReference=request_body).execute()

Save the Python file and run it in the terminal:

python filename.py

This will update the SSL policy of all load balancers in the GCP project to use the latest TLS version 1.3.

Additional Reading:

https://cloud.google.com/load-balancing/docs/ssl-policies-concepts

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

Load Balancers Should Use Latest TLS version 1.3

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: