Detect GCP Load Balancer Configuration Changes

Trend Micro Cloud One™ – Conformity Real-Time Threat Monitoring and Analysis (RTMA) engine has detected configuration changes made at the Load Balancing service level, in your GCP account.
Google Cloud Load Balancing is a fully managed, high performance, scalable load balancing service provided by Google Cloud Platform (GCP). With Google Cloud Load Balancing you can easily create and configure your own load balancers in order to distribute user traffic across the multiple instances that are running your web applications.
As a security best practice, you need to be aware of all the configuration changes made at the Load Balancing service level, changes such as creating a forwarding rule or updating a specified backend service resource for a load balancer. A backend service defines how a load balancer distributes traffic while a forwarding rule (and its associated IP address) represents the frontend configuration of a load balancer. Because these configuration settings define how your load balancer behaves, it is imperative to monitor them in real time.
The activity detected by the Trend Micro Cloud One™ – Conformity RTMA feature could be, for example, a user action initiated through the Google Cloud Console or an API request initiated programmatically using gcloud CLI, that triggers any of the following operational events:

• "forwardingRules.insert" – Creates a forwarding rule in the specified GCP project and region using the data included in the request.
• "forwardingRules.patch" – Updates the specified forwarding rule with the data included in the request. This method supports "PATCH" semantics and uses the JSON merge patch format and processing rules.
• "backendServices.insert" – Creates a backend service resource in the specified GCP project using the data included in the request.
• "backendServices.patch" – Patches the specified backend service with the data included in the request. This method supports "PATCH" semantics and uses the JSON merge patch format and processing rules.

If a backend service or a forwarding rule is created and/or modified by an inexperienced user, it can allow attackers to identify possible vulnerabilities and attempt to exploit them to their own advantage. To adhere to Google Cloud security best practices and implement the Principle of Least Privilege (i.e. the practice of providing every user/process/system the minimal amount of access required to successfully perform its tasks), Trend Micro Cloud One™ – Conformity strongly recommends that you avoid as much as possible to provide your GCP users (except administrators or authorized personnel) the permission to change the load balancer configuration within your GCP account.
The communication channels for sending RTMA notifications can be quickly configured in your Conformity account. The list of supported communication channels that you can use to receive notification alerts for Load Balancing configuration changes are SMS, Email, Slack, PagerDuty, ServiceNow, and Zendesk.

This rule resolution is part of the Conformity solution.