Triage and Remediation
Remediation
Using Console
To remediate the “Restrict Default Google-Managed Encryption for Cloud SQL Instances” misconfiguration using the GCP console, follow these steps:
- Log in to your GCP console.
- Navigate to the Cloud SQL Instances page.
- Select the instance for which you want to remediate the misconfiguration.
- Click on the “Edit” button at the top of the page.
- Scroll down to the “Encryption” section.
- Under the “Encryption in transit” section, select the “Require SSL” option.
- Under the “Encryption at rest” section, select the “Customer-managed encryption key” option.
- Provide the required details for Customer-managed encryption key, such as key name, key version and key location.
- Click on the “Save” button to save the changes.
- Verify the changes by checking the “Encryption” section on the Cloud SQL instance page.
Using CLI
To remediate the “Restrict Default Google-Managed Encryption for Cloud SQL Instances” misconfiguration using the GCP CLI, follow these steps:
- Open the Google Cloud Shell by clicking the Activate Cloud Shell button in the top-right corner of the Google Cloud Console.
- Once you have opened the Google Cloud Shell, run the following command to set the project where you want to remediate the misconfiguration:
  Replace [PROJECT_ID] with the ID of the project where you want to remediate the misconfiguration.
- Next, run the following command to list all the Cloud SQL instances in the project:
- Identify the Cloud SQL instance for which you want to remediate the misconfiguration and note down its name.
- Run the following command to update the Cloud SQL instance configuration and restrict default Google-managed encryption:
  Replace [INSTANCE_NAME] with the name of the Cloud SQL instance for which you want to remediate the misconfiguration.
- After running the above command, the default Google-managed encryption will be restricted for the Cloud SQL instance. Note: The above command also enforces SSL connections and sets the backup start time to 00:00.
Using Python
To remediate the “Restrict Default Google-Managed Encryption for Cloud SQL Instances” misconfiguration in GCP using Python, follow these steps:
- Import the necessary libraries:
- Authenticate and authorize the client:
- Get the list of Cloud SQL instances:
- Iterate over the instances and update the settings:
- Save the Python script and run it using the command:
This will remediate the “Restrict Default Google-Managed Encryption for Cloud SQL Instances” misconfiguration in GCP.
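To confirm the result across a whole project rather than one instance at a time, the following added example (not part of the original page or of any GCP tooling) audits instance records in the JSON shape the Cloud SQL Admin API returns. It flags instances with no customer-managed key, with a key whose location differs from the instance region, or without required SSL; the sample records and the project, instance and key names are constructed placeholders.

```python
import re

# Constructed sample in the shape of Cloud SQL Admin API instance records.
# Project, instance and key names are placeholders, not real resources.
SAMPLE_INSTANCES = [
    {"name": "orders-db", "region": "us-central1",
     "settings": {"ipConfiguration": {"requireSsl": True}},
     "diskEncryptionConfiguration": {"kmsKeyName":
         "projects/example-proj/locations/us-central1/keyRings/sql/cryptoKeys/orders"}},
    {"name": "legacy-db", "region": "europe-west1",
     "settings": {"ipConfiguration": {"requireSsl": False}}},
    {"name": "reports-db", "region": "us-east1",
     "settings": {"ipConfiguration": {"sslMode": "ENCRYPTED_ONLY"}},
     "diskEncryptionConfiguration": {"kmsKeyName":
         "projects/example-proj/locations/us-central1/keyRings/sql/cryptoKeys/reports"}},
]

KEY_RE = re.compile(
    r"^projects/[^/]+/locations/(?P<location>[^/]+)/keyRings/[^/]+/cryptoKeys/[^/]+$")
SSL_ENFORCING_MODES = {"ENCRYPTED_ONLY", "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"}


def audit_instance(inst):
    """Return the findings for one instance record (empty list = compliant)."""
    findings = []
    key = (inst.get("diskEncryptionConfiguration") or {}).get("kmsKeyName")
    if not key:
        findings.append("no CMEK: Google-managed encryption at rest")
    else:
        m = KEY_RE.match(key)
        if not m:
            findings.append("kmsKeyName is not a full Cloud KMS key path")
        elif m.group("location") != inst.get("region"):
            findings.append("CMEK key location differs from instance region")
    ip = (inst.get("settings") or {}).get("ipConfiguration") or {}
    if not (ip.get("requireSsl") is True or ip.get("sslMode") in SSL_ENFORCING_MODES):
        findings.append("SSL/TLS not required for connections")
    return findings


def audit(instances):
    """Map instance name -> findings, keeping only instances that have findings."""
    report = {i["name"]: audit_instance(i) for i in instances}
    return {name: f for name, f in report.items() if f}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSTANCES).items():
        print(name, "->", "; ".join(findings))
```

To audit a real project, pass `audit()` the parsed output of `gcloud sql instances list --format=json`.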