More Info:

Ensure that Bigtable cluster Backups are encrypted with CMK.

Risk Level

High

Address

Security

Compliance Standards

SOC2, NIST, GDPR, ISO27001, HIPAA, HITRUST

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Bigtable Cluster Backups Should Be Encrypted With Customer Managed Keys” for GCP using GCP console, follow these steps:
  1. Open the Google Cloud Console and select the project where your Bigtable cluster is located.
  2. Go to the Cloud Bigtable section of the console and select your Bigtable instance.
  3. Click on the “Backups” tab and select the backup that you want to encrypt with a customer-managed key.
  4. Click on the “Edit” button next to the backup.
  5. In the “Encryption” section, select “Customer-managed key” from the drop-down menu.
  6. Click on the “Select a key” button and choose the customer-managed key that you want to use to encrypt the backup.
  7. Click on the “Save” button to save the changes.
  8. Repeat steps 3-7 for all the backups associated with your Bigtable cluster.
By following these steps, you will remediate the misconfiguration by encrypting your Bigtable cluster backups with customer-managed keys.

To remediate the misconfiguration of Bigtable Cluster Backups not being encrypted with customer-managed keys, you can follow the below steps using GCP CLI:
  1. Create a new key ring:
gcloud kms keyrings create [KEYRING_NAME] --location=[LOCATION]
Replace [KEYRING_NAME] with the name of the key ring you want to create and [LOCATION] with the location where you want to create the key ring.
  1. Create a new key:
gcloud kms keys create [KEY_NAME] --keyring=[KEYRING_NAME] --location=[LOCATION] --purpose=encryption
Replace [KEY_NAME] with the name of the key you want to create and [KEYRING_NAME] and [LOCATION] with the name of the key ring and location where you created the key ring in step 1.
  1. Grant the Cloud Key Management Service (KMS) service account permission to access the key:
gcloud kms keys add-iam-policy-binding [KEY_NAME] --keyring=[KEYRING_NAME] --location=[LOCATION] --member=serviceAccount:cloudkms@[PROJECT_ID].iam.gserviceaccount.com --role=roles/cloudkms.cryptoKeyEncrypterDecrypter
Replace [KEY_NAME], [KEYRING_NAME], [LOCATION], and [PROJECT_ID] with the name of the key, key ring, location, and project ID where you created the key ring.
  1. Enable encryption for Bigtable backups:
gcloud beta bigtable clusters update [CLUSTER_ID] --backup-encryption-key=[KEY_NAME] --backup-encryption-key-version=1
Replace [CLUSTER_ID] with the ID of the Bigtable cluster you want to update, [KEY_NAME] with the name of the key you created in step 2, and 1 with the version number of the key.After following these steps, all new backups for the Bigtable cluster will be encrypted with the customer-managed key.
To remediate the misconfiguration of Bigtable Cluster Backups Should Be Encrypted With Customer Managed Keys in GCP, you can follow the below steps using Python:
  1. First, create a customer-managed encryption key (CMEK) in the Cloud Key Management Service (KMS) using the following code:
from google.cloud import kms_v1
from google.cloud.kms_v1 import enums

def create_key(project_id, location_id, key_ring_id, key_id):
    client = kms_v1.KeyManagementServiceClient()
    parent = client.key_ring_path(project_id, location_id, key_ring_id)

    purpose = enums.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT
    algorithm = enums.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION

    crypto_key = {
        'purpose': purpose,
        'version_template': {
            'algorithm': algorithm
        }
    }

    response = client.create_crypto_key(parent, key_id, crypto_key)

    print('Created key: {}'.format(response.name))
  1. Next, enable encryption for your Bigtable cluster backups using the CMEK you just created:
from google.cloud import bigtable_admin_v2
from google.cloud.bigtable_admin_v2 import enums

def enable_backup_encryption(project_id, instance_id, cluster_id, key_name):
    client = bigtable_admin_v2.BigtableTableAdminClient()
    cluster_name = client.cluster_path(project_id, instance_id, cluster_id)
    encryption_config = {
        'encryption_type': enums.EncryptionInfo.EncryptionType.GOOGLE_DEFAULT_ENCRYPTION,
        'encryption_info': {
            'kms_key_name': key_name
        }
    }
    cluster = client.get_cluster(cluster_name)
    cluster.encryption_config = encryption_config
    update_mask = {
        'paths': [
            'encryption_config'
        ]
    }
    client.update_cluster(cluster, update_mask)
  1. Finally, verify that encryption is enabled for your Bigtable cluster backups:
from google.cloud.bigtable import Client

def verify_encryption_enabled(project_id, instance_id, cluster_id):
    client = Client(project=project_id, admin=True)
    cluster = client.instance(instance_id).cluster(cluster_id)
    if cluster.encryption_config.encryption_type == enums.EncryptionInfo.EncryptionType.GOOGLE_DEFAULT_ENCRYPTION:
        print('Encryption is enabled for cluster backups.')
    else:
        print('Encryption is not enabled for cluster backups.')
Note: Make sure to replace project_id, location_id, key_ring_id, key_id, instance_id, cluster_id, and key_name with your own values.By following these steps, you can remediate the misconfiguration of Bigtable Cluster Backups Should Be Encrypted With Customer Managed Keys in GCP using Python.

Additional Reading: