Profile Applicability:

Level 1

Description:

SSL policies control the Transport Layer Security (TLS) features allowed for clients connecting to load balancers. To enhance security, SSL policies should:

  1. Require at least TLS 1.2 with the Modern profile, or

  2. Use the Restricted profile, which enforces TLS 1.2 by default, or

  3. Use a Custom profile that excludes the following weak cipher suites:

    • TLS_RSA_WITH_AES_128_GCM_SHA256

    • TLS_RSA_WITH_AES_256_GCM_SHA384

    • TLS_RSA_WITH_AES_128_CBC_SHA

    • TLS_RSA_WITH_AES_256_CBC_SHA

    • TLS_RSA_WITH_3DES_EDE_CBC_SHA

Rationale:

Load balancers ensure efficient traffic distribution across servers. If configured insecurely, they may permit outdated protocols or weak cipher suites, exposing applications to risks such as:

  • Man-in-the-middle attacks

  • Data interception

  • Traffic hijacking

Ensuring strong SSL policies mitigates these risks and strengthens the security posture of the application.

Impact:

Secure SSL policies may prevent connections from clients using outdated or insecure TLS versions and cipher suites.

Default Value:

By default, GCP load balancers use the least secure SSL policy, which has:

  • Min TLS Version: TLS 1.0

  • Profile: Compatible

Audit Steps:

From Google Cloud Console:

  1. Visit the Load Balancers page.

  2. For each SSL Proxy or HTTPS load balancer:

    • Click its name to open the Load Balancer Details page.

    • Verify that each Target Proxy in the Frontend table has an SSL policy configured.

  3. For each SSL policy:

    • Ensure the policy has one of the following configurations:

      • Profile: Modern, and Min TLS Version: TLS 1.2.

      • Profile: Restricted.

      • Profile: Custom, without the following cipher suites:

        • TLS_RSA_WITH_AES_128_GCM_SHA256

        • TLS_RSA_WITH_AES_256_GCM_SHA384

        • TLS_RSA_WITH_AES_128_CBC_SHA

        • TLS_RSA_WITH_AES_256_CBC_SHA

        • TLS_RSA_WITH_3DES_EDE_CBC_SHA

From Google Cloud CLI:

  1. List all target HTTPS and SSL proxies:

gcloud compute target-https-proxies list
gcloud compute target-ssl-proxies list

  2. For each target proxy, describe its configuration:

gcloud compute target-https-proxies describe TARGET_HTTPS_PROXY_NAME
gcloud compute target-ssl-proxies describe TARGET_SSL_PROXY_NAME

  3. Verify that the sslPolicy field is configured:

    • If absent, the GCP default (insecure) SSL policy is being used.

  4. Describe the SSL policy:

gcloud compute ssl-policies describe SSL_POLICY_NAME

  5. Ensure the policy meets one of these conditions:

    • Profile: Modern, and Min TLS Version: TLS 1.2.

    • Profile: Restricted.

    • Profile: Custom, excluding the weak cipher suites listed above.
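As an added example (not part of the benchmark), the following Python script applies the audit conditions above to the JSON form of the gcloud output (`gcloud compute target-https-proxies list --format=json` and `gcloud compute ssl-policies list --format=json`), flagging proxies with no sslPolicy as well as non-compliant policies. The sslPolicy field is the one named in the steps above; the profile, minTlsVersion and customFeatures field names are assumed from the gcloud JSON output, and the proxy and policy records are constructed sample data, not real project output.

```python
import json

# The five RSA key-exchange suites the benchmark says a CUSTOM profile must exclude.
WEAK_CIPHERS = {"TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_GCM_SHA384",
                "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
                "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}
TLS_RANK = {"TLS_1_0": 0, "TLS_1_1": 1, "TLS_1_2": 2, "TLS_1_3": 3}

def policy_findings(policy):
    """Return findings for one SSL policy dict; an empty list means compliant."""
    profile = policy.get("profile", "COMPATIBLE")     # GCP default profile if unset
    min_tls = policy.get("minTlsVersion", "TLS_1_0")  # GCP default minimum if unset
    if profile == "RESTRICTED":                        # RESTRICTED enforces TLS 1.2 itself
        return []
    if profile == "MODERN":
        if TLS_RANK.get(min_tls, 0) < TLS_RANK["TLS_1_2"]:
            return [f"MODERN profile permits minTlsVersion {min_tls} (below TLS_1_2)"]
        return []
    if profile == "CUSTOM":                            # benchmark only requires excluding weak suites
        weak = sorted(WEAK_CIPHERS & set(policy.get("customFeatures", [])))
        return [f"CUSTOM profile enables weak suites: {', '.join(weak)}"] if weak else []
    return [f"profile {profile} is neither MODERN, RESTRICTED nor CUSTOM"]

def audit_proxies(proxies, policies_by_name):
    """Map each target proxy name to its findings; a proxy with no sslPolicy is flagged."""
    report = {}
    for proxy in proxies:
        url = proxy.get("sslPolicy")                   # absent => GCP default policy applies
        if not url:
            report[proxy["name"]] = ["no sslPolicy set: GCP default applies (COMPATIBLE, TLS 1.0)"]
            continue
        policy = policies_by_name.get(url.rsplit("/", 1)[-1])  # last URL segment is the policy name
        report[proxy["name"]] = policy_findings(policy) if policy else [f"sslPolicy {url} not found"]
    return report

# Constructed sample records in the shape of `gcloud ... list --format=json` (assumed field names).
SAMPLE_PROXIES = json.loads("""[
  {"name": "web-https-proxy", "sslPolicy": "https://www.googleapis.com/compute/v1/projects/example-proj/global/sslPolicies/modern-tls12"},
  {"name": "legacy-https-proxy"},
  {"name": "api-ssl-proxy", "sslPolicy": "https://www.googleapis.com/compute/v1/projects/example-proj/global/sslPolicies/custom-weak"}
]""")
SAMPLE_POLICIES = json.loads("""[
  {"name": "modern-tls12", "profile": "MODERN", "minTlsVersion": "TLS_1_2"},
  {"name": "custom-weak", "profile": "CUSTOM", "minTlsVersion": "TLS_1_2",
   "customFeatures": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA"]}
]""")

def audit_sample():
    """Run the audit over the constructed samples: {proxy name: [findings]}."""
    return audit_proxies(SAMPLE_PROXIES, {p["name"]: p for p in SAMPLE_POLICIES})
```

To audit a real project, load the two `--format=json` outputs in place of the constructed samples and call `audit_proxies`; an empty findings list means the proxy's policy meets one of the three conditions.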

Remediation Steps:

From Google Cloud Console:

  1. Navigate to the SSL Policies page.

  2. For each insecure policy:

    • Click its name to view details.

    • Click Edit.

    • Set the following:

      • Minimum TLS Version: TLS 1.2.

      • Profile: Modern or Restricted.

      • If using Custom, ensure the weak cipher suites are disabled.

  3. Save the changes.

From Google Cloud CLI:

Update an insecure SSL policy. Choose MODERN, RESTRICTED or CUSTOM as the profile (COMPATIBLE is the insecure default); --custom-features lists the cipher suites to enable and is only accepted together with --profile=CUSTOM:

gcloud compute ssl-policies update NAME \
  --profile=[COMPATIBLE|MODERN|RESTRICTED|CUSTOM] \
  --min-tls-version=TLS_1_2 \
  --custom-features=FEATURES

Attach the updated SSL policy to the target proxy:

gcloud compute target-ssl-proxies update TARGET_SSL_PROXY_NAME --ssl-policy SSL_POLICY_NAME
gcloud compute target-https-proxies update TARGET_HTTPS_PROXY_NAME --ssl-policy SSL_POLICY_NAME
References:

  1. Using SSL Policies

  2. NIST SP 800-52r2 Guidelines

CIS Controls:

Control | Description | IG 1 | IG 2 | IG 3
3.10 Encrypt Sensitive Data in Transit | Encrypt sensitive data during transit using secure protocols like TLS. | | |
14.4 Encrypt All Sensitive Information | Ensure all sensitive data is encrypted in transit. | | |