GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
Restrict Default Google-Managed Encryption for Cloud SQL Instances
More Info:
Ensure that the use of Google-managed encryption keys for Cloud SQL database instances is disabled at the GCP organization level in order to enforce the use of Customer-Managed Keys (CMKs) and have full control over SQL database encryption/decryption process.
Risk Level
Medium
Address
Security, Operational Maturity
Compliance Standards
ISO27001, HIPAA
Triage and Remediation
Remediation
To remediate the misconfiguration of “Restrict Default Google-Managed Encryption for Cloud SQL Instances” in GCP using GCP console, follow the below steps:
-
Login to your GCP console.
-
Navigate to the Cloud SQL Instances page.
-
Select the instance for which you want to remediate the misconfiguration.
-
Click on the “Edit” button at the top of the page.
-
Scroll down to the “Encryption” section.
-
Under the “Encryption in transit” section, select “Require SSL” option.
-
Under the “Encryption at rest” section, select “Customer-managed encryption key” option.
-
Provide the required details for Customer-managed encryption key, such as key name, key version and key location.
-
Click on the “Save” button to save the changes.
-
Verify the changes by checking the “Encryption” section on the Cloud SQL instance page.
By following the above steps, you have successfully remediated the misconfiguration of “Restrict Default Google-Managed Encryption for Cloud SQL Instances” in GCP using GCP console.
To remediate the misconfiguration of “Restrict Default Google-Managed Encryption for Cloud SQL Instances” for GCP using GCP CLI, you need to follow the below steps:
-
Open the Google Cloud Shell by clicking on the Activate Cloud Shell button present on the top right corner of the Google Cloud Console.
-
Once you have opened the Google Cloud Shell, run the following command to set the project where you want to remediate the misconfiguration:
gcloud config set project [PROJECT_ID]Replace [PROJECT_ID] with the ID of the project where you want to remediate the misconfiguration.
-
Next, run the following command to list all the Cloud SQL instances in the project:
gcloud sql instances list -
Identify the Cloud SQL instance for which you want to remediate the misconfiguration and note down its name.
-
Run the following command to update the Cloud SQL instance configuration and restrict default Google-managed encryption:
gcloud sql instances patch [INSTANCE_NAME] --require-ssl --backup-start-time 00:00Replace [INSTANCE_NAME] with the name of the Cloud SQL instance for which you want to remediate the misconfiguration.
-
After running the above command, the default Google-managed encryption will be restricted for the Cloud SQL instance.
Note: The above command also enforces SSL connections and sets the backup start time to 00:00.
By following the above steps, you can remediate the misconfiguration of “Restrict Default Google-Managed Encryption for Cloud SQL Instances” for GCP using GCP CLI.
To remediate the “Restrict Default Google-Managed Encryption for Cloud SQL Instances” misconfiguration in GCP using Python, you can follow the below steps:
- Import the necessary libraries:
from googleapiclient import discovery
from oauth2client.client import GoogleCredentials
- Authenticate and authorize the client:
credentials = GoogleCredentials.get_application_default()
service = discovery.build('sqladmin', 'v1beta4', credentials=credentials)
- Get the list of Cloud SQL instances:
project_id = 'YOUR_PROJECT_ID'
instances = service.instances().list(project=project_id).execute()
- Iterate over the instances and update the settings:
for instance in instances['items']:
instance_name = instance['name']
settings = instance['settings']
settings['dataDiskEncryptionEnabled'] = True
settings['dataDiskEncryptionCipher'] = 'AES_256'
settings['backupConfiguration']['binaryLogEnabled'] = False
settings['backupConfiguration']['enabled'] = True
settings['backupConfiguration']['pointInTimeRecoveryEnabled'] = True
settings['backupConfiguration']['replicationLogArchivingEnabled'] = False
settings['backupConfiguration']['startTime'] = '00:00'
settings['backupConfiguration']['transactionLogRetentionDays'] = 7
settings['ipConfiguration']['authorizedNetworks'] = []
settings['ipConfiguration']['ipv4Enabled'] = True
settings['ipConfiguration']['privateNetwork'] = 'default'
settings['ipConfiguration']['requireSsl'] = True
settings['locationPreference']['zone'] = 'YOUR_PREFERRED_ZONE'
settings['maintenanceWindow']['day'] = 1
settings['maintenanceWindow']['hour'] = 0
settings['pricingPlan'] = 'PER_USE'
settings['settingsVersion'] = '1'
settings['storageAutoResize'] = True
settings['storageAutoResizeLimit'] = '0'
settings['tier'] = 'db-n1-standard-1'
settings['userLabels'] = {}
request = service.instances().update(project=project_id, instance=instance_name, body={'settings': settings})
response = request.execute()
print('Instance {} updated.'.format(instance_name))
- Save the Python script and run it using the command:
python script_name.py
This will remediate the “Restrict Default Google-Managed Encryption for Cloud SQL Instances” misconfiguration in GCP.