GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
Ensure Dataproc Clusters Encrypted Using CMEK
More Info:
Cloud services offer the ability to protect data related to those services using encryption keys managed by the customer within Cloud KMS. These encryption keys are called customer-managed encryption keys (CMEK). When you protect data in Google Cloud services with CMEK, the CMEK key is within your control.
Risk Level
Medium
Address
Security, Reliability
Compliance Standards
CISGCP, CBP
Triage and Remediation
Remediation
To remediate the misconfiguration “Ensure Dataproc Clusters Encrypted Using CMEK” for GCP using GCP console, you can follow the below steps:
- Login to your GCP console.
- Navigate to the Dataproc Clusters page.
- Select the cluster for which you want to enable encryption.
- Click on the “Edit” button at the top of the page.
- Scroll down to the “Security” section.
- Under “Encryption”, select “Customer-managed key”.
- Choose the Cloud KMS key that you want to use for encryption.
- Click on the “Save” button at the bottom of the page.
Once you have completed these steps, your Dataproc cluster will be encrypted using the specified Cloud KMS key. This will ensure that your data is secure and protected from unauthorized access.
To remediate the misconfiguration “Ensure Dataproc Clusters Encrypted Using CMEK” in GCP using GCP CLI, you can follow the following steps:
- Open the Cloud Shell from the GCP console.
- Run the command
gcloud dataproc clusters list --region=REGIONto list all the Dataproc clusters in the specified region. - For each cluster in the list, run the command
gcloud dataproc clusters describe CLUSTER_NAME --region=REGIONto get the details of the cluster. - Check if the
encryptionConfigproperty is set toCMEKin the output of the above command. If it is not set toCMEK, then the cluster is not encrypted using CMEK. - To encrypt the cluster using CMEK, run the command
gcloud dataproc clusters update CLUSTER_NAME --region=REGION --update-encryption-config kmsKeyName=KEY_NAMEwhereKEY_NAMEis the name of the KMS key to be used for encryption. - After the cluster is updated, run the command
gcloud dataproc clusters describe CLUSTER_NAME --region=REGIONagain to verify that theencryptionConfigproperty is set toCMEK.
By following the above steps, you can remediate the misconfiguration “Ensure Dataproc Clusters Encrypted Using CMEK” for GCP using GCP CLI.
To remediate the misconfiguration “Ensure Dataproc Clusters Encrypted Using CMEK” on GCP using Python, you can follow the below steps:
- First, you need to create a Cloud KMS key ring and a key in the same project where your Dataproc cluster is running. You can use the following code to create a key ring and a key:
from google.cloud import kms_v1
# Replace with your project ID
project_id = 'your-project-id'
# Create the client
client = kms_v1.KeyManagementServiceClient()
# Create the key ring
key_ring_id = 'dataproc-key-ring'
location_id = 'us-central1'
key_ring_parent = client.location_path(project_id, location_id)
key_ring = client.create_key_ring(key_ring_parent, key_ring_id)
# Create the key
key_id = 'dataproc-key'
purpose = kms_v1.enums.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT
key = {'purpose': purpose}
key_parent = client.key_ring_path(project_id, location_id, key_ring_id)
key = client.create_crypto_key(key_parent, key_id, key)
- Once you have created the key, you need to update your Dataproc cluster to use the newly created key for encryption. You can use the following code to update a cluster:
from google.cloud import dataproc_v1 as dataproc
# Replace with your project ID and cluster name
project_id = 'your-project-id'
region = 'us-central1'
cluster_name = 'your-cluster-name'
# Create the client
client = dataproc.ClusterControllerClient()
# Get the cluster
cluster = client.get_cluster(project_id, region, cluster_name)
# Update the cluster config to use the new key
config = cluster.config
config.encryption_config.gce_pd_kms_key_name = 'projects/{}/locations/{}/keyRings/{}/cryptoKeys/{}'.format(project_id, location_id, key_ring_id, key_id)
cluster.config = config
# Update the cluster
update_mask = dataproc.types.FieldMask(paths=['config.encryption_config.gce_pd_kms_key_name'])
operation = client.update_cluster(project_id, region, cluster_name, cluster, update_mask)
- Finally, you need to verify that the cluster is using the correct key for encryption. You can use the following code to get the encryption configuration of a cluster:
# Get the cluster
cluster = client.get_cluster(project_id, region, cluster_name)
# Print the encryption config
print(cluster.config.encryption_config)
If the output shows that the gce_pd_kms_key_name field is set to the correct key, then the cluster is encrypted using CMEK.