Configure SSL/TLS certificates for Cloud CDN backend bucket origins

Risk Level: Medium (should be achieved)

Ensure that Google Cloud CDN backend bucket origins enforce HTTPS using SSL/TLS certificates in order to handle encrypted traffic. This helps you to protects the integrity and confidentiality of the transmitted information.

Security

Without HTTPS, any data transmitted over a network is vulnerable to eavesdropping and Man-In-The-Middle (MITM) attacks. The risk becomes even higher when the cloud application is working with sensitive data such as health and personal records, credentials and credit card numbers. With HTTPS, the traffic is encrypted over SSL/TLS, and the application and user data is secured in transit. Using an SSL/TLS certificate for your Cloud CDN backend bucket origin enhances security, adds trust, boosts SEO, facilitates compliance, and enhances reputation. With an SSL/TLS certificate, your application is fortified with robust security measures, inspires confidence among users, and aligns with industry regulations.

Audit

To determine if your Cloud CDN backend bucket origins are using SSL/TLS certificates, perform the following actions:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to the Cloud CDN console available at https://console.cloud.google.com/net-services/cdn.

04 Click on the name (link) of the Cloud CDN origin that you want to examine.

05 Select the DETAILS tab and check the Origin type attribute value listed under Origin configuration. If the Origin type is set to Backend bucket origin, the origin is a backend bucket resource and the Audit process continues with the next step. Otherwise, the Audit process stops here.

06 Note the name of the associated load balancer, listed under Host and path rules.

07 Navigate to Cloud Load Balancing console available at https://console.cloud.google.com/net-services/loadbalancing.

08 Choose the load balancer associated with your backend bucket resource and check the name of the protocol(s) listed in the Protocols column. If the HTTPS protocol is not listed in the Protocols column, the associated Cloud CDN backend bucket origin does not enforce HTTPS using SSL/TLS certificates.

09 Repeat steps no. 4 – 8 for each project deployed in your Google Cloud Platform (GCP) account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom query filters to list the ID of each GCP project available within your Google Cloud account:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899

gcloud projects list 
  --format="table(projectId)"

02 The command output should return the requested GCP project identifier(s):

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899

PROJECT_ID
  cc-web-app-project-112233
  cc-bigdata-project-123123

03 Run compute url-maps list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter and custom filtering to list the name of each load balancer (and the associated CDN origin) provisioned for the selected project:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899

gcloud compute url-maps list
  --project cc-web-app-project-112233
  --format="table(name,defaultService)"

04 The command output should return the requested information. If DEFAULT_SERVICE is set to backendBuckets/[resource-name], the load balancer listed by the compute url-maps list command output is associated with a backend bucket resource and the Audit process continues with the next step. Otherwise, the Audit process stops here:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899

NAME: cc-external-load-balancer
DEFAULT_SERVICE: backendBuckets/cc-cdn-bucket-origin

05 Run compute forwarding-rules list command (Windows/macOS/Linux) to list all the Google Compute Engine forwarding rules within the selected GCP project in order to identify the forwarding rules used by your load balancer (i.e. target resource):

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899

gcloud compute forwarding-rules list 
  --project cc-web-app-project-112233

06 The command output should return the requested configuration information:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899

NAME: cc-external-load-balancer-forwarding-rule
REGION: 
IP_ADDRESS: 10.0.15.20
IP_PROTOCOL: TCP
TARGET: cc-external-load-balancer-target-proxy

07 Run compute forwarding-rules describe command (Windows/macOS/Linux) to describe the port range configured for the forwarding rule used by your load balancer in order to determine if the resource allows traffic via port 443 (HTTPS):

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899

gcloud compute forwarding-rules describe cc-external-load-balancer-forwarding-rule
  --global
  --format="value(portRange)"

08 The command output should return the requested configuration information:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899

80-80

If the compute forwarding-rules describe command output returns 80-80, as shown in the output example above, the resource allows traffic via port 80 (HTTP), therefore the associated Cloud CDN backend bucket origin does not enforce HTTPS using SSL/TLS certificates.

09 Repeat steps no. 3 – 8 for each project created within your Google Cloud Platform (GCP) account.

Remediation / Resolution

To ensure that your Cloud CDN backend service origins enforce HTTPS using SSL/TLS certificates, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to Cloud Load Balancing console available at https://console.cloud.google.com/net-services/loadbalancing.

04 Click on the name (link) of the load balancer associated with your backend bucket resource and choose EDIT.

05 Choose Frontend configuration, choose ADD FRONTEND IP AND PORT, and perform the following operations:

For Name, provide a name for your new frontend configuration.
For Protocol, select HTTPS (including HTTP/2).
Click inside the Certificate box and choose CREATE NEW CERTIFICATE. Enter the certificate name and choose whether to upload your own certificate information (i.e. public key certificate and private key) or provision a new, Google-managed certificate with the Certificate Manager service. If you choose to request a Google-managed certificate, provide the domain for the new certificate. Choose CREATE to provision your new SSL/TLS certificate.
Select the newly create certificate and choose OK.
Choose DONE to save the changes.

06 Remove any HTTP configurations listed in the Frontend configuration section, and choose UPDATE to apply the configuration changes.

07 Repeat steps no. 2 – 6 for each GCP project deployed in your Google Cloud Platform (GCP) account.

Using GCP CLI

01 To create a global SSL/TLS certificate resource for the load balancer associated with your Cloud CDN backend bucket origin, run compute ssl-certificates create command (Windows/macOS/Linux) with the --global parameter. Replace [certificate-file] and [private-key-file] with your own self-managed certificate files:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899

gcloud compute ssl-certificates create cc-bucket-origin-certificate
  --global
  --certificate=[certificate-file]
  --private-key=[private-key-file]

02 The command output should return the URL of the new certificate resource:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899

Created [https://www.googleapis.com/compute/v1/projects/cc-web-app-project-112233/global/sslCertificates/cc-bucket-origin-certificate].

03 Run compute target-https-proxies create command (Windows/macOS/Linux) using the name of the load balancer that you want to reconfigure as the identifier parameter and the name of the newly created SSL/TLS certificate resource as command parameter, to create a target HTTPS proxy that routes requests to the selected load balancer (identified by the URL map). The HTTPS proxy is the component of the load balancer that holds your certificate for secure load balancing:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899

gcloud compute target-https-proxies create cc-external-load-balancer-target-proxy
  --url-map cc-external-load-balancer
  --ssl-certificates cc-bucket-origin-certificate

04 The command output should return the URL of the newly created HTTPS proxy:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899

Created [https://www.googleapis.com/compute/v1/projects/cc-web-app-project-112233/global/targetHttpsProxies/cc-external-load-balancer-target-proxy].

05 Run compute forwarding-rules create command (Windows/macOS/Linux) to create a global forwarding rule that routes incoming requests to the target HTTPS proxy created at the previous steps in order to enable HTTPS for the associated load balancer. Replace [ipv4-address] with the static IPv4 address configured for the selected load balancer:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899

gcloud compute forwarding-rules create cc-lb-https-frontend-config
  --global
  --address=[ipv4-address]
  --target-https-proxy=cc-external-load-balancer-target-proxy
  --ports=443

06 The command output should return the URL of the new load balancer forwarding rule:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899

Created [https://www.googleapis.com/compute/v1/projects/cc-web-app-project-112233/global/forwardingRules/cc-lb-https-frontend-config].

07 Repeat steps no. 1 – 6 for each GCP project created within your Google Cloud Platform (GCP) account.

References

Google Cloud Platform (GCP) Documentation
SSL certificates overview
Set up a backend bucket
External HTTP(S) load balancer overview
Request routing to a multi-region global external HTTP(S) load balancer (classic)
Set up a global external HTTP(S) load balancer (classic) with a managed instance group backend

GCP Command Line Interface (CLI) Documentation
gcloud compute url-maps list
gcloud compute forwarding-rules list
gcloud compute forwarding-rules describe
gcloud compute ssl-certificates create
gcloud compute target-https-proxies create
gcloud compute forwarding-rules create

Publication date May 24, 2023

Audit

Using GCP Console

Using GCP CLI

Remediation / Resolution

Using GCP Console

Using GCP CLI

References

Related CloudCDN rules