Risk Level: Medium
Description
This module guarantees that your load balancing backend administrations are designed to log HTTP(S) traffic. HTTP(S) load adjusting log passages contain data valuable for observing and investigating web traffic. Google Cloud trades this logging information to the Cloud Monitoring administration so that observing measurements can be made to assess a load balancer's design, use, and execution, investigate issues, and further develop asset use and client experience
About the Service
Google Cloud Load Balancing:
According to Google services, the Google Cloud offers server-side load balancing so you can distribute incoming traffic across multiple virtual machine (VM) instances. Detect and automatically remove unhealthy VM instances using health checks. Instances that become healthy again are automatically re-added. Google's global load balancer knows where the clients are located and directs packets to the closest web service, providing low latency to users while using a single virtual IP (VIP). Using a single VIP means we can increase the time to live (TTL) of our DNS records, which further reduces latency. To know more about GCP Cloud Load Balancing click here.
Impact
HTTP(S) load adjusting log passages contain data valuable for checking and investigating web traffic. Google Cloud sends out this logging information to Cloud Monitoring administration so that checking measurements can be made to assess a heap balancer's arrangement, use, and execution, investigate issues, and further develop asset use and client experience. Thus, ensuring that your Google Cloud Platform (GCP) load adjusting backend administrations are designed to log HTTP(S) traffic.
Steps to Reproduce
Using GCP Console-
In order to ensure or determine, if your Google Cloud Platform (GCP) service Load Balancing backend services are logging HTTP(S) web traffic, follow the steps mentioned below:
- Firstly, use the administrator account for signing up to Google Cloud Platform Console.
- Now, from the top navigation bar, select the GCP Project you want to investigate in.
- From the Navigation Menu on the left, you may find the Networking section.
- Click on the Network Services subsection under Networking.
- Under the Network Services navigation panel, you may find Load Balancing as shown in the figure below.
- Click on the Load Balancing navigation link and a Cloud Load Balancing Page will appear on the screen. Click to open directly from here.
- On the Load Balancing Page, click on the Load Balancers nav link, present at the top of the navigation bar. This is to access the list of all the load balancers present within the Google Cloud Load Balancers in your GCP Project.
- The list of all the load balancers will be displayed. Choose the name of Load Balancer you want to examine for.
- A new page with all the details of that load balancer will be opened up.
- Now, Click on the Details tab and check for the Logging Configuration attribute value set for the backend service under the Backend Section.
- Click on Advanced Configurations present at the bottom of the Backend Services option.
- Check for the Logging Configuration attribute value set for the backend service under the Backend Section.
- In case, the value of the Logging attribute is set to Disabled, then the HTTP(S) logging is not enabled for that particular load balancer in your current GCP project.
- You may repeat steps 8-11 for other load balancers in your GCP Project.
- You may repeat the above-mentioned steps to check for the other GCP projects/folders in your organization.
Steps for Remediation
Using GCP Console-
In order to enable logging HTTP(S) web traffic in your Google Cloud Platform (GCP) service Load Balancing backend services, follow the steps mentioned below::
- Firstly, use the administrator account for signing up to Google Cloud Platform Console.
- Now, from the top navigation bar, select the GCP Project you want to investigate in.
- From the Navigation Menu on the left, you may find the Networking section.
- Click on the Network Services subsection under Networking.
- Under the Network Services navigation panel, you may find Load Balancing as shown in the figure below.
- Click on the Load Balancing navigation link and a Cloud Load Balancing Page will appear on the screen. Click to open directly from here.
- On the Load Balancing Page, click on the Load Balancers nav link, present at the top of the navigation bar. This is to access the list of all the load balancers present within the Google Cloud Load Balancers in your GCP Project.
- The list of all the load balancers will be displayed. Choose the name of Load Balancer you want to examine for.
- A new page with all the details of that load balancer will be opened up.
- Click on the Edit button available on the top navigation bar. On the Edit HTTPS load balancer page, select the Backend Configuration Tab present at the left panel.
- Under the Backend Configuration, click on the little Pencil icon available next to the name of Backend Service. This will open up the Edit page.
- Under the Edit Backend Service configuration panel, under Logging, click on Enable Logging checkbox.
- Now, set the Sample rate fraction box to a value in the range 0.1 and 1.0. Click on the Update button to save your changes.
- Now, go back to the Edit page and click on the Update button to reconfigure the settings.
- You may repeat steps 8-14 for other load balancers in your GCP Project.
- You may repeat the above-mentioned steps to check for the other GCP projects/folders in your organization.