More Info:

Ensure that Bigtable clusters are encrypted

Risk Level

High

Address

Security

Compliance Standards

SOC2, NIST, GDPR, ISO27001, HIPAA, HITRUST, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Bigtable Cluster should be encrypted” in GCP, you can follow the below steps using the GCP console:
  1. Open the GCP console and navigate to the Bigtable instance that needs to be encrypted.
  2. Click on the “Edit” button on the top of the page.
  3. Scroll down to the “Encryption” section and click on the “Edit” button next to it.
  4. Select the “Customer-managed key” option and choose the key that you want to use for encryption.
  5. Click on the “Save” button to save the changes.
  6. Once the changes are saved, the Bigtable cluster will be encrypted using the selected customer-managed key.
  7. Verify the encryption status of the Bigtable cluster by checking the “Encryption” section on the Bigtable instance page. It should show that the cluster is encrypted using the selected customer-managed key.
By following these steps, you can remediate the misconfiguration “Bigtable Cluster should be encrypted” in GCP using the GCP console.

To remediate the misconfiguration of a non-encrypted Bigtable cluster in GCP, you can follow these steps using GCP CLI:
  1. Open the Cloud Shell in your GCP console.
  2. Check the current status of the Bigtable cluster by running the following command: 
gcloud beta bigtable clusters describe [CLUSTER_ID] --project=[PROJECT_ID] --instance=[INSTANCE_ID]
  1. If the output shows that the cluster is not encrypted, then run the following command to enable encryption:
gcloud beta bigtable clusters update [CLUSTER_ID] --project=[PROJECT_ID] --instance=[INSTANCE_ID] --encryption-at-rest-state=ENABLED
  1. Wait for the update to complete. This may take a few minutes.
  2. Verify that the encryption is enabled by running the following command: 
gcloud beta bigtable clusters describe [CLUSTER_ID] --project=[PROJECT_ID] --instance=[INSTANCE_ID]
  1. Check the output to confirm that the encryption-at-rest-state is set to ENABLED.
  2. Once you have confirmed that the encryption is enabled, you have successfully remediated the non-encrypted Bigtable cluster misconfiguration.
To remediate the misconfiguration “Bigtable Cluster Should Be Encrypted” in GCP using python, you can follow the below steps:
  1. Open the GCP console and navigate to the Bigtable Clusters page.
  2. Select the Bigtable cluster that needs to be encrypted.
  3. Click on the “Edit” button to edit the cluster configuration.
  4. In the “Security” section, check if the “Encryption” option is enabled. If not, enable it.
  5. Choose the encryption type that you want to use. You can choose between Google-managed encryption keys or customer-managed encryption keys.
  6. If you choose customer-managed encryption keys, provide the key name and key version.
  7. Save the changes to update the Bigtable cluster configuration.
  8. To automate this process using python, you can use the GCP SDK libraries. Here is an example code snippet to enable encryption for a Bigtable cluster using python: 
from google.cloud import bigtable

client = bigtable.Client(project='your-project-id')
instance = client.instance('your-instance-id')
cluster = instance.cluster('your-cluster-id')

# Enable encryption
cluster.encryption_at_rest_type = 'GOOGLE_DEFAULT_ENCRYPTION'
cluster.update()
In the above code snippet, replace “your-project-id”, “your-instance-id” and “your-cluster-id” with the actual values for your Bigtable cluster. Also, you can choose the encryption type as per your requirement.

Additional Reading: