Load Balancers Should Use Latest TLS version 1.3
More Info:
Ensure Load Balancers use latest TLS version 1.3
Risk Level
Medium
Address
Security
Compliance Standards
SOC2
Remediation
Using Console
Sure, here are the step-by-step instructions to remediate the misconfiguration of using the latest TLS version 1.3 for Load Balancers on GCP using the GCP console:
- Open the GCP Console and go to the Load Balancing page.
- Select the Load Balancer for which you want to enable TLS 1.3.
- Click on the Edit button to open the Edit load balancer page.
- In the Edit load balancer page, scroll down to the Frontend configuration section and click on the Edit button next to the HTTPS protocol.
- In the Edit frontend configuration page, scroll down to the Advanced configuration section.
- In the Advanced configuration section, click on the Add item button to add a new item to the list.
- In the new item, set the Name to “tls-version” and the Value to “TLS_1_3”.
- Click on the Save button to save the changes.
- Click on the Update button in the Edit load balancer page to apply the changes to the Load Balancer.
That’s it! The Load Balancer now uses the latest TLS version 1.3 for HTTPS protocol.
Using CLI
To remediate the misconfiguration of Load Balancers not using the latest TLS version 1.3 on GCP using GCP CLI, you can follow the below steps:
-
Open the Cloud Shell on GCP Console, which is a command-line interface that can be used to run GCP CLI commands.
-
Run the following command to create a new SSL policy with TLS version 1.3 enabled:
gcloud compute ssl-policies create <ssl-policy-name> --profile=MODERN --min-tls-version=1.3
Replace <ssl-policy-name> with a name for your SSL policy.
- Run the following command to update the SSL policy for your load balancer:
gcloud compute target-https-proxies update <target-https-proxy-name> --ssl-policy=<ssl-policy-name>
Replace <target-https-proxy-name> with the name of your target HTTPS proxy, and <ssl-policy-name> with the name of the SSL policy you created in step 2.
- Finally, run the following command to verify that TLS version 1.3 is enabled for your load balancer:
gcloud compute ssl-policies describe <ssl-policy-name> --format="get(minTlsVersion)"
Replace <ssl-policy-name> with the name of the SSL policy you created in step 2. The output should show “TLS_1_3” as the minimum TLS version.
With these steps, you have successfully remediated the misconfiguration of Load Balancers not using the latest TLS version 1.3 on GCP using GCP CLI.
Using Python
To remediate the misconfiguration of load balancers not using the latest TLS version 1.3 in GCP using Python, follow the below steps:
- Install the latest version of the Google Cloud SDK by running the following command in the terminal:
curl https://sdk.cloud.google.com | bash
- Initialize the Google Cloud SDK by running the following command:
gcloud init
- Create a new Python file and import the necessary libraries:
from google.cloud import compute_v1
- Set up the Google Cloud client:
compute_client = compute_v1.ComputeClient()
- Get the list of all load balancers in the project:
project_id = 'your-project-id'
load_balancers = compute_client.forwarding_rules().list(project=project_id).execute()
- Loop through the list of load balancers and update their SSL policy to use TLS version 1.3:
for load_balancer in load_balancers['items']:
forwarding_rule_name = load_balancer['name']
forwarding_rule_region = load_balancer['region']
ssl_policy_name = 'global/ssl-policies/TLS_1_3'
# Get the current SSL policy of the load balancer
forwarding_rule = compute_client.forwarding_rules().get(project=project_id, region=forwarding_rule_region, forwardingRule=forwarding_rule_name).execute()
current_ssl_policy = forwarding_rule.get('sslPolicy')
# Update the SSL policy to use TLS version 1.3
if current_ssl_policy != ssl_policy_name:
request_body = {
'sslPolicy': ssl_policy_name
}
compute_client.forwarding_rules().setSslPolicy(project=project_id, region=forwarding_rule_region, forwardingRule=forwarding_rule_name, sslPolicyReference=request_body).execute()
- Save the Python file and run it in the terminal:
python filename.py
This will update the SSL policy of all load balancers in the GCP project to use the latest TLS version 1.3.