steampipe plugin install gcp

Table: gcp_compute_ssl_policy - Query GCP Compute SSL Policies using SQL

A GCP Compute SSL Policy is a resource in Google Cloud Platform's Compute Engine that allows for the flexible configuration of SSL features. SSL Policies are used to control the features of SSL connections that proxy or load balancers negotiate, with the SSL policy being associated with a TargetHttpsProxy or TargetSslProxy resource. They are primarily used to control the minimum version of SSL/TLS protocol, as well as the SSL features that the proxy or load balancer negotiates.

Table Usage Guide

The gcp_compute_ssl_policy table provides comprehensive insights into SSL Policies within Google Cloud Platform's Compute Engine. As a security analyst, you can explore policy-specific details through this table, including minimum SSL version, profile, and custom features. Use this table to uncover information about SSL policies, such as their configurations, associated resources, and any potential security vulnerabilities due to outdated SSL versions or weak ciphers.

Examples

Basic info

Explore the basic information of your SSL policies in Google Cloud Platform to understand their configurations and ensure they are using the most secure version of TLS. This can help in maintaining the security standards and compliance of your infrastructure.

select
name,
id,
self_link,
min_tls_version
from
gcp_compute_ssl_policy;
select
name,
id,
self_link,
min_tls_version
from
gcp_compute_ssl_policy;

List SSL policies with minimum TLS version 1.2 and the MODERN profile

Determine the areas in which SSL policies are utilizing minimum TLS version 1.2 and the modern profile. This is useful to ensure that your network security is up to date and adheres to modern standards.

select
name,
id,
min_tls_version
from
gcp_compute_ssl_policy
where
min_tls_version = 'TLS_1_2'
and profile = 'MODERN';
select
name,
id,
min_tls_version
from
gcp_compute_ssl_policy
where
min_tls_version = 'TLS_1_2'
and profile = 'MODERN';

List SSL policies with the RESTRICTED profile

Determine the areas in which SSL policies adhere to a 'RESTRICTED' profile. This can be useful for maintaining security standards and ensuring compliance within your Google Cloud Platform environment.

select
name,
id,
profile
from
gcp_compute_ssl_policy
where
profile = 'RESTRICTED';
select
name,
id,
profile
from
gcp_compute_ssl_policy
where
profile = 'RESTRICTED';

List SSL policies with weak cipher suites

Discover the segments that have weak SSL policies enabled. This is particularly useful for identifying potential security vulnerabilities within your system.

select
name,
id,
enabled_feature
from
gcp_compute_ssl_policy,
jsonb_array_elements_text(enabled_features) as enabled_feature
where
profile = 'CUSTOM'
and enabled_feature in(
'TLS_RSA_WITH_AES_128_GCM_SHA256',
'TLS_RSA_WITH_AES_256_GCM_SHA384',
'TLS_RSA_WITH_AES_128_CBC_SHA',
'TLS_RSA_WITH_AES_256_CBC_SHA',
'TLS_RSA_WITH_3DES_EDE_CBC_SHA'
);
select
p.name,
p.id,
enabled_feature
from
gcp_compute_ssl_policy as p,
json_each(enabled_features) as enabled_feature
where
profile = 'CUSTOM'
and enabled_feature.value in(
'TLS_RSA_WITH_AES_128_GCM_SHA256',
'TLS_RSA_WITH_AES_256_GCM_SHA384',
'TLS_RSA_WITH_AES_128_CBC_SHA',
'TLS_RSA_WITH_AES_256_CBC_SHA',
'TLS_RSA_WITH_3DES_EDE_CBC_SHA'
);

Schema for gcp_compute_ssl_policy

NameTypeOperatorsDescription
_ctxjsonbSteampipe context in JSON form.
akasjsonbArray of globally unique identifier strings (also known as) for the resource.
creation_timestamptimestamp with time zoneThe creation timestamp of the resource.
custom_featuresjsonbA list of features enabled when the selected profile is CUSTOM.
descriptiontextA user-specified, human-readable description of the SSL policy.
enabled_featuresjsonbA list of features enabled in the SSL policy.
fingerprinttextA hash of the contents stored in this object. An up-to-date fingerprint must be provided in order to update the SslPolicy.
idbigintThe unique identifier for the resource.
kindtextThe type of the resource. Always compute#sslPolicy for SSL policies.
locationtextThe GCP multi-region, region, or zone in which the resource is located.
min_tls_versiontext!=, =The minimum version of SSL protocol that can be used by the clients to establish a connection with the load balancer. Valid values are TLS_1_0, TLS_1_1 and TLS_1_2.
nametext=A friendly name that identifies the resource.
profiletext!=, =Profile specifies the set of SSL features that can be used by the load balancer when negotiating SSL with clients.
projecttext=, !=, ~~, ~~*, !~~, !~~*The GCP Project in which the resource is located.
self_linktextThe server-defined URL for the resource.
sp_connection_nametext=, !=, ~~, ~~*, !~~, !~~*Steampipe connection name.
sp_ctxjsonbSteampipe context in JSON form.
titletextTitle of the resource.
warningsjsonbA list of warning messages, if any potential misconfigurations are detected for this SSL policy.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- gcp

You can pass the configuration to the command with the --config argument:

steampipe_export_gcp --config '<your_config>' gcp_compute_ssl_policy