
SSL policies should enforce secure versions of TLS

Default Severity: critical

Explanation

TLS 1.0 and 1.1 are deprecated (RFC 8996) and have known weaknesses; an SSL policy that permits them lets any client negotiate a downgraded handshake with the load balancer. Use TLS 1.2 as the minimum version. Note that if min_tls_version is omitted the policy defaults to TLS_1_0, and that an SSL policy only has an effect once it is attached to a target HTTPS or SSL proxy.

Possible Impact

Data in transit is not sufficiently secured

Suggested Resolution

Enforce a minimum TLS version of 1.2

Insecure Example

The following example will fail the google-compute-use-secure-tls-policy check.

 resource "google_compute_ssl_policy" "bad_example" {
   name            = "production-ssl-policy"
   profile         = "MODERN"
   min_tls_version = "TLS_1_1" # allows deprecated TLS 1.1 handshakes
 }

Secure Example

The following example will pass the google-compute-use-secure-tls-policy check.

 resource "google_compute_ssl_policy" "good_example" {
   name            = "production-ssl-policy"
   profile         = "MODERN"
   min_tls_version = "TLS_1_2" # TLS 1.0 and 1.1 are rejected
 }
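A policy that passes the check still does nothing until a proxy references it. The following is an added example, not code from the original page or from tfsec: it wires a TLS 1.2 minimum policy into a google_compute_target_https_proxy. The url_map and ssl_certificates references are assumed to exist elsewhere in the configuration.

```terraform
# Added example (not part of the original check page): a TLS 1.2 minimum
# policy attached to the HTTPS proxy that fronts a load balancer.
resource "google_compute_ssl_policy" "tls12_min" {
  name            = "production-ssl-policy"
  profile         = "MODERN"
  min_tls_version = "TLS_1_2" # omitting this attribute defaults to TLS_1_0
}

resource "google_compute_target_https_proxy" "frontend" {
  name             = "production-https-proxy"
  url_map          = google_compute_url_map.frontend.id           # assumed to exist
  ssl_certificates = [google_compute_ssl_certificate.frontend.id] # assumed to exist
  # Without this line the proxy falls back to the default SSL policy,
  # which allows TLS 1.0, regardless of what the policy above says.
  ssl_policy = google_compute_ssl_policy.tls12_min.id
}
```

After apply, confirm enforcement from outside: openssl s_client -connect <lb-ip>:443 -tls1_1 should fail the handshake, while the same command with -tls1_2 should succeed.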