GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
Bigtable Cluster Should Be Encrypted With Customer Managed Keys
More Info:
Ensure that Bigtable clusters are encrypted with CMKs
Risk Level
High
Address
Security
Compliance Standards
SOC2, NIST, GDPR, ISO27001, HIPAA, HITRUST
Triage and Remediation
Remediation
To remediate the misconfiguration “Bigtable Cluster Should Be Encrypted With Customer Managed Keys” for GCP using GCP Console, please follow the below steps:
- Log in to your GCP Console.
- Go to the Bigtable instances page by clicking on “Navigation Menu > Bigtable” or by searching for “Bigtable” in the search bar.
- Select the Bigtable instance that you want to remediate.
- Click on the “Encryption” tab.
- Under the “Encryption at rest” section, select “Customer-managed key”.
- Click on “Create a key”.
- Choose the location for the key.
- Choose the key ring for the key.
- Enter a name for the key.
- Click on “Create”.
- Select the newly created key from the dropdown menu.
- Click on “Save” to save the changes.
After following these steps, your Bigtable cluster will be encrypted with customer-managed keys and the misconfiguration will be remediated.
To remediate the misconfiguration in GCP, follow these steps:
-
Open the Google Cloud Console and select the project where the Bigtable cluster is located.
-
Open the Cloud Shell by clicking on the icon in the top right corner of the console.
-
In the Cloud Shell, run the following command to enable the Cloud Key Management Service (KMS) API:
gcloud services enable cloudkms.googleapis.com -
Create a new keyring in the Cloud KMS:
gcloud kms keyrings create <keyring-name> --location <location>Replace
<keyring-name>with a name for the keyring and<location>with the location where the keyring will be stored (for example, us-central1). -
Create a new key in the keyring:
gcloud kms keys create <key-name> --keyring <keyring-name> --location <location> --purpose encryptionReplace
<key-name>with a name for the key. -
Get the resource ID of the key:
gcloud kms keys describe <key-name> --keyring <keyring-name> --location <location> --format="value(name)" -
Update the Bigtable cluster to use the customer-managed encryption key:
gcloud beta bigtable clusters update <cluster-id> --location <location> --encryption-type=customer-managed --kms-key-name=<key-resource-id>Replace
<cluster-id>with the ID of the Bigtable cluster and<key-resource-id>with the resource ID of the key obtained in step 6. -
Verify that the Bigtable cluster is now using the customer-managed encryption key:
gcloud beta bigtable clusters describe <cluster-id> --location <location> --format="value(encryptionConfig.kmsKeyName)"This command should return the resource ID of the key.
That’s it! Your Bigtable cluster is now encrypted with a customer-managed key.
To remediate the misconfiguration “Bigtable Cluster Should Be Encrypted With Customer Managed Keys” for GCP using Python, you can follow the below steps:
-
Enable the Cloud Key Management Service (KMS) API for your project.
-
Create a new key ring and a new key in the Cloud KMS.
-
Grant the necessary permissions to the Cloud KMS key.
-
Create a new instance of the Bigtable client library.
-
Retrieve the Bigtable cluster instance by its ID.
-
Create a new instance of the
google.cloud.bigtable_admin_v2.types.EncryptionInfoclass. -
Set the
encryption_typeproperty of theEncryptionInfoinstance togoogle.cloud.bigtable_admin_v2.enums.EncryptionInfo.EncryptionType.CUSTOMER_MANAGED_ENCRYPTION. -
Set the
kms_key_nameproperty of theEncryptionInfoinstance to the name of the Cloud KMS key. -
Update the Bigtable cluster instance with the new encryption configuration by calling the
update_clustermethod of the Bigtable client library.
Here’s a sample Python code to remediate the misconfiguration “Bigtable Cluster Should Be Encrypted With Customer Managed Keys”:
from google.cloud import bigtable_admin_v2
from google.cloud.bigtable_admin_v2.types import EncryptionInfo, EncryptionType
# Set the project ID and the Bigtable instance ID
project_id = 'your-project-id'
instance_id = 'your-instance-id'
# Set the Cloud KMS key name
kms_key_name = 'projects/{}/locations/{}/keyRings/{}/cryptoKeys/{}'.format(
project_id, 'global', 'your-key-ring', 'your-key')
# Create a new instance of the Bigtable client library
client = bigtable_admin_v2.BigtableInstanceAdminClient()
# Retrieve the Bigtable cluster instance by its ID
cluster_name = client.cluster_path(project_id, instance_id, 'your-cluster-id')
cluster = client.get_cluster(cluster_name)
# Create a new instance of the EncryptionInfo class
encryption_info = EncryptionInfo()
# Set the encryption type to CUSTOMER_MANAGED_ENCRYPTION
encryption_info.encryption_type = EncryptionType.CUSTOMER_MANAGED_ENCRYPTION
# Set the Cloud KMS key name
encryption_info.kms_key_name = kms_key_name
# Update the Bigtable cluster instance with the new encryption configuration
update_mask = {'paths': ['encryption_config']}
update_cluster_request = {
'cluster': cluster,
'update_mask': update_mask,
'encryption_config': encryption_info
}
client.update_cluster(update_cluster_request)
Note: Make sure to replace the placeholders your-project-id, your-instance-id, your-cluster-id, your-key-ring, and your-key with the actual values specific to your GCP project and Bigtable instance.