Ensure SSL policies enforce minimum TLS 1.2 for HTTPS proxies

Google Cloud Remediation

Service-wide fix (recommended): standardize a small set of approved SSL policies and attach them to every external HTTPS proxy and proxy Network Load Balancer that should not accept legacy TLS.

When to use service-wide remediation

Use the service-wide path when the same SSL policy can be shared across many proxies.

Google Cloud console

1. Open Network security -> SSL policies.
2. Edit the affected policy or create a new approved policy.
3. Set the minimum TLS version to TLS 1.2.
4. Prefer the MODERN profile unless you have a documented compatibility requirement.
5. Attach the policy to the affected target HTTPS or target SSL proxies.

Google Cloud CLI

Update the SSL policy:

gcloud compute ssl-policies update <policy-name> \
  --min-tls-version=1.2 \
  --profile=MODERN

Attach it to a target HTTPS proxy:

gcloud compute target-https-proxies update <proxy-name> \
  --ssl-policy=<policy-name>

Validate the policy:

gcloud compute ssl-policies describe <policy-name>

Operational notes

• This control also flags the COMPATIBLE profile because it usually keeps older cipher support for broad backward compatibility. Only keep it if you have a documented client compatibility requirement.
• Updating the policy alone is not enough if the affected proxy is still attached to a different SSL policy.

References

• https://cloud.google.com/load-balancing/docs/use-ssl-policies
• https://cloud.google.com/sdk/gcloud/reference/compute/ssl-policies/update
• https://docs.cloud.google.com/sdk/gcloud/reference/compute/target-https-proxies/update
• https://docs.cloud.google.com/compute/docs/reference/rest/v1/sslPolicies