Restrict Load Balancer Creation Based on Load Balancer Types

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)

Ensure that only compliant load balancer types can be used to create Google Cloud load balancers for the GCP projects and folders within your organization. The list of allowed load balancer types can only include values from the following list: INTERNAL_TCP_UDP, INTERNAL_HTTP_HTTPS, EXTERNAL_NETWORK_TCP_UDP, EXTERNAL_TCP_PROXY, EXTERNAL_SSL_PROXY, EXTERNAL_HTTP_HTTPS. To include all internal or all external load balancer types, use the in: prefix followed by INTERNAL or EXTERNAL. Every load balancer type to be allowed must be defined explicitly in the conformity rule settings, on the Trend Micro Cloud One™ – Conformity account console.

Security

By default, creation of all types of Google Cloud load balancers is allowed. However, strict internal compliance requirements may prohibit the creation of load balancers of certain types. By enforcing the "Restrict Load Balancer Creation Based on Load Balancer Types" constraint policy, you can easily control which types of load balancers can be deployed within your GCP organization.


Audit

To determine if the creation of load balancers at the GCP organization level is restricted based on the load balancer types, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console with the organizational unit credentials.

02 Click on the deployment selector from the top navigation bar, select ALL to list all the existing deployments, then choose the Google Cloud organization that you want to examine.

03 Navigate to Cloud Identity and Access Management (IAM) dashboard at https://console.cloud.google.com/iam-admin/iam.

04 In the navigation panel, select Organization Policies to access the complete list of the cloud organization policies available for your GCP organization.

05 Click inside the Filter by policy name or ID filter box, select Name and Restrict Load Balancer Creation Based on Load Balancer Types to return the "Restrict Load Balancer Creation Based on Load Balancer Types" policy.

06 Click on the name of the GCP organization policy returned at the previous step.

07 On the Policy details page, under Effective policy, check the Allowed configuration attribute value. If the Allowed attribute value is set to All, the "Restrict Load Balancer Creation Based on Load Balancer Types" policy constraints are not enforced within your GCP organization, therefore the creation of all types of load balancers is allowed.

08 Repeat steps no. 2 – 7 for each organization available in your Google Cloud account.

Using GCP CLI

01 Run organizations list command (Windows/macOS/Linux) using custom query filters to list the ID of each organization available within your Google Cloud account:

gcloud organizations list \
    --format="table(name)"

02 The command output should return the requested organization identifiers (IDs):

ID
112233441122
123412341234

03 Run resource-manager org-policies describe command (Windows/macOS/Linux) using the ID of the GCP organization that you want to examine as identifier parameter, to describe the enforcement configuration of the "Restrict Load Balancer Creation Based on Load Balancer Types" policy (i.e. "compute.restrictLoadBalancerCreationForTypes" constraint), available for the selected organization:

gcloud alpha resource-manager org-policies describe \
    "compute.restrictLoadBalancerCreationForTypes" \
    --effective \
    --organization=112233441122 \
    --format="value(listPolicy.allValues)"

04 The command output should return the requested configuration information:

ALLOW

If the resource-manager org-policies describe command output returns ALLOW, the "Restrict Load Balancer Creation Based on Load Balancer Types" policy constraints are not enforced within your GCP organization, therefore the creation of all types of load balancers is allowed.

05 Repeat step no. 3 and 4 for each organization created within your Google Cloud account.

Remediation / Resolution

To enforce the creation of Google Cloud load balancers of certain (compliant) types only, enable and configure the "Restrict Load Balancer Creation Based on Load Balancer Types" organization policy by performing the following operations:

Using GCP Console

01 Sign in to your Trend Micro Cloud One™ – Conformity account, access Restrict Load Balancer Creation Based on Load Balancer Types conformity rule settings and note the list of allowed load balancer types.

02 Sign in to Google Cloud Management Console with the organizational unit credentials.

03 Click on the deployment selector from the top navigation bar, select ALL to list all the existing deployments, then choose the Google Cloud organization that you want to reconfigure.

04 Navigate to Cloud Identity and Access Management (IAM) dashboard at https://console.cloud.google.com/iam-admin/iam.

05 In the navigation panel, select Organization Policies to access the list with the cloud organization policies available for your organization.

06 Click inside the Filter by policy name or ID filter box, select Name and Restrict Load Balancer Creation Based on Load Balancer Types to return only the "Restrict Load Balancer Creation Based on Load Balancer Types" policy.

07 Click on the name of the GCP organization policy returned at the previous step.

08 On the Policy details page, click on the EDIT button from the dashboard top menu to edit the selected policy.

09 On the Edit policy configuration page, perform the following actions:

  1. Under Applies to, select Customize to choose the type of the policy to apply (i.e. customized policy).
  2. To override the inherited policies completely, select Replace under Policy enforcement.
  3. To use explicit values, select Custom from the Policy values dropdown list.
  4. For Policy type, select Allow to specify that the listed values will be the only allowed values, and all other values will be denied.
  5. In the Custom values section, use the configuration controls to specify the load balancer type(s) allowed to be used within your GCP organization, identified at step no. 1. The list of allowed load balancer types can include only the following values: INTERNAL_TCP_UDP, INTERNAL_HTTP_HTTPS, EXTERNAL_NETWORK_TCP_UDP, EXTERNAL_TCP_PROXY, EXTERNAL_SSL_PROXY, EXTERNAL_HTTP_HTTPS. To include all internal or all external load balancer types, use the in: prefix followed by INTERNAL or EXTERNAL string. For example, using in:INTERNAL will allow all load balancer types from the above list that include INTERNAL.
  6. (Optional) To set a recommendation for other users, click SET RECOMMENDATION, enter a string value into the Recommended value text box, and click SET to apply the recommendation. This string value will be displayed in the Google Cloud console to provide guidance to users about this organization policy. This is just a communication tool, and does not affect the policy configuration.
  7. Click SAVE to apply the changes and enforce the "Restrict Load Balancer Creation Based on Load Balancer Types" organization policy.

10 If required, repeat steps no. 3 – 9 to enable the constraint policy for other organizations available in your Google Cloud account.

Using GCP CLI

01 Sign in to your Trend Micro Cloud One™ – Conformity account, access Restrict Load Balancer Creation Based on Load Balancer Types conformity rule settings and note the list of allowed load balancer types.

02 Define the "Restrict Load Balancer Creation Based on Load Balancer Types" policy constraints and save the YAML policy document to a file named cc-allowed-load-balancer-types.yaml. Use the list of allowed load balancer types identified at step no. 1 to configure the allowed_values list. To include all internal or all external load balancer types, use the in: prefix followed by INTERNAL or EXTERNAL string. For example, using in:INTERNAL will allow all load balancer types from the above list that include INTERNAL. The following policy example allows the creation of Google Cloud load balancers of INTERNAL_HTTP_HTTPS type only:

constraint: constraints/compute.restrictLoadBalancerCreationForTypes
listPolicy:
  allowed_values:
    - INTERNAL_HTTP_HTTPS

03 Run resource-manager org-policies set-policy command (Windows/macOS/Linux) using the ID of the Google Cloud Platform (GCP) organization that you want to reconfigure as identifier parameter, to enforce the "Restrict Load Balancer Creation Based on Load Balancer Types" policy (i.e. "compute.restrictLoadBalancerCreationForTypes" constraint), using the policy document defined at the previous step, for the selected organization:

gcloud beta resource-manager org-policies set-policy cc-allowed-load-balancer-types.yaml \
    --organization=112233441122

04 The command output should return the enforced organization policy metadata:

constraint: constraints/compute.restrictLoadBalancerCreationForTypes
etag: abcdabcdabcd
listPolicy:
  allowedValues:
  - INTERNAL_HTTP_HTTPS
updateTime: '2020-09-14T10:00:00.000Z'

05 If required, repeat step no. 3 and 4 to enforce the required policy for other organizations created within your Google Cloud account.
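The following script is an added example, not Conformity's tooling and not Google's. It wraps the "Using GCP CLI" steps of both the Audit section (org-policies describe --effective, repeated per organization) and the Remediation section (building the policy file and running org-policies set-policy) for the compute.restrictLoadBalancerCreationForTypes constraint, and it encodes the in:INTERNAL / in:EXTERNAL prefix semantics described above so an effective policy can be compared against the list noted from the conformity rule settings. Assumptions: the describe output has the YAML shape shown in this page's step 04 output (listPolicy.allValues or listPolicy.allowedValues); organization IDs come from gcloud organizations list with any leading "organizations/" stripped; the generated file uses the allowedValues key that set-policy prints back (the page's own file spells it allowed_values). Only classify_policy, expand_lb_types and build_policy_yaml run offline; the two driver functions need gcloud credentials.

```shell
#!/bin/sh
# Added example (not part of the Conformity page). Scripts the CLI audit and
# remediation steps for compute.restrictLoadBalancerCreationForTypes.
CONSTRAINT="constraints/compute.restrictLoadBalancerCreationForTypes"
POLICY_FILE="cc-allowed-load-balancer-types.yaml"

# The only values the constraint accepts (per the page), plus the two prefix
# forms that select every internal or every external type.
VALID_LB_TYPES="INTERNAL_TCP_UDP INTERNAL_HTTP_HTTPS EXTERNAL_NETWORK_TCP_UDP \
EXTERNAL_TCP_PROXY EXTERNAL_SSL_PROXY EXTERNAL_HTTP_HTTPS in:INTERNAL in:EXTERNAL"

# is_valid_lb_type TYPE: succeed only if TYPE is one of VALID_LB_TYPES.
is_valid_lb_type() {
  case " $VALID_LB_TYPES " in
    *" $1 "*) return 0 ;;
    *) return 1 ;;
  esac
}

# expand_lb_types "TYPE ...": replace in:INTERNAL / in:EXTERNAL with the
# concrete types carrying that prefix, so lists are compared by coverage.
expand_lb_types() {
  for t in $1; do
    case "$t" in
      in:INTERNAL|in:EXTERNAL)
        for c in $VALID_LB_TYPES; do
          case "$c" in "${t#in:}"_*) printf '%s ' "$c" ;; esac
        done ;;
      *) printf '%s ' "$t" ;;
    esac
  done
}

# classify_policy "EXPECTED_TYPES": read the effective policy YAML on stdin and
# print NOT_ENFORCED (Allowed = All), NO_ALLOW_LIST (no allowedValues key, e.g.
# a deny-only policy), UNEXPECTED_VALUE <type> (a type outside the expected
# list from the conformity rule settings), or ENFORCED.
classify_policy() {
  expected=$(expand_lb_types "$1")
  policy=$(cat)
  if printf '%s\n' "$policy" | grep -q 'allValues: *ALLOW'; then
    echo NOT_ENFORCED; return 0
  fi
  # Keep only the "- VALUE" items that directly follow the allowedValues: key.
  allowed=$(printf '%s\n' "$policy" | awk '
    /allowedValues:/ { f = 1; next }
    /^ *- /          { if (f) { sub(/^ *- */, ""); print; next } }
                     { f = 0 }')
  if [ -z "$allowed" ]; then
    echo NO_ALLOW_LIST; return 1
  fi
  for v in $(expand_lb_types "$allowed"); do
    case " $expected " in
      *" $v "*) ;;
      *) echo "UNEXPECTED_VALUE $v"; return 1 ;;
    esac
  done
  echo ENFORCED
}

# build_policy_yaml "TYPE ...": validate every type, then print the policy
# document that set-policy consumes (rejects anything outside VALID_LB_TYPES).
build_policy_yaml() {
  for t in $1; do
    is_valid_lb_type "$t" || { echo "invalid load balancer type: $t" >&2; return 1; }
  done
  printf 'constraint: %s\nlistPolicy:\n  allowedValues:\n' "$CONSTRAINT"
  for t in $1; do printf '  - %s\n' "$t"; done
}

# audit_all_orgs "EXPECTED_TYPES": audit steps 03-04 for every organization.
audit_all_orgs() {
  gcloud organizations list --format="value(name)" | sed 's#^organizations/##' |
  while read -r org; do
    verdict=$(gcloud alpha resource-manager org-policies describe \
      "compute.restrictLoadBalancerCreationForTypes" --effective \
      --organization="$org" | classify_policy "$1") || true
    echo "$org: $verdict"
  done
}

# remediate_org ORG_ID "TYPE ...": remediation steps 02-03 for one organization.
remediate_org() {
  build_policy_yaml "$2" > "$POLICY_FILE" || return 1
  gcloud beta resource-manager org-policies set-policy "$POLICY_FILE" \
    --organization="$1"
}

# Constructed sample of describe --effective output for an organization where
# the constraint is not enforced (same shape as the page's step 04 output).
SAMPLE_NOT_ENFORCED='constraint: constraints/compute.restrictLoadBalancerCreationForTypes
listPolicy:
  allValues: ALLOW'

case "${1:-}" in
  audit)     audit_all_orgs "$2" ;;
  remediate) remediate_org "$2" "$3" ;;
  *) printf '%s\n' "$SAMPLE_NOT_ENFORCED" | classify_policy "INTERNAL_HTTP_HTTPS" ;;
esac
```

Run it with no arguments to classify the embedded sample (prints NOT_ENFORCED), with `audit "INTERNAL_HTTP_HTTPS"` to report a verdict per organization, or with `remediate 112233441122 "INTERNAL_HTTP_HTTPS"` to write and enforce the policy file. Comparing by expanded coverage means a policy that allows in:INTERNAL is accepted when the rule settings list both INTERNAL_* types, but flagged when they list only one of them.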

Publication date May 10, 2021
