Skip to main content

More Info:

Ensure that GCP Cloud Monitoring uses HTTPS only for checking the health of backend resources.

Risk Level

Medium

Address

Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Cloud Monitoring Should Use HTTPS For Backend Resource Health Check” for GCP using GCP console, please follow the below steps:
  1. Login to your GCP console.
  2. Go to the Cloud Monitoring page.
  3. In the left navigation menu, select “Uptime Checks”.
  4. Select the uptime check that needs to be remediated.
  5. Click on the “Edit” button.
  6. In the “Check Request” section, select “HTTPS” as the protocol.
  7. In the “Check Request” section, enter the URL of the backend resource.
  8. In the “Check Request” section, select the appropriate HTTP method.
  9. In the “Advanced Settings” section, select “Require valid SSL certificate” checkbox.
  10. Click on the “Save” button to save the changes.
After following the above steps, the misconfiguration “Cloud Monitoring Should Use HTTPS For Backend Resource Health Check” will be remediated for GCP using GCP console.

To remediate the misconfiguration “Cloud Monitoring Should Use HTTPS For Backend Resource Health Check” for GCP using GCP CLI, follow the below steps:
  1. Open the Cloud Shell in the GCP console.
  2. Run the following command to set the default project: 
gcloud config set project [PROJECT_ID]
  1. Run the following command to update the health check configuration:
gcloud compute health-checks update https [HEALTH_CHECK_NAME] --use-https
Replace [HEALTH_CHECK_NAME] with the name of the health check you want to update.
  1. Verify the updated configuration by running the following command:
gcloud compute health-checks describe [HEALTH_CHECK_NAME]
This will display the details of the health check, including the use of HTTPS.By following these steps, you can remediate the misconfiguration “Cloud Monitoring Should Use HTTPS For Backend Resource Health Check” for GCP using GCP CLI.
To remediate the misconfiguration “Cloud Monitoring Should Use HTTPS For Backend Resource Health Check” in GCP using Python, follow these steps:
  1. Import the required libraries for interacting with GCP using Python. For example, you can use the google-auth and google-api-python-client libraries.
from google.oauth2 import service_account
from googleapiclient.discovery import build
  1. Set up the authentication credentials using a service account key file. You can create a service account with the required permissions for the Cloud Monitoring API in the GCP console and download the key file.
credentials = service_account.Credentials.from_service_account_file(
    'path/to/service_account_key.json')
  1. Create a client object for the Cloud Monitoring API using the build function and the appropriate API version.
monitoring_client = build('monitoring', 'v3', credentials=credentials)
  1. Get the list of backend services in the project using the list method of the backendServices resource.
backend_services = monitoring_client.projects().backendServices().list(
    name='projects/<project_id>').execute()
  1. For each backend service, check if the health check protocol is set to HTTPS. If not, update the backend service using the update method of the backendServices resource.
for backend_service in backend_services.get('backendServices', []):
    if backend_service.get('healthChecks')[0].startswith('https://'):
        continue
    else:
        backend_service['healthChecks'][0] = 'https://' + backend_service['healthChecks'][0][7:]
        monitoring_client.projects().backendServices().update(
            name=backend_service['name'], body=backend_service).execute()
  1. Save the Python script and run it using a Python interpreter.
These steps will remediate the misconfiguration “Cloud Monitoring Should Use HTTPS For Backend Resource Health Check” in GCP using Python.

Additional Reading: