Ensure Dataproc Clusters Encrypted Using CMEK

More Info:

Cloud services offer the ability to protect data related to those services using encryption keys managed by the customer within Cloud KMS. These encryption keys are called customer-managed encryption keys (CMEK). When you protect data in Google Cloud services with CMEK, the CMEK key is within your control.

Risk Level

Medium

Address

Security, Reliability

Compliance Standards

CISGCP, CBP

Triage and Remediation

Remediation

Using Console

Using CLI

Using Python

To remediate the misconfiguration “Ensure Dataproc Clusters Encrypted Using CMEK” on GCP using Python, you can follow the below steps:

First, you need to create a Cloud KMS key ring and a key in the same project where your Dataproc cluster is running. You can use the following code to create a key ring and a key:

from google.cloud import kms_v1

# Replace with your project ID
project_id = 'your-project-id'

# Create the client
client = kms_v1.KeyManagementServiceClient()

# Create the key ring
key_ring_id = 'dataproc-key-ring'
location_id = 'us-central1'
key_ring_parent = client.location_path(project_id, location_id)
key_ring = client.create_key_ring(key_ring_parent, key_ring_id)

# Create the key
key_id = 'dataproc-key'
purpose = kms_v1.enums.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT
key = {'purpose': purpose}
key_parent = client.key_ring_path(project_id, location_id, key_ring_id)
key = client.create_crypto_key(key_parent, key_id, key)

Once you have created the key, you need to update your Dataproc cluster to use the newly created key for encryption. You can use the following code to update a cluster:

from google.cloud import dataproc_v1 as dataproc

# Replace with your project ID and cluster name
project_id = 'your-project-id'
region = 'us-central1'
cluster_name = 'your-cluster-name'

# Create the client
client = dataproc.ClusterControllerClient()

# Get the cluster
cluster = client.get_cluster(project_id, region, cluster_name)

# Update the cluster config to use the new key
config = cluster.config
config.encryption_config.gce_pd_kms_key_name = 'projects/{}/locations/{}/keyRings/{}/cryptoKeys/{}'.format(project_id, location_id, key_ring_id, key_id)
cluster.config = config

# Update the cluster
update_mask = dataproc.types.FieldMask(paths=['config.encryption_config.gce_pd_kms_key_name'])
operation = client.update_cluster(project_id, region, cluster_name, cluster, update_mask)

Finally, you need to verify that the cluster is using the correct key for encryption. You can use the following code to get the encryption configuration of a cluster:

# Get the cluster
cluster = client.get_cluster(project_id, region, cluster_name)

# Print the encryption config
print(cluster.config.encryption_config)

If the output shows that the gce_pd_kms_key_name field is set to the correct key, then the cluster is encrypted using CMEK.

Additional Reading:

https://cloud.google.com/docs/security/encryption/default-encryption

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

Ensure Dataproc Clusters Encrypted Using CMEK

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: