Detect GCP Load Balancer Configuration Changes

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable risk)
Rule ID: CloudLoadBalancing-003

The Trend Cloud One™ – Conformity Real-Time Threat Monitoring and Analysis (RTMA) engine has detected configuration changes made at the Load Balancing service level in your GCP account.
Google Cloud Load Balancing is a fully managed, high performance, scalable load balancing service provided by Google Cloud Platform (GCP). With Google Cloud Load Balancing you can easily create and configure your own load balancers in order to distribute user traffic across the multiple instances that are running your web applications.
As a security best practice, you need to be aware of all the configuration changes made at the Load Balancing service level, changes such as creating a forwarding rule or updating a specified backend service resource for a load balancer. A backend service defines how a load balancer distributes traffic while a forwarding rule (and its associated IP address) represents the frontend configuration of a load balancer. Because these configuration settings define how your load balancer behaves, it is imperative to monitor them in real time.
The activity detected by the Trend Cloud One™ – Conformity RTMA feature could be, for example, a user action initiated through the Google Cloud Console or an API request made programmatically using the gcloud CLI that triggers any of the following operational events:

  • "forwardingRules.insert" – Creates a forwarding rule in the specified GCP project and region using the data included in the request.
  • "forwardingRules.patch" – Updates the specified forwarding rule with the data included in the request. This method supports "PATCH" semantics and uses the JSON merge patch format and processing rules.
  • "backendServices.insert" – Creates a backend service resource in the specified GCP project using the data included in the request.
  • "backendServices.patch" – Patches the specified backend service with the data included in the request. This method supports "PATCH" semantics and uses the JSON merge patch format and processing rules.
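The four operations above appear in GCP Cloud Audit Logs as the `methodName` of an Admin Activity entry. The following is an added example, not Conformity's own detection code, that scans a batch of audit log lines for those methods and reports who made each change. It assumes the audit entry layout (`protoPayload.methodName`, `protoPayload.authenticationInfo.principalEmail`, `protoPayload.resourceName`, `protoPayload.requestMetadata.callerIp`), that `methodName` carries an API-version prefix such as `v1.compute.`, and an `authorized_principals` allow-list of administrators; the sample log lines, project id, principals and addresses are constructed.

```python
"""Flag GCP Cloud Audit Log entries that record load balancer configuration changes.

Added example (not part of the Conformity rule page). Assumes Cloud Audit Log
field names as noted in the comments; the sample entries below are constructed.
"""
import json
from typing import Iterable, Optional

# The operational events the rule watches for. In Cloud Audit Logs the method
# carries an API-version prefix (e.g. "v1.compute.forwardingRules.insert"),
# so entries are matched on the suffix rather than the whole string (assumption).
MONITORED_METHODS = (
    "forwardingRules.insert",
    "forwardingRules.patch",
    "backendServices.insert",
    "backendServices.patch",
)


def _constructed_entry(ts: str, method: str, principal: str, resource: str, ip: str) -> str:
    """Build one constructed audit log line in the Admin Activity entry shape (assumed)."""
    return json.dumps({
        "timestamp": ts,
        "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "methodName": method,
            "resourceName": resource,
            "authenticationInfo": {"principalEmail": principal},
            "requestMetadata": {"callerIp": ip},
        },
    })


# Constructed sample input: two load balancer changes, one unrelated event, one bad line.
SAMPLE_LOG_LINES = [
    _constructed_entry("2022-12-14T10:00:00Z", "v1.compute.forwardingRules.insert",
                       "lb-admin@example.com",
                       "projects/example-project/regions/us-central1/forwardingRules/web-fr",
                       "203.0.113.10"),
    _constructed_entry("2022-12-14T10:05:00Z", "v1.compute.instances.insert",
                       "dev@example.com",
                       "projects/example-project/zones/us-central1-a/instances/vm-1",
                       "203.0.113.11"),
    _constructed_entry("2022-12-14T10:07:00Z", "v1.compute.backendServices.patch",
                       "dev@example.com",
                       "projects/example-project/global/backendServices/web-bes",
                       "198.51.100.7"),
    "this line is not JSON",
]


def is_lb_config_change(entry: dict) -> bool:
    """True if the entry's methodName is one of the monitored load balancer methods."""
    method = entry.get("protoPayload", {}).get("methodName", "")
    return any(method == m or method.endswith("." + m) for m in MONITORED_METHODS)


def detect_lb_changes(lines: Iterable[str],
                      authorized_principals: Optional[set] = None) -> list:
    """Return one finding per load balancer configuration change found in `lines`.

    A change made by a principal outside `authorized_principals` is marked
    "alert"; one made by an authorized administrator is marked "review" so it
    still gets a human look. Malformed lines are skipped rather than aborting.
    """
    authorized = authorized_principals or set()
    findings = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # not an audit entry; skip but keep scanning
        if not isinstance(entry, dict) or not is_lb_config_change(entry):
            continue
        payload = entry["protoPayload"]
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
        findings.append({
            "timestamp": entry.get("timestamp"),
            "principal": principal,
            "method": payload.get("methodName"),
            "resource": payload.get("resourceName"),
            "caller_ip": payload.get("requestMetadata", {}).get("callerIp"),
            "severity": "review" if principal in authorized else "alert",
        })
    return findings


if __name__ == "__main__":
    for f in detect_lb_changes(SAMPLE_LOG_LINES, {"lb-admin@example.com"}):
        print(f"[{f['severity']}] {f['timestamp']} {f['principal']} {f['method']} {f['resource']}")
```

Run against the constructed sample, the unrelated `instances.insert` event and the malformed line are ignored, the administrator's forwarding rule creation is reported for review, and the backend service patch by a non-authorized principal is escalated to an alert, which mirrors the least-privilege recommendation below: only administrators or authorized personnel should be changing these resources, so anyone else doing so is the case worth notifying on.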

If a backend service or a forwarding rule is created or modified by an inexperienced user, the resulting misconfiguration can allow attackers to identify possible vulnerabilities and attempt to exploit them to their own advantage. To adhere to Google Cloud security best practices and implement the Principle of Least Privilege (i.e. the practice of giving every user, process and system the minimal amount of access required to successfully perform its tasks), Trend Cloud One™ – Conformity strongly recommends that you avoid, as far as possible, granting your GCP users (other than administrators or authorized personnel) permission to change the load balancer configuration within your GCP account.
The communication channels for sending RTMA notifications can be quickly configured in your Conformity account. The supported communication channels for receiving notification alerts about Load Balancing configuration changes are SMS, Email, Slack, PagerDuty, ServiceNow, and Zendesk.

This rule resolution is part of the Conformity solution.

Security

Monitoring configuration changes to your Google Cloud Load Balancing resources is crucial for keeping your load-balanced workloads secure. With Trend Cloud One™ – Conformity RTMA configuration monitoring, you gain full visibility over the changes performed at the Load Balancing service level. This can help prevent accidental or intentional modifications that may lead to unauthorized access or other related security breaches. Beyond prevention, you can keep your Load Balancing resources secure by acting on any unusual activity as soon as it is detected and by receiving real-time notifications. This is extremely useful when, for example, an unauthorized user modifies a forwarding rule to allow unrestricted inbound access to a web server behind the load balancer, which increases the opportunities for malicious activity such as hacking and injection attacks.

Publication date Dec 14, 2022