Restrict TLS cipher suites
This page describes how you can prevent access to Google Cloud resources by denying requests made using certain less secure Transport Layer Security (TLS) cipher suites.
Overview
Google Cloud supports multiple TLS cipher suites. To meet security or compliance requirements, you may want to deny requests from clients that use less secure TLS cipher suites.
This capability is provided by the gcp.restrictTLSCipherSuites
organization policy constraint.
The constraint can be applied on organizations, folders, or projects in the
resource hierarchy.
You can use the gcp.restrictTLSCipherSuites constraint either as an allow list
or as a deny list:
- Allow list: Allows a specific set of cipher suites. All others are denied.
- Deny list: Denies a specific set of cipher suites. All others are allowed.
Due to the behavior of organization policy hierarchy evaluation, the Restrict TLS cipher suites constraint applies to the specified resource node and all of its children. For example, if you only allow certain TLS cipher suites for an organization, it also applies for all folders and projects (children) that descend from that organization.
Before you begin
To get the permissions that
you need to set, change, or delete organization policies,
ask your administrator to grant you the
Organization policy administrator (roles/orgpolicy.policyAdmin) IAM role on the organization.
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
Setting the organization policy
The Restrict TLS cipher suites constraint is a type of list constraint. You can add and
remove cipher suites from the allowed_values or denied_values lists of a
Restrict TLS cipher suites constraint. To prevent organization policies from being too
restrictive and to simplify policy management, use
value groups. Value groups are Google-curated recommended TLS
cipher suites.
Console
Open the Organization policies page in the Google Cloud console.
Select the project picker at the top of the page.
From the project picker, select the resource for which you want to set the organization policy.
Select the Restrict TLS cipher suites constraint from the list on the Organization policies page.
To update the organization policy for this resource, click Manage policy.
On the Edit page, select Customize.
Under Policy enforcement, select an enforcement option:
To merge and evaluate your organization policies together, select Merge with parent. For more information about inheritance and the resource hierarchy, see Understanding hierarchy evaluation.
To override policies inherited from a parent resource, select Replace.
Click Add rule.
Under Policy values, select Custom.
Under Policy type, select Allow to create a list of allowed cipher suites, or select Deny to create a list of denied cipher suites.
Under Custom values, enter the
in:prefix and a value group string, then press Enter.For example,
in:NIST-800-52-recommended-ciphers. You can enter multiple value group strings by clicking Add value.You can also enter specific cipher suites strings using the
is:prefix. For a list of supported values, see supported cipher suites.
To enforce the policy, click Set policy.
gcloud
To create an organization policy that enforces the Restrict TLS Cipher Suites constraint, create a policy YAML file that references the constraint:
constraint: constraints/gcp.restrictTLSCipherSuites
listPolicy:
allowedValues:
- in:CNSA-2.0-recommended-ciphers
- is:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
To enforce the organization policy containing the constraint, run the following command:
gcloud resource-manager org-policies set-policy \ --RESOURCE_TYPE RESOURCE_ID \ POLICY_PATH
Replace the following:
RESOURCE_TYPEwithorganization,folderorproject.RESOURCE_IDwith your organization ID, folder ID, project ID, or project number.POLICY_PATHwith the full path to the YAML file containing the organization policy.
A response is returned with the results of the new organization policy:
constraint: constraints/gcp.restrictTLSCipherSuites etag: COS9qr0GELii6o0C listPolicy: allowedValues: - in:CNSA-2.0-recommended-ciphers - is:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA updateTime: '2025-02-11T00:50:44.565875Z'
Value groups
Value groups are collections of cipher suites that are curated by Google to provide a simpler way to define preferred or recommended TLS cipher suites. Value groups include multiple cipher suites and are expanded over time by Google. You don't need to change your organization policy to accommodate the new cipher suites.
To use value groups in your organization policy, prefix your entries with the
string in:. For more information on using value prefixes, see
Using Constraints.
Value group names are validated on the call to set the organization policy.
Using an invalid group name will cause the policy setting to fail.
The following table contains the current list of available groups:
| Group | Details | Direct members |
|---|---|---|
| CNSA-2.0-recommended-ciphers | CNSA 2.0 recommended ciphers supported by Google Cloud:in:CNSA-2.0-recommended-ciphers |
Values:
|
| NIST-800-52-recommended-ciphers | NIST SP 800-52 recommended ciphers supported by Google Cloud:in:NIST-800-52-recommended-ciphers |
Values:
|
Supported cipher suites
This is the list of cipher suites supported by Google Cloud.
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_AES_128_GCM_SHA256
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
Error message
Services that support the Restrict TLS cipher suites constraint deny requests that violate the constraint.
Example error message
The error message has a format similar to the following example:
Request is disallowed by organization's constraints/gcp.restrictTLSCipherSuites constraint for 'projects/PROJECT_NUMBER'. Access to service 'SERVICE_NAME.googleapis.com' attempted with a disallowed TLS Cipher Suite: 'TLS_Cipher_Suite_X` To access this resource, please use an allowed TLS Cipher Suite.
This output includes the following values:
PROJECT_NUMBER: the project number hosting the resource referred in the earlier command.SERVICE_NAME: the name of the in-scope service blocked by the Restrict TLS cipher suites policy.TLS_Cipher_Suite_X: the TLS Cipher suite used in the request.
Example Cloud Audit Log
An audit log entry is also generated for further monitoring, alerting, or debugging. The audit log entry looks similar to the following example:
{ logName: "projects/my-project-number/logs/cloudaudit.googleapis.com%2Fpolicy" protoPayload: { @type: "type.googleapis.com/google.cloud.audit.AuditLog" status: { code: 7 message: "Request is disallowed by organization's TLS Cipher Suite Restriction Org Policy for 'projects/my-project-number'. Attempting to use service 'bigquery.googleapis.com' with a disallowed TLS Cipher Suite: 'TLS_Cipher_Suite_X`." } serviceName: "bigquery.googleapis.com" methodName: "google.cloud.bigquery.v2.TableDataService.InsertAll" resourceName: "projects/my-project-number" authenticationInfo: { principalEmail: "[email protected]" } } requestMetadata: { callerIp: "123.123.123.123" } policyViolationInfo: { orgPolicyViolationInfo: { violationInfo: [ { constraint: "constraints/gcp.restrictTlsCipherSuites" errorMessage: "TLS Cipher Suite Restriction Org Policy is violated" policyType: "LIST_CONSTRAINT" } ] } } resource: { type: "audited_resource" labels: { project_id: "my-project-number" method: "google.cloud.bigquery.v2.TableDataService.InsertAll" service: "bigquery.googleapis.com" } } severity: "ERROR" timestamp: "2023-10-27T19:27:24.633477924Z" receiveTimestamp: "2023-10-27T19:27:25.071941737Z" insertId "42" }
Test the policy
You can test the TLS cipher restriction policy constraint for any
in-scope service. The following example curl command
validates the Restrict TLS cipher suites for a Cloud Key Management Service key ring.
curl --ciphers TLS_CIPHER_SUITE --tls_max 1.2 -H "Authorization: Bearer $(gcloud auth print-access-token)" \ "https://cloudkms.googleapis.com/v1/projects/PROJECT_ID/locations/global/keyRings" --verbose
Replace the following variables:
TLS_CIPHER_SUITE: the TLS cipher suite name in OpenSSL naming convention, for exampleECDHE-ECDSA-AES128-SHAwhich is the OpenSSL name forTLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA.PROJECT_ID: Name of the project containing the key ring
The following example curl request shows PROJECT_ID set to
my-project-id and TLS_CIPHER_SUITE set to ECDHE-ECDSA-AES128-SHA:
curl --ciphers ECDHE-ECDSA-AES128-SHA --tls-max 1.2 \ GET -H "Authorization: Bearer $(gcloud auth print-access-token)" \ "https://cloudkms.googleapis.com/v1/projects/my-project-id/locations/global/keyRings" --verbose
If the organization policy for 'my-project-id' is configured to deny
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA , then any attempt to access resources
with the cipher in the policy-restricted project in this example command fails.
An error message similar to the following example is returned that describes the
reason for this failure.
Request is disallowed by organization's constraints/gcp.restrictTLSCipherSuites constraint for 'projects/my-project-id'. Access to service cloudkms.googleapis.com attempted with a disallowed TLS Cipher Suite: `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`. To access this resource, please use an allowed TLS Cipher Suite.
Create an organization policy in dry-run mode
An organization policy in dry-run mode is a type of organization policy where violations of the policy are audit logged, but the violating actions aren't denied. You can create an organization policy in dry-run mode using the TLS Cipher Suite Restriction constraint to monitor how it would affect your organization before you enforce the live policy. For more information, see Create an organization policy in dry-run mode.
Supported services
The following services support Restrict TLS cipher suites. The constraint applies to all variations of the API endpoint including global, locational, and regional endpoints. See the API endpoint types page for more information.
| Product | API endpoint |
|---|---|
| API Gateway |
apigateway.googleapis.com |
| API keys |
apikeys.googleapis.com |
| Access Context Manager |
accesscontextmanager.googleapis.com |
| Apigee |
apigee.googleapis.com |
| Apigee API hub |
apihub.googleapis.com |
| Apigee API Management API |
apim.googleapis.com |
| Apigee Connect API |
apigeeconnect.googleapis.com |
| Apigee portal API |
apigeeportal.googleapis.com |
| Apigee Registry API |
apigeeregistry.googleapis.com |
| App Config Manager API |
appconfigmanager.googleapis.com |
| Application Design Center |
designcenter.googleapis.com |
| Application Integration |
integrations.googleapis.com |
| Artifact Analysis |
containeranalysis.googleapis.com ondemandscanning.googleapis.com |
| Artifact Registry |
artifactregistry.googleapis.com |
| Assured Open Source Software |
assuredoss.googleapis.com |
| Assured Workloads |
assuredworkloads.googleapis.com |
| Audit Manager |
auditmanager.googleapis.com |
| Authorization Toolkit API |
authztoolkit.googleapis.com |
| Batch |
batch.googleapis.com |
| Chrome Enterprise Premium |
beyondcorp.googleapis.com |
| BigLake |
biglake.googleapis.com |
| BigQuery |
bigquery.googleapis.com |
| BigQuery Connections |
bigqueryconnection.googleapis.com |
| BigQuery Data Policy |
bigquerydatapolicy.googleapis.com |
| BigQuery Data Transfer |
bigquerydatatransfer.googleapis.com |
| BigQuery Migration |
bigquerymigration.googleapis.com |
| BigQuery Reservation |
bigqueryreservation.googleapis.com |
| BigQuery Saved Query API |
bigquery-sq.googleapis.com |
| BigQuery Storage |
bigquerystorage.googleapis.com |
| Bigtable |
bigtable.googleapis.com bigtableadmin.googleapis.com |
| Binary Authorization |
binaryauthorization.googleapis.com |
| Blockchain Analytics |
blockchain.googleapis.com |
| Blockchain Node Engine |
blockchainnodeengine.googleapis.com |
| Blockchain Validator Manager |
blockchainvalidatormanager.googleapis.com |
| Capacity Planner |
capacityplanner.googleapis.com |
| Certificate Authority Service |
privateca.googleapis.com |
| Certificate Manager |
certificatemanager.googleapis.com |
| Cloud Asset Inventory |
cloudasset.googleapis.com |
| Cloud Build |
cloudbuild.googleapis.com |
| Cloud CDN |
compute.googleapis.com |
| Cloud Commerce Producer API |
cloudcommerceproducer.googleapis.com |
| Cloud Composer |
composer.googleapis.com |
| Cloud Controls Partner API |
cloudcontrolspartner.googleapis.com |
| Cloud DNS |
dns.googleapis.com |
| Cloud Data Fusion |
datafusion.googleapis.com |
| Cloud Deployment Manager |
runtimeconfig.googleapis.com deploymentmanager.googleapis.com |
| Cloud Domains |
domains.googleapis.com |
| Cloud Healthcare API |
healthcare.googleapis.com |
| Cloud Interconnect |
compute.googleapis.com |
| Cloud Intrusion Detection System |
ids.googleapis.com |
| Cloud Key Management Service |
cloudkms.googleapis.com |
| Cloud Life Sciences |
lifesciences.googleapis.com |
| Cloud Load Balancing |
compute.googleapis.com |
| Cloud Logging |
logging.googleapis.com |
| Cloud Monitoring |
monitoring.googleapis.com |
| Cloud NAT |
compute.googleapis.com |
| Cloud Natural Language API |
language.googleapis.com |
| Cloud Next Generation Firewall Essentials |
compute.googleapis.com networksecurity.googleapis.com |
| Cloud Next Generation Firewall Standard |
compute.googleapis.com networksecurity.googleapis.com |
| Cloud OS Login API |
oslogin.googleapis.com |
| Cloud Router |
compute.googleapis.com |
| Cloud Run |
run.googleapis.com |
| Cloud SQL |
sqladmin.googleapis.com |
| Cloud Service Mesh |
meshconfig.googleapis.com networksecurity.googleapis.com |
| Cloud Support API |
cloudsupport.googleapis.com |
| Cloud Tool Results API |
toolresults.googleapis.com |
| Cloud VPN |
compute.googleapis.com |
| Cloud Workstations |
workstations.googleapis.com |
| Commerce Agreement Publishing API |
commerceagreementpublishing.googleapis.com |
| Commerce Business Enablement API |
commercebusinessenablement.googleapis.com |
| Commerce Price Management API |
commercepricemanagement.googleapis.com |
| Compute Engine |
compute.googleapis.com |
| Confidential Computing |
confidentialcomputing.googleapis.com |
| Connect |
gkeconnect.googleapis.com |
| Connect gateway |
connectgateway.googleapis.com |
| Contact Center AI Platform API |
contactcenteraiplatform.googleapis.com |
| Container Threat Detection |
containerthreatdetection.googleapis.com |
| Content Warehouse API |
contentwarehouse.googleapis.com |
| Continuous Validation API |
continuousvalidation.googleapis.com |
| Data Labeling API |
datalabeling.googleapis.com |
| Data Security Posture Management API |
dspm.googleapis.com |
| Database Migration Service |
datamigration.googleapis.com |
| Dataflow |
dataflow.googleapis.com |
| Dataproc on GDC |
dataprocgdc.googleapis.com |
| Google Distributed Cloud |
opsconfigmonitoring.googleapis.com gdcvmmanager.googleapis.com gdchardwaremanagement.googleapis.com |
| Distributed Cloud Edge Container API |
edgecontainer.googleapis.com |
| Distributed Cloud Edge Network API |
edgenetwork.googleapis.com |
| Enterprise Knowledge Graph |
enterpriseknowledgegraph.googleapis.com |
| Error Reporting |
clouderrorreporting.googleapis.com |
| Essential Contacts |
essentialcontacts.googleapis.com |
| Eventarc |
eventarc.googleapis.com |
| Filestore |
file.googleapis.com |
| Financial Services API |
financialservices.googleapis.com |
| Firebase App Hosting |
firebaseapphosting.googleapis.com |
| Firebase Data Connect |
firebasedataconnect.googleapis.com |
| Firebase Security Rules |
firebaserules.googleapis.com |
| GKE Dataplane Management |
gkedataplanemanagement.googleapis.com |
| GKE Enterprise Edge API |
anthosedge.googleapis.com |
| GKE Multi-Cloud |
gkemulticloud.googleapis.com |
| GKE On-Prem API |
gkeonprem.googleapis.com |
| Gemini for Google Cloud API |
cloudaicompanion.googleapis.com |
| Google Cloud API |
cloud.googleapis.com |
| Google Cloud Armor |
compute.googleapis.com |
| Google Cloud Migration Center |
migrationcenter.googleapis.com |
| Google Cloud Observability |
stackdriver.googleapis.com |
| Google Kubernetes Engine |
container.googleapis.com configdelivery.googleapis.com |
| Google Security Operations SIEM |
chronicle.googleapis.com chronicleservicemanager.googleapis.com |
| Google Security Operations Partner API |
chroniclepartner.googleapis.com |
| Google Workspace add-ons |
gsuiteaddons.googleapis.com |
| Identity and Access Management |
iam.googleapis.com |
| Identity-Aware Proxy |
iap.googleapis.com |
| Immersive Stream |
stream.googleapis.com |
| Infrastructure Manager |
config.googleapis.com |
| Integration Connectors |
connectors.googleapis.com |
| KRM API Hosting |
krmapihosting.googleapis.com |
| Live Stream API |
livestream.googleapis.com |
| BigQuery Engine for Apache Flink |
managedflink.googleapis.com |
| Managed Kafka API |
managedkafka.googleapis.com |
| Media Asset Manager |
mediaasset.googleapis.com |
| Memorystore for Memcached |
memcache.googleapis.com |
| Memorystore for Redis |
redis.googleapis.com |
| Message Streams API |
messagestreams.googleapis.com |
| Microservices API |
microservices.googleapis.com |
| Model Armor |
modelarmor.googleapis.com |
| Network Connectivity Center |
networkconnectivity.googleapis.com |
| Network Intelligence Center |
networkmanagement.googleapis.com |
| Network Service Tiers |
compute.googleapis.com |
| Persistent Disk |
compute.googleapis.com |
| Oracle Database@Google Cloud |
oracledatabase.googleapis.com |
| Parallelstore |
parallelstore.googleapis.com |
| Policy Analyzer |
policyanalyzer.googleapis.com |
| Policy Troubleshooter |
policytroubleshooter.googleapis.com |
| Progressive Rollout |
progressiverollout.googleapis.com |
| Pub/Sub |
pubsub.googleapis.com |
| Public Certificate Authority |
publicca.googleapis.com |
| Recommender |
recommender.googleapis.com |
| Remote Build Execution |
remotebuildexecution.googleapis.com |
| Retail API |
retail.googleapis.com |
| Cyber Insurance Hub |
riskmanager.googleapis.com |
| SaaS Service Management API |
saasservicemgmt.googleapis.com |
| SecLM API |
seclm.googleapis.com |
| Secret Manager |
secretmanager.googleapis.com |
| Security Command Center |
securitycenter.googleapis.com securitycentermanagement.googleapis.com securityposture.googleapis.com |
| Cloud Data Loss Prevention |
dlp.googleapis.com |
| Service Account Credentials API |
iamcredentials.googleapis.com |
| Service Directory |
servicedirectory.googleapis.com |
| Service Networking |
servicenetworking.googleapis.com |
| Spanner |
spanner.googleapis.com |
| Speaker ID |
speakerid.googleapis.com |
| Speech-to-Text |
speech.googleapis.com |
| Storage Insights |
storageinsights.googleapis.com |
| Storage Transfer Service |
storagebatchoperations.googleapis.com |
| Text-to-Speech |
texttospeech.googleapis.com |
| Timeseries Insights API |
timeseriesinsights.googleapis.com |
| Transcoder API |
transcoder.googleapis.com |
| Transfer Appliance |
transferappliance.googleapis.com |
| VM Manager |
osconfig.googleapis.com |
| Vertex AI API |
aiplatform.googleapis.com |
| Vertex AI Workbench |
notebooks.googleapis.com |
| Vertex AI in Firebase |
firebasevertexai.googleapis.com |
| Virtual Private Cloud (VPC) |
compute.googleapis.com |
| Video Search API |
cloudvideosearch.googleapis.com |
| Video Stitcher API |
videostitcher.googleapis.com |
| Web Risk |
webrisk.googleapis.com |
| Web Security Scanner |
websecurityscanner.googleapis.com |
| Workflows |
workflows.googleapis.com |
| Workload Certificate API |
workloadcertificate.googleapis.com |
Unsupported services
The Restrict TLS cipher suites organization policy constraint is not applicable for the following services:
- App Engine (
*.appspot.com) - Cloud Run functions (
*.cloudfunctions.net), - Cloud Run (
*.run.app) - Private Service Connect
- Custom domains
To restrict TLS cipher suites for these services, use Cloud Load Balancing along with SSL security policy.
Google Cloud cipher suite preference
Endpoints for supported services prioritize AES-256 over AES-128 over ChaCha20. Clients that support AES-256 should successfully negotiate to it without requiring any change in configuration.