🛡️ Google GCE External Forwarding Rule is configured to use a Target HTTP Proxy🟢

Contextual name: 🛡️ External Forwarding Rule is configured to use a Target HTTP Proxy🟢
ID: /ce/ca/google/load-balancing/external-forwarding-rule-http-proxy
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: SECURITY

Logic

🧠 prod.logic.yaml🟢
- 📗 Google GCE Forwarding Rule
- 🔌 Google GCE Forwarding Rule - object.extracts.yaml
- 🧪 test-data.json

Description

Description

This policy identifies Google GCE External Forwarding Rules that are configured to use a Target HTTP Proxy instead of a Target HTTPS Proxy.

Rationale

Using a Target HTTP Proxy transmits data in cleartext, which exposes sensitive information to potential eavesdropping or man-in-the-middle attacks. Enforcing the use of a Target HTTPS Proxy ensures that all traffic to the load balancer is encrypted via HTTPS, thereby maintaining data confidentiality and integrity.

Audit

This policy flags an external Google GCE Forwarding Rule as INCOMPLIANT if the Target HTTP Proxy Unique ID field is not empty.

A Forwarding Rule is marked as INAPPLICABLE if its Load Balancing Scheme is not EXTERNAL or EXTERNAL_MANAGED.

Remediation

Open File

Remediation

Replace the Target HTTP Proxy with a Target HTTPS Proxy

This process involves creating an SSL certificate, configuring a new HTTPS proxy, and updating the forwarding rule to use the secure proxy.

From gcloud CLI
Create an SSL Certificate (if one does not already exist)
gcloud compute ssl-certificates create {{certificate-name}} \
    --private-key {{path-to-private-key}} \
    --certificate {{path-to-certificate}} \
Create a new Target HTTPS Proxy
gcloud compute target-https-proxies create {{new-https-proxies-name}} \
    --ssl-certificates {{ssl-certificate}} \
    --url-map {{url-map-name}} \
Update the Forwarding Rule to use the new Target HTTPS Proxy
gcloud compute forwarding-rules set-target {{rule-name}} \
    --target-https-proxy {{new-https-proxy-name}}
Delete the old Target HTTP Proxy
gcloud compute target-http-proxies delete {{old-http-proxy-name}}

policy.yaml

Open File

Linked Framework Sections

Section	Internal Rules	Policies	Compliance
💼 Cloudaware Framework → 💼 Data Encryption		44	no data
💼 PCI DSS v3.2.1 → 💼 2.3 Encrypt all non-console administrative access using strong cryptography.	3	9	no data
💼 PCI DSS v4.0.1 → 💼 2.2.7 All non-console administrative access is encrypted using strong cryptography.		9	no data
💼 PCI DSS v4.0 → 💼 2.2.7 All non-console administrative access is encrypted using strong cryptography.	4	9	no data

Logic​

Description​

Description​

Rationale​

Audit​

Remediation​

Remediation​

Replace the Target HTTP Proxy with a Target HTTPS Proxy​

From gcloud CLI​

policy.yaml​

Linked Framework Sections​

Logic

Description

Description

Rationale

Audit

Remediation

Remediation

Replace the Target HTTP Proxy with a Target HTTPS Proxy

From gcloud CLI

policy.yaml

Linked Framework Sections