More Info:
Ensure that Bigtable cluster backups are encrypted with a customer-managed key (CMK).
Risk Level: High
Address: Security
Compliance Standards: SOC2, NIST, GDPR, ISO27001, HIPAA, HITRUST
Triage and Remediation
Remediation
Using Console
To remediate the misconfiguration “Bigtable Cluster Backups Should Be Encrypted With Customer Managed Keys” for GCP using the GCP console, follow these steps:
1. Open the Google Cloud Console and select the project where your Bigtable cluster is located.
2. Go to the Cloud Bigtable section of the console and select your Bigtable instance.
3. Click on the “Backups” tab and select the backup that you want to encrypt with a customer-managed key.
4. Click on the “Edit” button next to the backup.
5. In the “Encryption” section, select “Customer-managed key” from the drop-down menu.
6. Click on the “Select a key” button and choose the customer-managed key that you want to use to encrypt the backup.
7. Click on the “Save” button to save the changes.
8. Repeat steps 3-7 for all the backups associated with your Bigtable cluster.
Using CLI
To remediate the misconfiguration of Bigtable cluster backups not being encrypted with customer-managed keys, follow the steps below using the GCP CLI:
1. Create a new key ring, replacing [KEYRING_NAME] with the name of the key ring you want to create and [LOCATION] with the location where you want to create the key ring.
2. Create a new key, replacing [KEY_NAME] with the name of the key you want to create, and [KEYRING_NAME] and [LOCATION] with the name of the key ring and the location where you created the key ring in step 1.
3. Grant the Cloud Key Management Service (KMS) service account permission to access the key, replacing [KEY_NAME], [KEYRING_NAME], [LOCATION], and [PROJECT_ID] with the name of the key, the key ring, the location, and the project ID where you created the key ring.
4. Enable encryption for Bigtable backups, replacing [CLUSTER_ID] with the ID of the Bigtable cluster you want to update, [KEY_NAME] with the name of the key you created in step 2, and 1 with the version number of the key.
After following these steps, all new backups for the Bigtable cluster will be encrypted with the customer-managed key.
Using Python
To remediate the misconfiguration “Bigtable Cluster Backups Should Be Encrypted With Customer Managed Keys” in GCP, follow the steps below using Python:
1. First, create a customer-managed encryption key (CMEK) in the Cloud Key Management Service (KMS).
2. Next, enable encryption for your Bigtable cluster backups using the CMEK you just created.
3. Finally, verify that encryption is enabled for your Bigtable cluster backups.
Note: Make sure to replace project_id, location_id, key_ring_id, key_id, instance_id, cluster_id, and key_name with your own values.
By following these steps, you can remediate the misconfiguration “Bigtable Cluster Backups Should Be Encrypted With Customer Managed Keys” in GCP using Python.
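As an added verification example (not code from the original guide), the following Python covers the final check in both the CLI and Python procedures above: given the JSON that `gcloud bigtable backups list --instance=INSTANCE_ID --format=json` prints (assumed invocation), it reports every backup whose encryptionInfo is not CUSTOMER_MANAGED_ENCRYPTION and, when an expected key is supplied, any backup protected by a different key. Every project, instance, cluster and key name in the sample is a constructed placeholder.

```python
import json
CMEK = "CUSTOMER_MANAGED_ENCRYPTION"

# Constructed sample in the shape of the Bigtable Admin API Backup resources
# that `gcloud bigtable backups list --format=json` prints; names are placeholders.
SAMPLE_BACKUPS_JSON = json.dumps([
    {
        "name": "projects/my-proj/instances/my-inst/clusters/my-inst-c1/backups/daily-01",
        "encryptionInfo": {
            "encryptionType": "CUSTOMER_MANAGED_ENCRYPTION",
            "kmsKeyVersion": "projects/my-proj/locations/us-central1/keyRings/bt-ring"
                             "/cryptoKeys/bt-key/cryptoKeyVersions/1",
        },
    },
    {
        "name": "projects/my-proj/instances/my-inst/clusters/my-inst-c2/backups/daily-01",
        "encryptionInfo": {"encryptionType": "GOOGLE_DEFAULT_ENCRYPTION"},
    },
    {
        # encryptionInfo absent entirely: treated as not customer-managed.
        "name": "projects/my-proj/instances/my-inst/clusters/my-inst-c2/backups/adhoc",
    },
])

def cluster_of(backup_name):
    """Return the cluster id embedded in a full backup resource name."""
    parts = backup_name.split("/")
    return parts[parts.index("clusters") + 1]

def non_cmek_backups(backups_json, expected_key=None):
    """Return (name, reason) per failing backup; expected_key (full cryptoKeys
    resource name, optional) also flags CMEK backups under any other key."""
    findings = []
    for backup in json.loads(backups_json):
        info = backup.get("encryptionInfo") or {}
        if info.get("encryptionType") != CMEK:
            findings.append((backup["name"], "not customer-managed"))
        elif expected_key and not info.get("kmsKeyVersion", "").startswith(
            expected_key + "/cryptoKeyVersions/"
        ):
            findings.append((backup["name"], "unexpected key"))
    return findings

if __name__ == "__main__":
    for name, reason in non_cmek_backups(SAMPLE_BACKUPS_JSON):
        print(f"{reason}: {name} (cluster {cluster_of(name)})")
```

Backups inherit the key of the cluster they were taken from, so a "not customer-managed" finding points at a cluster that still needs the key configured, not at a backup that can be edited in place.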