Configure Cloud CDN origin authentication

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that Cloud CDN origins are configured to authenticate access to the content available at backend (backend buckets or backend services) using signed cookies and signed URLs. Signed cookies and URLs are designed to prevent unauthorized users from bypassing the authentication process and accessing sensitive information.

Security

Utilizing signed cookies and signed URLs for authentication with Google Cloud CDN provides a robust and reliable method to verify that a viewer is authorized and to safeguard your website's resources against unauthorized access. These authentication methods allow you to restrict access to authorized viewers by providing them with a time-limited URL or cookie that grants access only for its validity period. Viewers who otherwise try to access the content receive an HTTP 403 (Forbidden) response.

Audit

To determine if your Cloud CDN origins are authenticating access to the cached content, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to the Cloud CDN console available at https://console.cloud.google.com/net-services/cdn.

04 Click on the name (link) of the Cloud CDN origin that you want to examine.

05 Select the DETAILS tab and check the Restricted content attribute value listed under Cache performance. If Restricted content is set to "Public access to the content cached by Cloud CDN allowed", the selected Cloud CDN origin is not configured to restrict public access to the cached content.

06 Repeat steps no. 4 and 5 for each Cloud CDN origin available within your GCP project.

07 Repeat steps no. 2 – 6 for each project deployed in your Google Cloud Platform (GCP) account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom query filters to list the ID of each GCP project available within your Google Cloud account:

gcloud projects list \
  --format="table(projectId)"

02 The command output should return the requested GCP project identifier(s):

PROJECT_ID
  cc-web-app-project-112233
  cc-bigdata-project-123123

03 Run compute backend-services list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter and custom filters to list the name of each Cloud CDN backend service origin available for the selected project:

gcloud compute backend-services list \
  --global \
  --project cc-web-app-project-112233 \
  --format="table(name,enableCDN)"

04 The command output should return the requested backend service identifier(s). When ENABLE_CDN is set to True, Cloud CDN is enabled for the listed backend service:

NAME:                            ENABLE_CDN:
cc-web-backend-service-origin    True
cc-net-backend-service-origin    True

05 Run compute backend-services describe command (Windows/macOS/Linux) to describe the signed request key(s) created for the selected backend service, used for authentication by the Cloud CDN signed URLs and signed cookies:

gcloud compute backend-services describe cc-web-backend-service-origin \
  --global \
  --format="json(cdnPolicy.signedUrlKeyNames)"

06 The command output should return the requested signed request key name(s):

null

If the compute backend-services describe command returns null, no signed request keys (which are required to implement signed URLs and signed cookies) are attached to the backend service, therefore the selected Cloud CDN origin is not configured to authenticate access to the cached content.

07 Run compute backend-buckets list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter and custom filters to list the name of each Cloud CDN backend bucket origin created for the selected project:

gcloud compute backend-buckets list \
  --project cc-web-app-project-112233 \
  --format="table(name,enableCDN)"

08 The command output should return the requested backend bucket identifier(s). When ENABLE_CDN is set to True, Cloud CDN is enabled for the listed backend bucket:

NAME:                           ENABLE_CDN:
cc-net-backend-bucket-origin    True
cc-web-backend-bucket-origin    True

09 Run compute backend-buckets describe command (Windows/macOS/Linux) to describe the signed request key(s) created for the selected backend bucket, used for authentication by the Cloud CDN signed URLs and signed cookies:

gcloud compute backend-buckets describe cc-net-backend-bucket-origin \
  --format="json(cdnPolicy.signedUrlKeyNames)"

10 The command output should return the requested signed request key name(s):

null

If the compute backend-buckets describe command returns null, no signed request keys (which are required to implement signed URLs and signed cookies) are attached to the backend bucket, therefore the selected Cloud CDN origin is not configured to authenticate access to the cached content.

11 Repeat steps no. 3 – 10 for each Cloud CDN origin provisioned in your GCP project.

12 Repeat steps no. 3 – 11 for each project created within your Google Cloud Platform (GCP) account.
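The audit loop in steps 3 to 10 can be automated. The following Python script is an added example for this page (it is not part of the Conformity knowledge base or of the gcloud CLI): it evaluates the JSON that `gcloud compute backend-services list --format=json` and `gcloud compute backend-buckets list --format=json` return, using the Compute Engine API field names (`enableCDN`, `cdnPolicy.signedUrlKeyNames`, `cdnPolicy.signedUrlCacheMaxAgeSec`), and reports every CDN-enabled origin that has no signed request keys. The origin names in the sample data are constructed, and the project ID is only needed when auditing a live project.

```python
"""Audit Cloud CDN origins for signed-URL / signed-cookie keys.

Added example; not code from the Conformity page or from Google. It classifies
the JSON gcloud prints for backend services and backend buckets and flags every
origin with Cloud CDN enabled that has no signed request keys attached.
"""
import json
import subprocess
from typing import Iterable


def audit_origin(resource: dict) -> tuple:
    """Classify one backend service or backend bucket resource.

    Returns (name, status, reason) with status PASS, FAIL or NOT_APPLICABLE.
    """
    name = resource.get("name", "<unnamed>")
    if not resource.get("enableCDN", False):
        # Without Cloud CDN the backend is not a CDN origin, so the check does not apply.
        return (name, "NOT_APPLICABLE", "Cloud CDN is not enabled")
    cdn_policy = resource.get("cdnPolicy") or {}
    key_names = cdn_policy.get("signedUrlKeyNames") or []
    if not key_names:
        # Same condition as `describe --format="json(cdnPolicy.signedUrlKeyNames)"` printing null.
        return (name, "FAIL", "no signed URL keys; cached content is publicly accessible")
    max_age = cdn_policy.get("signedUrlCacheMaxAgeSec", "unset")
    return (name, "PASS",
            f"signed URL keys: {', '.join(key_names)} (signed-url cache max age: {max_age}s)")


def audit_project(resources: Iterable[dict]) -> list:
    """Run audit_origin over every origin of a project and return all findings."""
    return [audit_origin(r) for r in resources]


def failing_origins(resources: Iterable[dict]) -> list:
    """Names of CDN-enabled origins that have no signed request keys."""
    return [name for name, status, _ in audit_project(resources) if status == "FAIL"]


def load_origins_from_gcloud(project: str) -> list:
    """Fetch backend services and backend buckets of a project with gcloud.

    Assumes an authenticated gcloud CLI; this is the only part needing network access.
    """
    commands = [
        ["gcloud", "compute", "backend-services", "list", "--global",
         "--project", project, "--format=json"],
        ["gcloud", "compute", "backend-buckets", "list",
         "--project", project, "--format=json"],
    ]
    origins = []
    for cmd in commands:
        output = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
        origins.extend(json.loads(output))
    return origins


# Constructed sample in the shape gcloud returns (not real project data).
SAMPLE_ORIGINS = json.loads("""
[
  {"name": "cc-web-backend-service-origin", "enableCDN": true,
   "cdnPolicy": {"cacheMode": "CACHE_ALL_STATIC"}},
  {"name": "cc-net-backend-service-origin", "enableCDN": true,
   "cdnPolicy": {"signedUrlKeyNames": ["cc-service-signed-key"],
                 "signedUrlCacheMaxAgeSec": "86400"}},
  {"name": "cc-internal-backend-service", "enableCDN": false},
  {"name": "cc-net-backend-bucket-origin", "enableCDN": true,
   "cdnPolicy": {"signedUrlKeyNames": []}}
]
""")


if __name__ == "__main__":
    import sys
    # Pass a project ID to audit a live project; otherwise the constructed sample is used.
    origins = load_origins_from_gcloud(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ORIGINS
    for name, status, reason in audit_project(origins):
        print(f"{status:15} {name:35} {reason}")
```

Run it with a project ID to audit that project, or without arguments to see the classification on the sample; repeat per project to cover step 12. A backend with Cloud CDN disabled is reported as not applicable rather than failing, because the check only concerns content served through the CDN.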

Remediation / Resolution

To ensure that your Cloud CDN origins are authenticating access to your cached content, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to the Cloud CDN console available at https://console.cloud.google.com/net-services/cdn.

04 Click on the name (link) of the Cloud CDN origin that you want to configure (backend service or backend bucket), and choose EDIT.

05 For Origin basics and Host and path rules, choose NEXT.

06 For Cache performance, select Restrict access using signed URLs and signed cookies under Restricted content, choose ADD SIGNING KEY, and perform the following actions:

  1. Provide a unique name for your new signing key.
  2. For Key creation method, choose Automatically generate. Alternatively, choose Let me enter, and specify a value for the signing key. Save and store your signing key in a safe location.
  3. Choose DONE to save the changes.
  4. Provide an appropriate value for the Cache entry maximum age, and select a unit of time from the Unit dropdown list.

07 Choose DONE to apply the configuration changes. You can now programmatically create signed URLs and signed cookies.

08 Repeat steps no. 4 – 7 for each Cloud CDN origin that you want to configure, available within your GCP project.

09 Repeat steps no. 2 – 8 for each GCP project deployed in your Google Cloud Platform (GCP) account.

Using GCP CLI

01 First, generate a cryptographically random 128-bit key, encode it in URL-safe base64, and store it in a file named cc-random-key.txt:

head -c 16 /dev/urandom | base64 | tr +/ -_ > cc-random-key.txt

02 Run compute backend-services add-signed-url-key command (Windows/macOS/Linux) to add the signed key to your Cloud CDN backend service origin:

gcloud compute backend-services add-signed-url-key cc-web-backend-service-origin \
  --global \
  --key-name cc-service-signed-key \
  --key-file cc-random-key.txt

03 The command output should return the operation progress and status:

Adding Cloud CDN Signed URL key to [cc-web-backend-service-origin]...done.

04 Run compute backend-services update command (Windows/macOS/Linux) to set the maximum cache time for signed requests on your Cloud CDN backend service (the command does not produce an output):

gcloud compute backend-services update cc-web-backend-service-origin \
  --global \
  --signed-url-cache-max-age 86400

05 Run compute backend-buckets add-signed-url-key command (Windows/macOS/Linux) to add the signed key to your Cloud CDN backend bucket origin:

gcloud compute backend-buckets add-signed-url-key cc-net-backend-bucket-origin \
  --key-name cc-service-signed-key \
  --key-file cc-random-key.txt

06 The command output should return the operation progress and status:

Adding Cloud CDN Signed URL key to [cc-net-backend-bucket-origin]...done.

07 Run gsutil iam ch command (Windows/macOS/Linux) to grant Cloud CDN the ability to read objects from the private bucket associated with the backend bucket. Replace [project-number] and [bucket-name] with your own details:

gsutil iam ch serviceAccount:service-[project-number]@cloud-cdn-fill.iam.gserviceaccount.com:objectViewer gs://[bucket-name]

08 Run compute backend-buckets update command (Windows/macOS/Linux) to set the maximum cache time for signed requests on your Cloud CDN backend bucket (the command does not produce an output):

gcloud compute backend-buckets update cc-net-backend-bucket-origin \
  --signed-url-cache-max-age 86400

09 Repeat steps no. 1 – 8 for each Cloud CDN origin that you want to configure, provisioned in your GCP project.

10 Repeat steps no. 1 – 9 for each GCP project created within your Google Cloud Platform (GCP) account.
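Once a signing key has been registered as above, your application must mint the signed URLs and signed cookies that authorized viewers receive. The following Python program is an added example for this page (not code from the Conformity knowledge base or from Google); it implements Cloud CDN's documented scheme (HMAC-SHA1 over the URL, or over the cookie policy, with the base64url-decoded 128-bit key, signature base64url-encoded) and adds a local verifier that shows why an expired URL, a URL whose path was altered, or a URL signed with an unknown key is rejected. The key name `cc-service-signed-key` matches the remediation steps; the key value and `cdn.example.com` URLs are constructed sample values standing in for the contents of cc-random-key.txt and your own origin.

```python
"""Produce and verify Cloud CDN signed URLs and signed cookies.

Added example; not code from the Conformity page or from Google. Signatures are
HMAC-SHA1 with the base64url-decoded key, base64url-encoded, exactly as Cloud CDN
expects them in the Signature parameter / cookie field.
"""
import base64
import hashlib
import hmac
import urllib.parse

# Constructed 16-byte key in the base64url form cc-random-key.txt would hold.
SAMPLE_KEY_NAME = "cc-service-signed-key"
SAMPLE_KEY_B64 = "nZtRohdNF9m3cKM24IcK4w=="


def _sign(base64_key: str, message: str) -> str:
    """HMAC-SHA1 of message with the decoded key, returned base64url-encoded."""
    key = base64.urlsafe_b64decode(base64_key)
    digest = hmac.new(key, message.encode("utf-8"), hashlib.sha1).digest()
    return base64.urlsafe_b64encode(digest).decode("utf-8")


def sign_url(url: str, key_name: str, base64_key: str, expires: int) -> str:
    """Return <url>?Expires=<unix ts>&KeyName=<name>&Signature=<sig>.

    The signature covers the whole URL including Expires and KeyName, so
    changing the path, query, expiry or key name invalidates it.
    """
    url = url.strip()
    separator = "&" if urllib.parse.urlsplit(url).query else "?"
    url_to_sign = f"{url}{separator}Expires={expires}&KeyName={key_name}"
    return f"{url_to_sign}&Signature={_sign(base64_key, url_to_sign)}"


def sign_cookie(url_prefix: str, key_name: str, base64_key: str, expires: int) -> str:
    """Return the Cloud-CDN-Cookie value granting access to every URL under url_prefix."""
    encoded_prefix = base64.urlsafe_b64encode(url_prefix.strip().encode("utf-8")).decode("utf-8")
    policy = f"URLPrefix={encoded_prefix}:Expires={expires}:KeyName={key_name}"
    return f"Cloud-CDN-Cookie={policy}:Signature={_sign(base64_key, policy)}"


def verify_signed_url(signed_url: str, keys: dict, now: int) -> tuple:
    """Re-check a signed URL the way the CDN edge does; returns (ok, reason).

    keys maps key name -> base64url key. Missing parameters, an unknown key,
    an expiry in the past or a signature mismatch all reject the request.
    """
    marker = "&Signature="
    idx = signed_url.rfind(marker)
    if idx < 0:
        return (False, "missing Signature")
    url_to_sign, signature = signed_url[:idx], signed_url[idx + len(marker):]
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(url_to_sign).query)
    try:
        expires = int(params["Expires"][-1])
        key_name = params["KeyName"][-1]
    except (KeyError, ValueError):
        return (False, "missing Expires or KeyName")
    if key_name not in keys:
        return (False, f"unknown key {key_name}")
    if now > expires:
        return (False, "expired")
    expected = _sign(keys[key_name], url_to_sign)
    # Constant-time comparison so timing does not reveal how much of the signature matched.
    if not hmac.compare_digest(expected.encode("utf-8"), signature.encode("utf-8")):
        return (False, "signature mismatch")
    return (True, "ok")


if __name__ == "__main__":
    now = 1_700_000_000                 # constructed "current time"
    expires = now + 3600                # grant one hour of access
    keys = {SAMPLE_KEY_NAME: SAMPLE_KEY_B64}
    url = sign_url("https://cdn.example.com/media/video.mp4", SAMPLE_KEY_NAME, SAMPLE_KEY_B64, expires)
    print(url)
    print(sign_cookie("https://cdn.example.com/media/", SAMPLE_KEY_NAME, SAMPLE_KEY_B64, expires))
    print(verify_signed_url(url, keys, now))                                    # (True, 'ok')
    print(verify_signed_url(url.replace("video.mp4", "other.mp4"), keys, now))  # signature mismatch
    print(verify_signed_url(url, keys, expires + 1))                            # expired
```

Keep the expiry as short as the use case allows and pair it with the signed-url cache max age set in the remediation steps: the signature bounds how long a viewer can fetch from the edge, while the cache max age bounds how long the edge serves the object before revalidating with the origin.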

Publication date May 24, 2023