Profile Applicability:
Level 1
Description:
SSL policies control the Transport Layer Security (TLS) features allowed for clients connecting to load balancers. To enhance security, SSL policies should:
Require at least TLS 1.2 with the Modern profile, or
Use the Restricted profile, which enforces TLS 1.2 by default, or
Use a Custom profile that excludes the following weak cipher suites:
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
Rationale:
Load balancers ensure efficient traffic distribution across servers. If configured insecurely, they may permit outdated protocols or weak cipher suites, exposing applications to risks such as:
Man-in-the-middle attacks
Data interception
Traffic hijacking
Ensuring strong SSL policies mitigates these risks and strengthens the security posture of the application.
Impact:
Secure SSL policies may prevent connections from clients using outdated or insecure TLS versions and cipher suites.
Default Value:
By default, GCP load balancers use the least secure SSL policy, with Min TLS Version: TLS 1.0 and Profile: Compatible.
Audit Steps:
From Google Cloud Console:
Visit the Load Balancers page.
For each SSL Proxy or HTTPS load balancer:
Click its name to open the Load Balancer Details page.
Verify that each Target Proxy in the Frontend table has an SSL policy configured.
For each SSL policy:
Ensure the policy has one of the following configurations:
Profile: Modern, and Min TLS Version: TLS 1.2.
Profile: Restricted.
Profile: Custom, without the following cipher suites:
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
From Google Cloud CLI:
List all target HTTPS and SSL proxies:
gcloud compute target-https-proxies list
gcloud compute target-ssl-proxies list
For each target proxy, describe its configuration:
gcloud compute target-https-proxies describe TARGET_HTTPS_PROXY_NAME
gcloud compute target-ssl-proxies describe TARGET_SSL_PROXY_NAME
Verify that the sslPolicy field is configured:
If absent, the GCP default (insecure) SSL policy is being used.
Describe the SSL policy:
gcloud compute ssl-policies describe SSL_POLICY_NAME
Ensure the policy meets one of these conditions:
Profile: Modern, and Min TLS Version: TLS 1.2.
Profile: Restricted.
Profile: Custom, excluding the weak cipher suites listed above.
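The CLI audit above can be automated by feeding the JSON output of the describe commands (gcloud accepts --format=json) to a small checker. The following is an added example, not CIS or Google code; it assumes the SslPolicy fields profile, minTlsVersion and customFeatures and the target proxy field sslPolicy as they appear in the Compute API resource, and all sample data below is constructed.

```python
import json

# Cipher suites the control requires a CUSTOM profile to exclude.
WEAK_CIPHERS = {
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}
TLS_ORDER = ["TLS_1_0", "TLS_1_1", "TLS_1_2", "TLS_1_3"]

def policy_is_compliant(policy):
    """Apply the three accepted configurations to one SSL policy resource."""
    profile = policy.get("profile", "COMPATIBLE")
    min_tls = policy.get("minTlsVersion", "TLS_1_0")
    if profile == "RESTRICTED":
        return True  # enforces TLS 1.2 by itself
    if profile == "MODERN":
        return TLS_ORDER.index(min_tls) >= TLS_ORDER.index("TLS_1_2")
    if profile == "CUSTOM":
        return not (set(policy.get("customFeatures", [])) & WEAK_CIPHERS)
    return False  # COMPATIBLE never satisfies the control

def audit_proxies(proxies, policies):
    """Map each target proxy name to a finding string, or None if compliant."""
    by_name = {p["name"]: p for p in policies}
    findings = {}
    for proxy in proxies:
        ref = proxy.get("sslPolicy")  # a selfLink URL ending in the policy name
        if ref is None:
            findings[proxy["name"]] = "no sslPolicy set; GCP default (TLS 1.0, COMPATIBLE) applies"
            continue
        policy = by_name.get(ref.rsplit("/", 1)[-1])
        if policy is None:
            findings[proxy["name"]] = f"sslPolicy {ref} not present in describe output"
        elif not policy_is_compliant(policy):
            findings[proxy["name"]] = f"policy {policy['name']} is non-compliant"
        else:
            findings[proxy["name"]] = None
    return findings

# Constructed sample of describe output (hypothetical project "example-project").
PREFIX = "https://www.googleapis.com/compute/v1/projects/example-project/global/sslPolicies/"
SAMPLE_POLICIES = json.loads("""[
 {"name": "strict", "profile": "MODERN", "minTlsVersion": "TLS_1_2"},
 {"name": "legacy", "profile": "CUSTOM", "minTlsVersion": "TLS_1_2",
  "customFeatures": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]}
]""")
SAMPLE_PROXIES = [{"name": "web-https", "sslPolicy": PREFIX + "strict"},
                  {"name": "api-https", "sslPolicy": PREFIX + "legacy"},
                  {"name": "old-ssl"}]

if __name__ == "__main__":
    for name, finding in audit_proxies(SAMPLE_PROXIES, SAMPLE_POLICIES).items():
        print(name, "->", finding or "compliant")
```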
Remediation Steps:
From Google Cloud Console:
Navigate to the SSL Policies page.
For each insecure policy:
Click its name to view details.
Click Edit.
Set the following:
Minimum TLS Version: TLS 1.2.
Profile: Modern or Restricted.
If using Custom, ensure the weak cipher suites are disabled.
Save the changes.
From Google Cloud CLI:
Update an insecure SSL policy (choose MODERN or RESTRICTED to satisfy this control; --custom-features applies only to the CUSTOM profile):
gcloud compute ssl-policies update NAME \
    --profile=[COMPATIBLE|MODERN|RESTRICTED|CUSTOM] \
    --min-tls-version=TLS_1_2 \
    --custom-features=FEATURES
Attach the updated SSL policy to the target proxy:
gcloud compute target-ssl-proxies update TARGET_SSL_PROXY_NAME --ssl-policy SSL_POLICY_NAME
gcloud compute target-https-proxies update TARGET_HTTPS_PROXY_NAME --ssl-policy SSL_POLICY_NAME