Control: 2.16 Ensure Logging is enabled for HTTP(S) Load Balancer
Description
Logging enabled on an HTTPS Load Balancer will show all network traffic and its destination.
Logging will allow you to view HTTPS network traffic to your web applications.
Remediation
From Console
- From Google Cloud home open the Navigation Menu in the top left.
- Under the Networking heading select Network services.
- Select the HTTPS load-balancer you wish to audit.
- Select Edit then Backend Configuration.
- Select Edit on the corresponding backend service.
- Click Enable Logging.
- Set Sample Rate to a desired value. This is a percentage as a decimal point. 1.0 is 100%.
From Command Line
- Run the following command
gcloud compute backend-services update <serviceName> --region=REGION --enable-logging --logging-sample-rate=<percentageAsADecimal>
Default Value
By default, logging for HTTPS load balancing is disabled. When logging is enabled, the sample rate defaults to 1.0 (100%). Ensure this value fits the needs of your organization to avoid high storage costs.
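To audit many backend services at once, the output of `gcloud compute backend-services list --format=json` can be checked offline. The script below is an added example, not part of the CIS text or the Powerpipe mod. It assumes the JSON carries `protocol`, `logConfig.enable` and `logConfig.sampleRate`, that a missing sample rate means the default of 1.0, and that only HTTP, HTTPS and HTTP2 backends are in scope; the sample records are constructed.

```python
import json

# Constructed sample, shaped like `gcloud compute backend-services list --format=json`.
SAMPLE = json.loads("""
[
  {"name": "web-frontend", "protocol": "HTTPS",
   "logConfig": {"enable": true, "sampleRate": 1.0}},
  {"name": "legacy-api", "protocol": "HTTP"},
  {"name": "checkout", "protocol": "HTTPS",
   "logConfig": {"enable": true, "sampleRate": 0.0}},
  {"name": "admin", "protocol": "HTTP2", "logConfig": {"enable": false}},
  {"name": "reports", "protocol": "HTTPS",
   "logConfig": {"enable": true, "sampleRate": 0.1}},
  {"name": "db-proxy", "protocol": "TCP"}
]
""")

# Assumption: these protocol values mark the backends this control covers.
HTTP_PROTOCOLS = {"HTTP", "HTTPS", "HTTP2"}


def audit_backend_services(services, min_sample_rate=0.0):
    """Return (name, reason) for each HTTP(S) backend service failing the check.

    A service fails when logging is off, when the sample rate is 0 (logging is
    enabled but records nothing), or when the rate is below min_sample_rate.
    """
    findings = []
    for svc in services:
        if svc.get("protocol") not in HTTP_PROTOCOLS:
            continue  # TCP/SSL/UDP backends are outside this control
        log_config = svc.get("logConfig") or {}
        if not log_config.get("enable", False):
            findings.append((svc["name"], "logging disabled"))
            continue
        # Assumption: an absent sampleRate means the documented default, 1.0.
        rate = float(log_config.get("sampleRate", 1.0))
        if rate == 0.0 or rate < min_sample_rate:
            findings.append((svc["name"], f"sample rate {rate:g}"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_backend_services(SAMPLE):
        print(f"FAIL {name}: {reason}")
```

Raising `min_sample_rate` turns the organization's chosen sampling floor into part of the check, so a service with logging technically enabled at a very low rate is also reported.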
Usage
Run the control in your terminal:
powerpipe control run gcp_compliance.control.cis_v300_2_16
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run gcp_compliance.control.cis_v300_2_16 --share
SQL
This control uses a named query:
compute_https_load_balancer_logging_enabled