Triage and Remediation
Remediation
Using Console
To remediate the misconfiguration “Ensure Dataproc Clusters Encrypted Using CMEK” for GCP using the GCP console, follow the steps below:
- Login to your GCP console.
- Navigate to the Dataproc Clusters page.
- Select the cluster for which you want to enable encryption.
- Click on the “Edit” button at the top of the page.
- Scroll down to the “Security” section.
- Under “Encryption”, select “Customer-managed key”.
- Choose the Cloud KMS key that you want to use for encryption.
- Click on the “Save” button at the bottom of the page.
Using CLI
To remediate the misconfiguration “Ensure Dataproc Clusters Encrypted Using CMEK” in GCP using the GCP CLI, follow these steps:
- Open the Cloud Shell from the GCP console.
- Run the command `gcloud dataproc clusters list --region=REGION` to list all the Dataproc clusters in the specified region.
- For each cluster in the list, run the command `gcloud dataproc clusters describe CLUSTER_NAME --region=REGION` to get the details of the cluster.
- Check if the `encryptionConfig` property is set to CMEK in the output of the above command. If it is not set to CMEK, then the cluster is not encrypted using CMEK.
- To encrypt the cluster using CMEK, run the command `gcloud dataproc clusters update CLUSTER_NAME --region=REGION --update-encryption-config kmsKeyName=KEY_NAME`, where `KEY_NAME` is the name of the KMS key to be used for encryption.
- After the cluster is updated, run the command `gcloud dataproc clusters describe CLUSTER_NAME --region=REGION` again to verify that the `encryptionConfig` property is set to CMEK.
Using Python
To remediate the misconfiguration “Ensure Dataproc Clusters Encrypted Using CMEK” on GCP using Python, follow the steps below:
- First, you need to create a Cloud KMS key ring and a key in the same project where your Dataproc cluster is running. You can use the following code to create a key ring and a key:
- Once you have created the key, you need to update your Dataproc cluster to use the newly created key for encryption. You can use the following code to update a cluster:
- Finally, you need to verify that the cluster is using the correct key for encryption. You can use the following code to get the encryption configuration of a cluster:
If the output shows that the `gce_pd_kms_key_name` field is set to the correct key, then the cluster is encrypted using CMEK.
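As an added example (not code from the original page), the following Python evaluates the JSON that `gcloud dataproc clusters describe CLUSTER_NAME --region=REGION --format=json` prints, looking at the `gcePdKmsKeyName` field the verification step above refers to and reporting whether the cluster is CMEK-encrypted with an approved key. The sample cluster descriptions and the key resource name are constructed, and `check_live_cluster` assumes an authenticated `gcloud` on the path.

```python
"""Check Dataproc describe() JSON for CMEK encryption (added example).

A CMEK-encrypted cluster names its Cloud KMS key in
config.encryptionConfig.gcePdKmsKeyName; if absent, Google-managed keys are used.
"""
import json
import re
import subprocess
from typing import Optional

# Cloud KMS cryptoKey resource name (no cryptoKeyVersions suffix).
KMS_KEY_RE = re.compile(
    r"^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$")

def cmek_key(cluster: dict) -> Optional[str]:
    """Return the configured CMEK key resource name, or None if unset."""
    enc = (cluster.get("config") or {}).get("encryptionConfig") or {}
    return enc.get("gcePdKmsKeyName") or None

def check_cluster(cluster: dict, approved_key: Optional[str] = None) -> dict:
    """Evaluate one cluster description; optionally require a specific key."""
    key = cmek_key(cluster)
    findings = []
    if key is None:
        findings.append("gcePdKmsKeyName not set: Google-managed encryption")
    else:
        if not KMS_KEY_RE.match(key):
            findings.append(f"not a cryptoKey resource name: {key}")
        if approved_key and key != approved_key:
            findings.append(f"{key} is not the approved key {approved_key}")
    return {"cluster": cluster.get("clusterName", "<unnamed>"), "key": key,
            "compliant": not findings, "findings": findings}

def check_live_cluster(name: str, region: str,
                       approved_key: Optional[str] = None) -> dict:
    """Describe a real cluster via gcloud (needs an authenticated gcloud)."""
    cmd = ["gcloud", "dataproc", "clusters", "describe", name,
           f"--region={region}", "--format=json"]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return check_cluster(json.loads(out), approved_key)

# Constructed sample describe() output, not taken from a real project.
SAMPLE_KEY = ("projects/example-proj/locations/us-central1/keyRings/"
              "dataproc-ring/cryptoKeys/dataproc-pd-key")
SAMPLE_CMEK = {"clusterName": "etl-prod",
               "config": {"encryptionConfig": {"gcePdKmsKeyName": SAMPLE_KEY}}}
SAMPLE_DEFAULT = {"clusterName": "scratch", "config": {"encryptionConfig": {}}}
```

Running `check_cluster` over every cluster returned by `gcloud dataproc clusters list --format=json` gives a per-cluster compliance record; a non-empty `findings` list is what a policy check should alert on.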