Bigtable Cluster Backups Should Be Encrypted With Customer Managed Keys

More Info:

Ensure that Bigtable cluster Backups are encrypted with CMK.

Risk Level

High

Address

Security

Compliance Standards

SOC2, NIST, GDPR, ISO27001, HIPAA, HITRUST

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration of Bigtable Cluster Backups not being encrypted with customer-managed keys, you can follow the below steps using GCP CLI:

Create a new key ring:

gcloud kms keyrings create [KEYRING_NAME] --location=[LOCATION]

Replace [KEYRING_NAME] with the name of the key ring you want to create and [LOCATION] with the location where you want to create the key ring.

Create a new key:

gcloud kms keys create [KEY_NAME] --keyring=[KEYRING_NAME] --location=[LOCATION] --purpose=encryption

Replace [KEY_NAME] with the name of the key you want to create and [KEYRING_NAME] and [LOCATION] with the name of the key ring and location where you created the key ring in step 1.

Grant the Cloud Key Management Service (KMS) service account permission to access the key:

gcloud kms keys add-iam-policy-binding [KEY_NAME] --keyring=[KEYRING_NAME] --location=[LOCATION] --member=serviceAccount:cloudkms@[PROJECT_ID].iam.gserviceaccount.com --role=roles/cloudkms.cryptoKeyEncrypterDecrypter

Replace [KEY_NAME], [KEYRING_NAME], [LOCATION], and [PROJECT_ID] with the name of the key, key ring, location, and project ID where you created the key ring.

Enable encryption for Bigtable backups:

gcloud beta bigtable clusters update [CLUSTER_ID] --backup-encryption-key=[KEY_NAME] --backup-encryption-key-version=1

Replace [CLUSTER_ID] with the ID of the Bigtable cluster you want to update, [KEY_NAME] with the name of the key you created in step 2, and 1 with the version number of the key.After following these steps, all new backups for the Bigtable cluster will be encrypted with the customer-managed key.

Using Python

To remediate the misconfiguration of Bigtable Cluster Backups Should Be Encrypted With Customer Managed Keys in GCP, you can follow the below steps using Python:

First, create a customer-managed encryption key (CMEK) in the Cloud Key Management Service (KMS) using the following code:

from google.cloud import kms_v1
from google.cloud.kms_v1 import enums

def create_key(project_id, location_id, key_ring_id, key_id):
    client = kms_v1.KeyManagementServiceClient()
    parent = client.key_ring_path(project_id, location_id, key_ring_id)

    purpose = enums.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT
    algorithm = enums.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION

    crypto_key = {
        'purpose': purpose,
        'version_template': {
            'algorithm': algorithm
        }
    }

    response = client.create_crypto_key(parent, key_id, crypto_key)

    print('Created key: {}'.format(response.name))

Next, enable encryption for your Bigtable cluster backups using the CMEK you just created:

from google.cloud import bigtable_admin_v2
from google.cloud.bigtable_admin_v2 import enums

def enable_backup_encryption(project_id, instance_id, cluster_id, key_name):
    client = bigtable_admin_v2.BigtableTableAdminClient()
    cluster_name = client.cluster_path(project_id, instance_id, cluster_id)
    encryption_config = {
        'encryption_type': enums.EncryptionInfo.EncryptionType.GOOGLE_DEFAULT_ENCRYPTION,
        'encryption_info': {
            'kms_key_name': key_name
        }
    }
    cluster = client.get_cluster(cluster_name)
    cluster.encryption_config = encryption_config
    update_mask = {
        'paths': [
            'encryption_config'
        ]
    }
    client.update_cluster(cluster, update_mask)

Finally, verify that encryption is enabled for your Bigtable cluster backups:

from google.cloud.bigtable import Client

def verify_encryption_enabled(project_id, instance_id, cluster_id):
    client = Client(project=project_id, admin=True)
    cluster = client.instance(instance_id).cluster(cluster_id)
    if cluster.encryption_config.encryption_type == enums.EncryptionInfo.EncryptionType.GOOGLE_DEFAULT_ENCRYPTION:
        print('Encryption is enabled for cluster backups.')
    else:
        print('Encryption is not enabled for cluster backups.')

Note: Make sure to replace project_id, location_id, key_ring_id, key_id, instance_id, cluster_id, and key_name with your own values.By following these steps, you can remediate the misconfiguration of Bigtable Cluster Backups Should Be Encrypted With Customer Managed Keys in GCP using Python.

Additional Reading:

https://cloud.google.com/bigtable/docs/cmek

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

Bigtable Cluster Backups Should Be Encrypted With Customer Managed Keys

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: