Triage and Remediation
Remediation
Using Console
To remediate the misconfiguration “Customer Master Keys (CMKs) Should Be Used” for GCP using the GCP console, follow these steps:
- Log in to the Google Cloud Console.
- Navigate to the Cloud KMS page.
- Click on “Create Key Ring” to create a new key ring.
- Enter a name for the key ring and select the location where you want to create the key ring.
- Click on “Create”.
- Navigate to the “Create Key” page.
- Select the key ring that you created in step 4.
- Enter a name for the key and select the key version.
- Select the key algorithm and protection level.
- Click on “Create”.
- Navigate to the “IAM” page.
- Click on “Add Member” to add a new member to the project.
- Enter the email address of the member and select the role that you want to assign to the member.
- Click on “Save”.
Using CLI
To remediate the misconfiguration “Customer Master Keys (CMKs) Should Be Used” for GCP using GCP CLI, follow these steps:
- Open the Google Cloud Console and navigate to the Cloud Key Management Service (KMS) page.
- Create a new key ring and key for your project if you haven’t already done so.
- Use the following command to create a new symmetric key for your project:
  Replace <KEY-NAME>, <LOCATION>, and <KEY-RING-NAME> with the appropriate values for your project.
- Use the following command to encrypt your data using the new key:
  Replace <PLAINTEXT-FILE>, <CIPHERTEXT-FILE>, <LOCATION>, <KEY-RING-NAME>, and <KEY-NAME> with the appropriate values for your project.
- Update your application or service to use the new encrypted data.
- Verify that the new key is being used to encrypt and decrypt your data by checking the Cloud KMS audit logs.
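The commands for the CLI steps above are not shown on this page. The following is an added example, not the original page's code, that wraps the standard `gcloud kms keyrings create`, `gcloud kms keys create`, `gcloud kms encrypt` and `gcloud logging read` commands in shell functions with basic input checks. The function names, the `DRY_RUN` switch and the audit-log filter are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; function names and DRY_RUN are illustrative assumptions.
# With DRY_RUN=1 each gcloud command is printed instead of executed.

# Cloud KMS resource IDs: letters, digits, "_" and "-", at most 63 characters.
valid_id() {
  case "$1" in
    ''|*[!A-Za-z0-9_-]*) return 1 ;;
  esac
  [ "${#1}" -le 63 ]
}

# Run a command, or only print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# create_keyring <KEY-RING-NAME> <LOCATION>
create_keyring() {
  valid_id "$1" || { echo "invalid key ring name: $1" >&2; return 2; }
  run gcloud kms keyrings create "$1" --location "$2"
}

# create_cmk <KEY-NAME> <LOCATION> <KEY-RING-NAME>: symmetric encryption key.
create_cmk() {
  valid_id "$1" && valid_id "$3" || { echo "invalid key or key ring name" >&2; return 2; }
  run gcloud kms keys create "$1" --location "$2" --keyring "$3" --purpose encryption
}

# encrypt_file <PLAINTEXT-FILE> <CIPHERTEXT-FILE> <LOCATION> <KEY-RING-NAME> <KEY-NAME>
encrypt_file() {
  [ -r "$1" ] || { echo "cannot read plaintext file: $1" >&2; return 3; }
  [ ! -e "$2" ] || { echo "refusing to overwrite: $2" >&2; return 4; }
  run gcloud kms encrypt --location "$3" --keyring "$4" --key "$5" \
    --plaintext-file "$1" --ciphertext-file "$2"
}

# audit_filter <KEY-RING-NAME> <KEY-NAME>: Cloud Logging filter for this key's audit entries.
audit_filter() {
  printf 'protoPayload.serviceName="cloudkms.googleapis.com" AND protoPayload.resourceName:"keyRings/%s/cryptoKeys/%s"' "$1" "$2"
}

# show_key_audit <KEY-RING-NAME> <KEY-NAME>: most recent audit entries for the key.
show_key_audit() {
  run gcloud logging read "$(audit_filter "$1" "$2")" --limit 20
}
```

Encrypt and Decrypt calls are recorded as Data Access audit logs, so those must be enabled for Cloud KMS before `show_key_audit` returns entries for them.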
Using Python
To remediate the misconfiguration “Customer Master Keys (CMKs) Should Be Used” in GCP using Python, follow these steps:
- Import the necessary libraries:
- Authenticate and create a client object:
- List all the key rings:
- Loop through each key ring and list all the crypto keys:
- Check if the crypto key has a customer-managed encryption key:
- If the crypto key does not have a customer-managed encryption key, create a new one:
- Update the crypto key to use the new customer-managed encryption key:
Note: Replace [PROJECT_ID] and [LOCATION] with your project ID and location respectively.
By following these steps, you can remediate the misconfiguration “Customer Master Keys (CMKs) Should Be Used” in GCP using Python.