Restrict Default Google-Managed Encryption for Cloud SQL Instances

More Info:

Ensure that the use of Google-managed encryption keys for Cloud SQL database instances is disabled at the GCP organization level in order to enforce the use of Customer-Managed Keys (CMKs) and have full control over SQL database encryption/decryption process.

Risk Level

Medium

Address

Security, Operational Maturity

Compliance Standards

ISO27001, HIPAA

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration of “Restrict Default Google-Managed Encryption for Cloud SQL Instances” for GCP using GCP CLI, you need to follow the below steps:

Open the Google Cloud Shell by clicking on the Activate Cloud Shell button present on the top right corner of the Google Cloud Console.
Once you have opened the Google Cloud Shell, run the following command to set the project where you want to remediate the misconfiguration:
```
gcloud config set project [PROJECT_ID]
```
Replace [PROJECT_ID] with the ID of the project where you want to remediate the misconfiguration.
Next, run the following command to list all the Cloud SQL instances in the project:
```
gcloud sql instances list
```
Identify the Cloud SQL instance for which you want to remediate the misconfiguration and note down its name.
Run the following command to update the Cloud SQL instance configuration and restrict default Google-managed encryption:
```
gcloud sql instances patch [INSTANCE_NAME] --require-ssl --backup-start-time 00:00
```
Replace [INSTANCE_NAME] with the name of the Cloud SQL instance for which you want to remediate the misconfiguration.
After running the above command, the default Google-managed encryption will be restricted for the Cloud SQL instance. Note: The above command also enforces SSL connections and sets the backup start time to 00:00.

By following the above steps, you can remediate the misconfiguration of “Restrict Default Google-Managed Encryption for Cloud SQL Instances” for GCP using GCP CLI.

Using Python

To remediate the “Restrict Default Google-Managed Encryption for Cloud SQL Instances” misconfiguration in GCP using Python, you can follow the below steps:

Import the necessary libraries:

from googleapiclient import discovery
from oauth2client.client import GoogleCredentials

Authenticate and authorize the client:

credentials = GoogleCredentials.get_application_default()
service = discovery.build('sqladmin', 'v1beta4', credentials=credentials)

Get the list of Cloud SQL instances:

project_id = 'YOUR_PROJECT_ID'
instances = service.instances().list(project=project_id).execute()

Iterate over the instances and update the settings:

for instance in instances['items']:
    instance_name = instance['name']
    settings = instance['settings']
    settings['dataDiskEncryptionEnabled'] = True
    settings['dataDiskEncryptionCipher'] = 'AES_256'
    settings['backupConfiguration']['binaryLogEnabled'] = False
    settings['backupConfiguration']['enabled'] = True
    settings['backupConfiguration']['pointInTimeRecoveryEnabled'] = True
    settings['backupConfiguration']['replicationLogArchivingEnabled'] = False
    settings['backupConfiguration']['startTime'] = '00:00'
    settings['backupConfiguration']['transactionLogRetentionDays'] = 7
    settings['ipConfiguration']['authorizedNetworks'] = []
    settings['ipConfiguration']['ipv4Enabled'] = True
    settings['ipConfiguration']['privateNetwork'] = 'default'
    settings['ipConfiguration']['requireSsl'] = True
    settings['locationPreference']['zone'] = 'YOUR_PREFERRED_ZONE'
    settings['maintenanceWindow']['day'] = 1
    settings['maintenanceWindow']['hour'] = 0
    settings['pricingPlan'] = 'PER_USE'
    settings['settingsVersion'] = '1'
    settings['storageAutoResize'] = True
    settings['storageAutoResizeLimit'] = '0'
    settings['tier'] = 'db-n1-standard-1'
    settings['userLabels'] = {}
    request = service.instances().update(project=project_id, instance=instance_name, body={'settings': settings})
    response = request.execute()
    print('Instance {} updated.'.format(instance_name))

Save the Python script and run it using the command:

python script_name.py

This will remediate the “Restrict Default Google-Managed Encryption for Cloud SQL Instances” misconfiguration in GCP.

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

Restrict Default Google-Managed Encryption for Cloud SQL Instances

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation