More Info:

Cloud services offer the ability to protect data related to those services using encryption keys managed by the customer within Cloud KMS. These encryption keys are called customer-managed encryption keys (CMEK). When you protect data in Google Cloud services with CMEK, the CMEK key is within your control.

Risk Level

Medium

Address

Security, Reliability

Compliance Standards

CISGCP, CBP

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Ensure Dataproc Clusters Encrypted Using CMEK” for GCP using GCP console, you can follow the below steps:
  1. Login to your GCP console.
  2. Navigate to the Dataproc Clusters page.
  3. Select the cluster for which you want to enable encryption.
  4. Click on the “Edit” button at the top of the page.
  5. Scroll down to the “Security” section.
  6. Under “Encryption”, select “Customer-managed key”.
  7. Choose the Cloud KMS key that you want to use for encryption.
  8. Click on the “Save” button at the bottom of the page.
Once you have completed these steps, your Dataproc cluster will be encrypted using the specified Cloud KMS key. This will ensure that your data is secure and protected from unauthorized access.

To remediate the misconfiguration “Ensure Dataproc Clusters Encrypted Using CMEK” in GCP using GCP CLI, you can follow the following steps:
  1. Open the Cloud Shell from the GCP console.
  2. Run the command gcloud dataproc clusters list --region=REGION to list all the Dataproc clusters in the specified region.
  3. For each cluster in the list, run the command gcloud dataproc clusters describe CLUSTER_NAME --region=REGION to get the details of the cluster.
  4. Check if the encryptionConfig property is set to CMEK in the output of the above command. If it is not set to CMEK, then the cluster is not encrypted using CMEK.
  5. To encrypt the cluster using CMEK, run the command gcloud dataproc clusters update CLUSTER_NAME --region=REGION --update-encryption-config kmsKeyName=KEY_NAME where KEY_NAME is the name of the KMS key to be used for encryption.
  6. After the cluster is updated, run the command gcloud dataproc clusters describe CLUSTER_NAME --region=REGION again to verify that the encryptionConfig property is set to CMEK.
By following the above steps, you can remediate the misconfiguration “Ensure Dataproc Clusters Encrypted Using CMEK” for GCP using GCP CLI.
To remediate the misconfiguration “Ensure Dataproc Clusters Encrypted Using CMEK” on GCP using Python, you can follow the below steps:
  1. First, you need to create a Cloud KMS key ring and a key in the same project where your Dataproc cluster is running. You can use the following code to create a key ring and a key:
from google.cloud import kms_v1

# Replace with your project ID
project_id = 'your-project-id'

# Create the client
client = kms_v1.KeyManagementServiceClient()

# Create the key ring
key_ring_id = 'dataproc-key-ring'
location_id = 'us-central1'
key_ring_parent = client.location_path(project_id, location_id)
key_ring = client.create_key_ring(key_ring_parent, key_ring_id)

# Create the key
key_id = 'dataproc-key'
purpose = kms_v1.enums.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT
key = {'purpose': purpose}
key_parent = client.key_ring_path(project_id, location_id, key_ring_id)
key = client.create_crypto_key(key_parent, key_id, key)
  1. Once you have created the key, you need to update your Dataproc cluster to use the newly created key for encryption. You can use the following code to update a cluster:
from google.cloud import dataproc_v1 as dataproc

# Replace with your project ID and cluster name
project_id = 'your-project-id'
region = 'us-central1'
cluster_name = 'your-cluster-name'

# Create the client
client = dataproc.ClusterControllerClient()

# Get the cluster
cluster = client.get_cluster(project_id, region, cluster_name)

# Update the cluster config to use the new key
config = cluster.config
config.encryption_config.gce_pd_kms_key_name = 'projects/{}/locations/{}/keyRings/{}/cryptoKeys/{}'.format(project_id, location_id, key_ring_id, key_id)
cluster.config = config

# Update the cluster
update_mask = dataproc.types.FieldMask(paths=['config.encryption_config.gce_pd_kms_key_name'])
operation = client.update_cluster(project_id, region, cluster_name, cluster, update_mask)
  1. Finally, you need to verify that the cluster is using the correct key for encryption. You can use the following code to get the encryption configuration of a cluster:
# Get the cluster
cluster = client.get_cluster(project_id, region, cluster_name)

# Print the encryption config
print(cluster.config.encryption_config)
If the output shows that the gce_pd_kms_key_name field is set to the correct key, then the cluster is encrypted using CMEK.

Additional Reading: