More Info:

Ensure that Bigtable clusters are encrypted with CMKs

Risk Level

High

Address

Security

Compliance Standards

SOC2, NIST, GDPR, ISO27001, HIPAA, HITRUST

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Bigtable Cluster Should Be Encrypted With Customer Managed Keys” for GCP using GCP Console, please follow the below steps:
  1. Log in to your GCP Console.
  2. Go to the Bigtable instances page by clicking on “Navigation Menu > Bigtable” or by searching for “Bigtable” in the search bar.
  3. Select the Bigtable instance that you want to remediate.
  4. Click on the “Encryption” tab.
  5. Under the “Encryption at rest” section, select “Customer-managed key”.
  6. Click on “Create a key”.
  7. Choose the location for the key.
  8. Choose the key ring for the key.
  9. Enter a name for the key.
  10. Click on “Create”.
  11. Select the newly created key from the dropdown menu.
  12. Click on “Save” to save the changes.
After following these steps, your Bigtable cluster will be encrypted with customer-managed keys and the misconfiguration will be remediated.

To remediate the misconfiguration in GCP, follow these steps:
  1. Open the Google Cloud Console and select the project where the Bigtable cluster is located.
  2. Open the Cloud Shell by clicking on the icon in the top right corner of the console.
  3. In the Cloud Shell, run the following command to enable the Cloud Key Management Service (KMS) API: 
    gcloud services enable cloudkms.googleapis.com
  4. Create a new keyring in the Cloud KMS: 
    gcloud kms keyrings create <keyring-name> --location <location>
    Replace <keyring-name> with a name for the keyring and <location> with the location where the keyring will be stored (for example, us-central1).
  5. Create a new key in the keyring: 
    gcloud kms keys create <key-name> --keyring <keyring-name> --location <location> --purpose encryption
    Replace <key-name> with a name for the key.
  6. Get the resource ID of the key: 
    gcloud kms keys describe <key-name> --keyring <keyring-name> --location <location> --format="value(name)"
  7. Update the Bigtable cluster to use the customer-managed encryption key: 
    gcloud beta bigtable clusters update <cluster-id> --location <location> --encryption-type=customer-managed --kms-key-name=<key-resource-id>
    Replace <cluster-id> with the ID of the Bigtable cluster and <key-resource-id> with the resource ID of the key obtained in step 6.
  8. Verify that the Bigtable cluster is now using the customer-managed encryption key: 
    gcloud beta bigtable clusters describe <cluster-id> --location <location> --format="value(encryptionConfig.kmsKeyName)"
    This command should return the resource ID of the key.
That’s it! Your Bigtable cluster is now encrypted with a customer-managed key.
To remediate the misconfiguration “Bigtable Cluster Should Be Encrypted With Customer Managed Keys” for GCP using Python, you can follow the below steps:
  1. Enable the Cloud Key Management Service (KMS) API for your project.
  2. Create a new key ring and a new key in the Cloud KMS.
  3. Grant the necessary permissions to the Cloud KMS key.
  4. Create a new instance of the Bigtable client library.
  5. Retrieve the Bigtable cluster instance by its ID.
  6. Create a new instance of the google.cloud.bigtable_admin_v2.types.EncryptionInfo class.
  7. Set the encryption_type property of the EncryptionInfo instance to google.cloud.bigtable_admin_v2.enums.EncryptionInfo.EncryptionType.CUSTOMER_MANAGED_ENCRYPTION.
  8. Set the kms_key_name property of the EncryptionInfo instance to the name of the Cloud KMS key.
  9. Update the Bigtable cluster instance with the new encryption configuration by calling the update_cluster method of the Bigtable client library.
Here’s a sample Python code to remediate the misconfiguration “Bigtable Cluster Should Be Encrypted With Customer Managed Keys”:
from google.cloud import bigtable_admin_v2
from google.cloud.bigtable_admin_v2.types import EncryptionInfo, EncryptionType

# Set the project ID and the Bigtable instance ID
project_id = 'your-project-id'
instance_id = 'your-instance-id'

# Set the Cloud KMS key name
kms_key_name = 'projects/{}/locations/{}/keyRings/{}/cryptoKeys/{}'.format(
    project_id, 'global', 'your-key-ring', 'your-key')

# Create a new instance of the Bigtable client library
client = bigtable_admin_v2.BigtableInstanceAdminClient()

# Retrieve the Bigtable cluster instance by its ID
cluster_name = client.cluster_path(project_id, instance_id, 'your-cluster-id')
cluster = client.get_cluster(cluster_name)

# Create a new instance of the EncryptionInfo class
encryption_info = EncryptionInfo()

# Set the encryption type to CUSTOMER_MANAGED_ENCRYPTION
encryption_info.encryption_type = EncryptionType.CUSTOMER_MANAGED_ENCRYPTION

# Set the Cloud KMS key name
encryption_info.kms_key_name = kms_key_name

# Update the Bigtable cluster instance with the new encryption configuration
update_mask = {'paths': ['encryption_config']}
update_cluster_request = {
    'cluster': cluster,
    'update_mask': update_mask,
    'encryption_config': encryption_info
}
client.update_cluster(update_cluster_request)
Note: Make sure to replace the placeholders your-project-id, your-instance-id, your-cluster-id, your-key-ring, and your-key with the actual values specific to your GCP project and Bigtable instance.

Additional Reading: