Bigtable Cluster Backups Should Be Encrypted With Customer Managed Keys
More Info: Ensure that Bigtable cluster backups are encrypted with a customer-managed key (CMK).
Risk Level: High
Address: Security
Compliance Standards: SOC2, NIST, GDPR, ISO27001, HIPAA, HITRUST
Triage and Remediation
Remediation
To remediate the misconfiguration “Bigtable Cluster Backups Should Be Encrypted With Customer Managed Keys” for GCP using the GCP console, follow these steps:
1. Open the Google Cloud Console and select the project where your Bigtable cluster is located.
2. Go to the Cloud Bigtable section of the console and select your Bigtable instance.
3. Click on the “Backups” tab and select the backup that you want to encrypt with a customer-managed key.
4. Click on the “Edit” button next to the backup.
5. In the “Encryption” section, select “Customer-managed key” from the drop-down menu.
6. Click on the “Select a key” button and choose the customer-managed key that you want to use to encrypt the backup.
7. Click on the “Save” button to save the changes.
8. Repeat steps 3-7 for all the backups associated with your Bigtable cluster.
By following these steps, you will remediate the misconfiguration by encrypting your Bigtable cluster backups with customer-managed keys.
To remediate the misconfiguration of Bigtable cluster backups not being encrypted with customer-managed keys, you can follow the steps below using the GCP CLI:
- Create a new key ring:
```shell
gcloud kms keyrings create [KEYRING_NAME] --location=[LOCATION]
```
Replace [KEYRING_NAME] with the name of the key ring you want to create and [LOCATION] with the location where you want to create the key ring. Bigtable requires the key to be in the same region as the cluster it protects, so use the cluster's region.
- Create a new key:
```shell
gcloud kms keys create [KEY_NAME] --keyring=[KEYRING_NAME] --location=[LOCATION] --purpose=encryption
```
Replace [KEY_NAME] with the name of the key you want to create, and [KEYRING_NAME] and [LOCATION] with the name and location of the key ring you created in step 1.
- Grant the Bigtable service agent permission to encrypt and decrypt with the key (Bigtable, not the KMS service itself, performs the encryption, so the binding must go to Bigtable's service agent):
```shell
# The service agent is created on first use; this makes sure it exists before the binding is added.
gcloud beta services identity create --service=bigtable.googleapis.com --project=[PROJECT_ID]
gcloud kms keys add-iam-policy-binding [KEY_NAME] --keyring=[KEYRING_NAME] --location=[LOCATION] \
  --member=serviceAccount:service-[PROJECT_NUMBER]@gcp-sa-bigtable.iam.gserviceaccount.com \
  --role=roles/cloudkms.cryptoKeyEncrypterDecrypter
```
Replace [KEY_NAME], [KEYRING_NAME], and [LOCATION] with the name of the key, the key ring, and the location where you created the key ring, [PROJECT_ID] with the ID of the project that owns the Bigtable instance, and [PROJECT_NUMBER] with that project's number.
- Enable encryption for Bigtable backups:
```shell
gcloud bigtable clusters create [CLUSTER_ID] --instance=[INSTANCE_ID] --zone=[ZONE] \
  --kms-key=projects/[PROJECT_ID]/locations/[LOCATION]/keyRings/[KEYRING_NAME]/cryptoKeys/[KEY_NAME]
```
Bigtable accepts a KMS key only when a cluster is created, and each backup is encrypted with the key of the cluster it belongs to, so a cluster that currently uses Google-managed encryption cannot be switched in place: create a cluster with the key and move the data to it. Replace [CLUSTER_ID] with the ID of the new cluster, [INSTANCE_ID] with the instance it belongs to, [ZONE] with a zone inside [LOCATION], and [PROJECT_ID], [KEYRING_NAME], and [KEY_NAME] with the values from steps 1-3.
After following these steps, all new backups for the Bigtable cluster will be encrypted with the customer-managed key.
To remediate the misconfiguration “Bigtable Cluster Backups Should Be Encrypted With Customer Managed Keys” in GCP, you can follow the steps below using Python:
- First, create a customer-managed encryption key (CMEK) in the Cloud Key Management Service (KMS) using the following code:
```python
from google.cloud import kms


def create_key(project_id, location_id, key_ring_id, key_id):
    """Create a symmetric ENCRYPT_DECRYPT key in an existing key ring and return its resource name."""
    client = kms.KeyManagementServiceClient()
    parent = client.key_ring_path(project_id, location_id, key_ring_id)
    crypto_key = {
        'purpose': kms.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT,
        'version_template': {
            'algorithm': kms.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION,
        },
    }
    # The current client takes a single request mapping rather than positional arguments.
    response = client.create_crypto_key(
        request={'parent': parent, 'crypto_key_id': key_id, 'crypto_key': crypto_key}
    )
    print('Created key: {}'.format(response.name))
    return response.name
```
- Next, enable encryption for your Bigtable cluster backups using the CMEK you just created. Bigtable only accepts a KMS key when a cluster is created, and backups are encrypted with their cluster's key, so the key is applied by creating the cluster with it:
```python
from google.cloud import bigtable_admin_v2


def enable_backup_encryption(project_id, instance_id, cluster_id, zone, key_name, num_nodes=1):
    """Create a cluster protected by key_name; every backup of it inherits the same key.

    key_name is the full resource name returned by create_key(), and the key
    must live in the same region as the zone the cluster is placed in.
    """
    # Cluster operations live on the instance admin client, not the table admin client.
    client = bigtable_admin_v2.BigtableInstanceAdminClient()
    parent = client.instance_path(project_id, instance_id)
    cluster = {
        'location': client.common_location_path(project_id, zone),
        'serve_nodes': num_nodes,
        'encryption_config': {'kms_key_name': key_name},
    }
    operation = client.create_cluster(
        request={'parent': parent, 'cluster_id': cluster_id, 'cluster': cluster}
    )
    return operation.result()  # blocks until the long-running operation completes
```
- Finally, verify that encryption is enabled for your Bigtable cluster backups:
```python
from google.cloud.bigtable import Client


def verify_encryption_enabled(project_id, instance_id, cluster_id):
    """Return True when the cluster, and therefore every backup of it, uses a CMEK."""
    client = Client(project=project_id, admin=True)
    cluster = client.instance(instance_id).cluster(cluster_id)
    cluster.reload()  # fetch the current state, including the encryption config
    if cluster.kms_key_name:
        print('Encryption is enabled for cluster backups with key {}'.format(cluster.kms_key_name))
        return True
    print('Encryption is not enabled for cluster backups.')
    return False
```
Note: Make sure to replace project_id, location_id, key_ring_id, key_id, instance_id, cluster_id, and key_name with your own values.
By following these steps, you can remediate the misconfiguration “Bigtable Cluster Backups Should Be Encrypted With Customer Managed Keys” in GCP using Python.
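As an added example (not code from this page or from Google's client libraries), the check this page audits written as a pure function over an inventory that has already been fetched, for instance with BigtableInstanceAdminClient.list_clusters and BigtableTableAdminClient.list_backups, and flattened into the dataclasses below: it flags clusters without a CMEK, keys outside the cluster's region, and backups whose encryption_info does not report CUSTOMER_MANAGED_ENCRYPTION. The inventory at the bottom is constructed sample data.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Cloud KMS key resource name as Bigtable reports it in Cluster.encryption_config;
# Backup.encryption_info carries the exact key *version*, so the suffix is optional.
KMS_KEY_RE = re.compile(
    r"^projects/[^/]+/locations/(?P<location>[^/]+)/keyRings/[^/]+"
    r"/cryptoKeys/[^/]+(?:/cryptoKeyVersions/[0-9]+)?$"
)

@dataclass
class Backup:
    name: str
    encryption_type: str             # Backup.encryption_info.encryption_type, as a string
    kms_key_version: Optional[str] = None

@dataclass
class Cluster:
    name: str                        # projects/P/instances/I/clusters/C
    zone: str                        # Cluster.location, e.g. us-central1-b
    kms_key_name: Optional[str]      # None when the cluster uses Google-managed encryption
    backups: List[Backup] = field(default_factory=list)

def audit_cluster(cluster: Cluster) -> List[str]:
    """Return one finding per defect; an empty list means cluster and backups comply."""
    findings = []
    region = cluster.zone.rsplit("-", 1)[0]  # us-central1-b -> us-central1
    if not cluster.kms_key_name:
        findings.append(f"{cluster.name}: Google-managed encryption; every backup inherits it")
    else:
        m = KMS_KEY_RE.match(cluster.kms_key_name)
        if not m:
            findings.append(f"{cluster.name}: malformed kms_key_name {cluster.kms_key_name!r}")
        elif m["location"] != region:   # a CMEK key must live in the cluster's region
            findings.append(f"{cluster.name}: key in {m['location']}, cluster in {region}")
    for b in cluster.backups:
        if b.encryption_type != "CUSTOMER_MANAGED_ENCRYPTION":
            findings.append(f"{b.name}: {b.encryption_type}")
        elif not (b.kms_key_version and KMS_KEY_RE.match(b.kms_key_version)):
            findings.append(f"{b.name}: CMEK reported but no valid kms_key_version")
    return findings

KEY = "projects/demo-proj/locations/us-central1/keyRings/bt-ring/cryptoKeys/bt-key"
SAMPLE = [  # constructed sample inventory, not real resources
    Cluster("c/prod", "us-central1-b", KEY,
            [Backup("c/prod/backups/daily", "CUSTOMER_MANAGED_ENCRYPTION", KEY + "/cryptoKeyVersions/1")]),
    Cluster("c/legacy", "us-central1-b", None,
            [Backup("c/legacy/backups/daily", "GOOGLE_DEFAULT_ENCRYPTION")]),
    Cluster("c/eu", "europe-west1-b", KEY),
]
```

Running audit_cluster over SAMPLE reports nothing for c/prod, two findings for c/legacy, and a region mismatch for c/eu.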