Table: gcp_compute_ssl_policy - Query GCP Compute SSL Policies using SQL
A GCP Compute SSL Policy is a resource in Google Cloud Platform's Compute Engine that allows for the flexible configuration of SSL features. SSL Policies are used to control the features of SSL connections that proxy or load balancers negotiate, with the SSL policy being associated with a TargetHttpsProxy or TargetSslProxy resource. They are primarily used to control the minimum version of SSL/TLS protocol, as well as the SSL features that the proxy or load balancer negotiates.
Table Usage Guide
The gcp_compute_ssl_policy table provides comprehensive insights into SSL Policies within Google Cloud Platform's Compute Engine. As a security analyst, you can explore policy-specific details through this table, including minimum SSL version, profile, and custom features. Use this table to uncover information about SSL policies, such as their configurations, associated resources, and any potential security vulnerabilities due to outdated SSL versions or weak ciphers.
Examples
Basic info
Explore the basic information of your SSL policies in Google Cloud Platform to understand their configurations and ensure they are using the most secure version of TLS. This can help in maintaining the security standards and compliance of your infrastructure.
select name, id, self_link, min_tls_versionfrom gcp_compute_ssl_policy;select name, id, self_link, min_tls_versionfrom gcp_compute_ssl_policy;List SSL policies with minimum TLS version 1.2 and the MODERN profile
Determine the areas in which SSL policies are utilizing minimum TLS version 1.2 and the modern profile. This is useful to ensure that your network security is up to date and adheres to modern standards.
select name, id, min_tls_versionfrom gcp_compute_ssl_policywhere min_tls_version = 'TLS_1_2' and profile = 'MODERN';select name, id, min_tls_versionfrom gcp_compute_ssl_policywhere min_tls_version = 'TLS_1_2' and profile = 'MODERN';List SSL policies with the RESTRICTED profile
Determine the areas in which SSL policies adhere to a 'RESTRICTED' profile. This can be useful for maintaining security standards and ensuring compliance within your Google Cloud Platform environment.
select name, id, profilefrom gcp_compute_ssl_policywhere profile = 'RESTRICTED';select name, id, profilefrom gcp_compute_ssl_policywhere profile = 'RESTRICTED';List SSL policies with weak cipher suites
Discover the segments that have weak SSL policies enabled. This is particularly useful for identifying potential security vulnerabilities within your system.
select name, id, enabled_featurefrom gcp_compute_ssl_policy, jsonb_array_elements_text(enabled_features) as enabled_featurewhere profile = 'CUSTOM' and enabled_feature in( 'TLS_RSA_WITH_AES_128_GCM_SHA256', 'TLS_RSA_WITH_AES_256_GCM_SHA384', 'TLS_RSA_WITH_AES_128_CBC_SHA', 'TLS_RSA_WITH_AES_256_CBC_SHA', 'TLS_RSA_WITH_3DES_EDE_CBC_SHA' );select p.name, p.id, enabled_featurefrom gcp_compute_ssl_policy as p, json_each(enabled_features) as enabled_featurewhere profile = 'CUSTOM' and enabled_feature.value in( 'TLS_RSA_WITH_AES_128_GCM_SHA256', 'TLS_RSA_WITH_AES_256_GCM_SHA384', 'TLS_RSA_WITH_AES_128_CBC_SHA', 'TLS_RSA_WITH_AES_256_CBC_SHA', 'TLS_RSA_WITH_3DES_EDE_CBC_SHA' );Control examples
- 3.9 Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites
- 3.9 Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites
- 3.9 Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites
- Ensure HTTPS target use latest TLS version
- Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites
Schema for gcp_compute_ssl_policy
| Name | Type | Operators | Description |
|---|---|---|---|
| _ctx | jsonb | Steampipe context in JSON form, e.g. connection_name. | |
| akas | jsonb | Array of globally unique identifier strings (also known as) for the resource. | |
| creation_timestamp | timestamp with time zone | The creation timestamp of the resource. | |
| custom_features | jsonb | A list of features enabled when the selected profile is CUSTOM. | |
| description | text | A user-specified, human-readable description of the SSL policy. | |
| enabled_features | jsonb | A list of features enabled in the SSL policy. | |
| fingerprint | text | A hash of the contents stored in this object. An up-to-date fingerprint must be provided in order to update the SslPolicy. | |
| id | bigint | The unique identifier for the resource. | |
| kind | text | The type of the resource. Always compute#sslPolicy for SSL policies. | |
| location | text | The GCP multi-region, region, or zone in which the resource is located. | |
| min_tls_version | text | !=, = | The minimum version of SSL protocol that can be used by the clients to establish a connection with the load balancer. Valid values are TLS_1_0, TLS_1_1 and TLS_1_2. |
| name | text | = | A friendly name that identifies the resource. |
| profile | text | !=, = | Profile specifies the set of SSL features that can be used by the load balancer when negotiating SSL with clients. |
| project | text | The GCP Project in which the resource is located. | |
| self_link | text | The server-defined URL for the resource. | |
| title | text | Title of the resource. | |
| warnings | jsonb | A list of warning messages, if any potential misconfigurations are detected for this SSL policy. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- gcpYou can pass the configuration to the command with the --config argument:
steampipe_export_gcp --config '<your_config>' gcp_compute_ssl_policy