Load balancer is not configured for TLS/SSL Affecting Compute Engine service in Google


Severity: 0.0 critical (scale 0 to 10)
Severity Framework: Snyk CCSS
Rule category: Network / Certificates

  • Snyk ID: SNYK-CC-00805
  • Credit: Snyk Research Team

Description

Enforcing TLS/SSL on load balancers mitigates the risk of data interception and man-in-the-middle attacks by encrypting data in transit. Without TLS/SSL, sensitive information can be exposed to unauthorized entities, compromising data confidentiality and integrity.

How to fix?

Set the ssl_certificates and certificate_manager_certificates attributes for the resources google_compute_target_https_proxy and google_compute_region_target_https_proxy to a valid SSL certificate ID and Certificate Manager certificate ID, respectively. Each example configuration below sets one of the two attributes.

For google_compute_target_http_proxy and google_compute_region_target_http_proxy we recommend updating to google_compute_target_https_proxy or google_compute_region_target_https_proxy respectively.

Example Configuration

resource "google_compute_target_https_proxy" "allow1" {
  name             = "test-proxy1"
  url_map          = google_compute_url_map.url_map.id
  ssl_certificates = [google_compute_managed_ssl_certificate.managed_ssl.id]
}

resource "google_compute_target_https_proxy" "allow3" {
  name                             = "test-proxy3"
  url_map                          = google_compute_url_map.url_map3.id
  certificate_manager_certificates = ["//certificatemanager.googleapis.com/${google_certificate_manager_certificate.self_managed1.id}"]
}

resource "google_compute_region_target_https_proxy" "allow4" {
  region           = "us-central1"
  name             = "test-proxy4"
  url_map          = google_compute_region_url_map.url_map4.id
  ssl_certificates = [google_compute_region_ssl_certificate.self_managed2.id]
}

resource "google_compute_region_target_https_proxy" "allow5" {
  name                             = "test-proxy5"
  url_map                          = google_compute_region_url_map.url_map5.id
  certificate_manager_certificates = ["//certificatemanager.googleapis.com/${google_certificate_manager_certificate.self_managed3.id}"]
}
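
To catch this misconfiguration before apply, the following added example (not Snyk's rule implementation and not code from this page) scans the parsed JSON of a Terraform plan for the four proxy types named above. The function names, the sample plan and the resources "legacy" and "no_cert" are assumptions made for illustration; a certificate attribute whose value is only known after apply is treated as set.

```python
HTTP_TYPES = {"google_compute_target_http_proxy", "google_compute_region_target_http_proxy"}
HTTPS_TYPES = {"google_compute_target_https_proxy", "google_compute_region_target_https_proxy"}
CERT_ATTRS = ("ssl_certificates", "certificate_manager_certificates")


def has_unknown(value):
    """True if an after_unknown entry marks any element as known only after apply."""
    if isinstance(value, list):
        return any(has_unknown(v) for v in value)
    return value is True


def find_non_tls_proxies(plan):
    """Return (address, reason) pairs for planned proxies that lack TLS."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        after = change.get("after")
        if after is None:  # resource is being destroyed
            continue
        unknown = change.get("after_unknown") or {}
        if rc["type"] in HTTP_TYPES:
            findings.append((rc["address"], "HTTP proxy, no TLS"))
        elif rc["type"] in HTTPS_TYPES and not any(
                after.get(a) or has_unknown(unknown.get(a)) for a in CERT_ATTRS):
            findings.append((rc["address"], "HTTPS proxy without a certificate"))
    return findings


# Constructed plan fragment; "legacy" and "no_cert" are hypothetical resources.
SAMPLE_PLAN = {"resource_changes": [
    {"address": "google_compute_target_http_proxy.legacy",
     "type": "google_compute_target_http_proxy",
     "change": {"after": {"name": "old-proxy"}, "after_unknown": {}}},
    {"address": "google_compute_target_https_proxy.no_cert",
     "type": "google_compute_target_https_proxy",
     "change": {"after": {"ssl_certificates": None}, "after_unknown": {}}},
    # Certificate is created in the same plan, so its ID is unknown until apply.
    {"address": "google_compute_target_https_proxy.allow1",
     "type": "google_compute_target_https_proxy",
     "change": {"after": {}, "after_unknown": {"ssl_certificates": True}}},
    {"address": "google_compute_region_target_https_proxy.allow5",
     "type": "google_compute_region_target_https_proxy",
     "change": {"after": {"certificate_manager_certificates": ["constructed-id"]},
                "after_unknown": {}}},
]}

if __name__ == "__main__":
    for address, reason in find_non_tls_proxies(SAMPLE_PLAN):
        print(f"{address}: {reason}")
```

For a real plan, pass the output of terraform show -json for a saved plan file, parsed with json.load, to find_non_tls_proxies.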