Ensure in-transit encryption is enabled for Google App Engine Standard App Version

MEDIUM

Description

Google App Engine can force HTTPS, which is a common best practice to help protect data in transit. For more information on securing App Engine apps, see the GCP documentation.
References:
https://cloud.google.com/appengine/docs/standard/application-security

Remediation

The handlers.security_level setting can be configured via an app's app.yaml file. After being changed manually, it can be applied in a GKE workload.

In Terraform:

  1. In the resource google_app_engine_standard_app_version, set the handlers.security_level attribute to SECURE.

References:
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/app_engine_standard_app_version#nested_handlers
https://cloud.google.com/appengine/docs/legacy/standard/python/config/appref#handlers_element
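
One way to check a Terraform plan against this rule before applying it, as an added example (not code from this policy or its vendor). It reads the JSON produced by `terraform show -json` and assumes SECURE_ALWAYS is the provider's enum spelling of the SECURE level named above; the function names and the sample plan are constructed for illustration.

```python
import json

RESOURCE_TYPE = "google_app_engine_standard_app_version"
# Assumption: provider enum value corresponding to the "SECURE" level in the rule.
COMPLIANT = "SECURE_ALWAYS"

def iter_resources(module):
    """Yield every resource in a plan module, descending into child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def find_insecure_handlers(plan):
    """Return (address, url_regex, security_level) for each non-compliant handler."""
    root = plan.get("planned_values", {}).get("root_module", {})
    findings = []
    for res in iter_resources(root):
        if res.get("type") != RESOURCE_TYPE:
            continue
        for handler in res.get("values", {}).get("handlers") or []:
            level = handler.get("security_level")  # None when the attribute is unset
            if level != COMPLIANT:
                findings.append((res["address"], handler.get("url_regex"), level))
    return findings

# Constructed sample in the shape of `terraform show -json` output (not a real plan).
SAMPLE_PLAN = json.loads("""
{"planned_values": {"root_module": {
  "resources": [
    {"address": "google_app_engine_standard_app_version.web",
     "type": "google_app_engine_standard_app_version",
     "values": {"handlers": [
       {"url_regex": "/health", "security_level": "SECURE_OPTIONAL"},
       {"url_regex": "/.*", "security_level": "SECURE_ALWAYS"}]}}],
  "child_modules": [{"address": "module.api", "resources": [
    {"address": "module.api.google_app_engine_standard_app_version.api",
     "type": "google_app_engine_standard_app_version",
     "values": {"handlers": [{"url_regex": "/v1/.*", "security_level": null}]}}]}]
}}}
""")

if __name__ == "__main__":
    for address, url_regex, level in find_insecure_handlers(SAMPLE_PLAN):
        print(f"{address}: handler {url_regex!r} has security_level={level!r}")
```

A handler with the attribute unset is reported with a level of None, so it is reviewed rather than silently passed.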

Policy Details

Rule Reference ID: AC_GCP_0287
CSP: GCP
Remediation Available: Yes
Resource Category: Serverless
Resource Type: App Engine

Frameworks