
Enable Data Encryption for API Gateway Backend Integrations

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that the communication between your Google Cloud API Gateway and associated backend services is encrypted to protect sensitive data from interception or tampering, such as Man-In-The-Middle (MITM) attacks.

Security

Enforcing encrypted communication between Google Cloud API Gateway and backend services ensures data security, protects sensitive information from interception, and prevents unauthorized access during transmission, complying with best practices and regulatory requirements.


Audit

To determine if the communication between your API Gateway and the associated backend services is encrypted, perform the following operations:

Checking for API Gateway backend integration settings using Google Cloud Management Console is not currently supported.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each GCP project available in your Google Cloud account:

gcloud projects list \
	--format="table(projectId)"

02 The command output should return the requested GCP project IDs:

PROJECT_ID
cc-web-project-123123
cc-dev-project-112233

03 Run api-gateway gateways list command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter and custom output filters to describe the ID of each API Gateway created for the selected project:

gcloud api-gateway gateways list \
	--location=us-central1 \
	--project cc-web-project-123123 \
	--format="table(name)"

04 The command output should return the fully qualified identifier for each API Gateway:

NAME: projects/cc-web-project-123123/locations/us-central1/gateways/tm-project5-api-gateway
NAME: projects/cc-web-project-123123/locations/us-central1/gateways/aqi-monitor-api-gateway

05 Run compute network-endpoint-groups list command (Windows/macOS/Linux) with the ID of the API Gateway that you want to examine as the identifier parameter and custom output filters to describe the URI of the serverless Network Endpoint Group (NEG) configured as the backend for the specified API Gateway. The serverless NEG is the key element linking the backend service to the API Gateway:

gcloud beta compute network-endpoint-groups list \
	--regions=us-central1 \
	--filter="serverlessDeployment.resource=tm-project5-api-gateway" \
	--format="value(selfLink)"

06 The command output should return the URI of the serverless NEG associated with the selected API Gateway. If the compute network-endpoint-groups list command output does not return a URI, the selected API Gateway is not associated with a serverless NEG and the Audit process ends here:

https://www.googleapis.com/compute/beta/projects/cc-web-project-123123/regions/us-central1/networkEndpointGroups/tm-project5-neg

07 Run compute backend-services list command (Windows/macOS/Linux) with custom output filters to describe the name of each backend service deployed for the selected GCP project, along with the URI of the Network Endpoint Group (NEG) configured as backend for the backend service:

gcloud compute backend-services list \
	--project cc-web-project-123123 \
	--format="table(name,backends[].group)"

08 The command output should return the requested identifiers:

NAME: tm-project5-backend-service
GROUP: ['https://www.googleapis.com/compute/v1/projects/cc-web-project-123123/regions/us-central1/networkEndpointGroups/tm-project5-neg']

NAME: tm-aqi-app-backend-service
GROUP: ['https://www.googleapis.com/compute/v1/projects/cc-web-project-123123/regions/us-central1/networkEndpointGroups/tm-aqi-app-neg']

Cross-reference the data returned in step no. 6 with that returned in step no. 8 to determine the name of the backend service associated with the selected API Gateway.

09 Run compute backend-services describe command (Windows/macOS/Linux) with the name of the backend service associated with your API Gateway as the identifier parameter, to determine if the backend service is configured to communicate with the API Gateway using HTTPS:

gcloud compute backend-services describe tm-project5-backend-service \
	--global \
	--format="value(protocol)"

10 The command output should return the name of the protocol configured for the backend service endpoint:

HTTP

If the compute backend-services describe command output returns HTTP, as shown in the example above, the communication between your Google Cloud API Gateway and the associated backend service is not encrypted.

11 Repeat steps no. 5 – 10 for each API Gateway that you want to examine, created for the selected GCP project.

12 Repeat steps no. 3 – 11 for each GCP project deployed in your Google Cloud account.
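Steps 5 to 10 above can be automated by exporting the two listings as JSON (`gcloud beta compute network-endpoint-groups list --format=json` and `gcloud compute backend-services list --format=json`) and cross-referencing them by NEG URI. The following script is an added example, not Conformity's own check code; the embedded JSON is a constructed sample trimmed to the fields the check uses, with values mirroring the page's examples plus a hypothetical `orphan-gateway` that has no serverless NEG.

```python
import json
import re

# Constructed sample of `gcloud beta compute network-endpoint-groups list --format=json`,
# trimmed to the fields this check uses (values mirror the page's examples).
NEGS = json.loads("""[
 {"selfLink": "https://www.googleapis.com/compute/beta/projects/cc-web-project-123123/regions/us-central1/networkEndpointGroups/tm-project5-neg",
  "serverlessDeployment": {"platform": "apigateway.googleapis.com", "resource": "tm-project5-api-gateway"}},
 {"selfLink": "https://www.googleapis.com/compute/beta/projects/cc-web-project-123123/regions/us-central1/networkEndpointGroups/tm-aqi-app-neg",
  "serverlessDeployment": {"platform": "apigateway.googleapis.com", "resource": "aqi-monitor-api-gateway"}}
]""")

# Constructed sample of `gcloud compute backend-services list --format=json` (same trimming).
BACKEND_SERVICES = json.loads("""[
 {"name": "tm-project5-backend-service", "protocol": "HTTP",
  "backends": [{"group": "https://www.googleapis.com/compute/v1/projects/cc-web-project-123123/regions/us-central1/networkEndpointGroups/tm-project5-neg"}]},
 {"name": "tm-aqi-app-backend-service", "protocol": "HTTPS",
  "backends": [{"group": "https://www.googleapis.com/compute/v1/projects/cc-web-project-123123/regions/us-central1/networkEndpointGroups/tm-aqi-app-neg"}]}
]""")

# HTTP/2 to backends is TLS-only on Google Cloud load balancers, so it counts as encrypted too.
ENCRYPTED = {"HTTPS", "HTTP2"}

def neg_key(uri):
    """Normalise a NEG URI so the beta selfLink (step 6) and the v1 group URI (step 8) compare equal."""
    return re.sub(r"/compute/(alpha|beta|v1)/", "/compute/", uri)

def gateway_negs(gateway_name, negs):
    """Steps 5/6: serverless NEGs whose deployment resource is the given API Gateway."""
    return [neg_key(n["selfLink"]) for n in negs
            if n.get("serverlessDeployment", {}).get("platform") == "apigateway.googleapis.com"
            and n["serverlessDeployment"].get("resource") == gateway_name]

def audit_gateway(gateway_name, negs, backend_services):
    """Steps 5-10: one finding per backend service attached to the gateway's NEG.
    An empty list means no serverless NEG is linked, which ends the audit for that gateway."""
    keys = set(gateway_negs(gateway_name, negs))
    findings = []
    for bs in backend_services:
        groups = {neg_key(b["group"]) for b in bs.get("backends", [])}
        if keys & groups:
            findings.append({"backend_service": bs["name"], "protocol": bs["protocol"],
                             "encrypted": bs["protocol"] in ENCRYPTED})
    return findings

if __name__ == "__main__":
    for gw in ("tm-project5-api-gateway", "aqi-monitor-api-gateway", "orphan-gateway"):
        print(gw, audit_gateway(gw, NEGS, BACKEND_SERVICES) or "no serverless NEG linked")
```

Any finding with `"encrypted": False` is a backend service that needs the remediation below; run it per project, since both listings are project-scoped.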

Remediation / Resolution

To ensure that the communication between your API Gateway and its backend services is encrypted using HTTPS, perform the following operations:

The editing of backend service configuration settings using Google Cloud Management Console is not currently supported.

Using GCP CLI

01 Run compute backend-services update command (Windows/macOS/Linux) with the name of the backend service associated with your API Gateway as the identifier parameter, to change the backend service endpoint protocol to HTTPS:

gcloud compute backend-services update tm-project5-backend-service \
	--global \
	--protocol HTTPS

02 The command output should return the URI of the updated resource:

Updated [https://www.googleapis.com/compute/v1/projects/cc-web-project-123123/global/backendServices/tm-project5-backend-service].

03 Repeat steps no. 1 and 2 for each associated backend service that you want to configure, available within the selected GCP project.

04 Repeat steps no. 1 – 3 for each GCP project deployed in your Google Cloud account.

Publication date Jan 16, 2025