Triage and Remediation
Remediation
Using Console
To remediate the misconfiguration “Bigtable Cluster Should Be Encrypted With Customer Managed Keys” for GCP using the GCP Console, follow the steps below:
- Log in to your GCP Console.
- Go to the Bigtable instances page by clicking on “Navigation Menu > Bigtable” or by searching for “Bigtable” in the search bar.
- Select the Bigtable instance that you want to remediate.
- Click on the “Encryption” tab.
- Under the “Encryption at rest” section, select “Customer-managed key”.
- Click on “Create a key”.
- Choose the location for the key.
- Choose the key ring for the key.
- Enter a name for the key.
- Click on “Create”.
- Select the newly created key from the dropdown menu.
- Click on “Save” to save the changes.
Using CLI
To remediate the misconfiguration in GCP, follow these steps:
- Open the Google Cloud Console and select the project where the Bigtable cluster is located.
- Open the Cloud Shell by clicking on the icon in the top right corner of the console.
- In the Cloud Shell, run the following command to enable the Cloud Key Management Service (KMS) API:
- Create a new keyring in the Cloud KMS. Replace <keyring-name> with a name for the keyring and <location> with the location where the keyring will be stored (for example, us-central1).
- Create a new key in the keyring. Replace <key-name> with a name for the key.
- Get the resource ID of the key.
- Update the Bigtable cluster to use the customer-managed encryption key. Replace <cluster-id> with the ID of the Bigtable cluster and <key-resource-id> with the resource ID of the key obtained in step 6.
- Verify that the Bigtable cluster is now using the customer-managed encryption key. This command should return the resource ID of the key.
Using Python
To remediate the misconfiguration “Bigtable Cluster Should Be Encrypted With Customer Managed Keys” for GCP using Python, you can follow the steps below:
- Enable the Cloud Key Management Service (KMS) API for your project.
- Create a new key ring and a new key in the Cloud KMS.
- Grant the necessary permissions to the Cloud KMS key.
- Create a new instance of the Bigtable client library.
- Retrieve the Bigtable cluster instance by its ID.
- Create a new instance of the google.cloud.bigtable_admin_v2.types.EncryptionInfo class.
- Set the encryption_type property of the EncryptionInfo instance to google.cloud.bigtable_admin_v2.enums.EncryptionInfo.EncryptionType.CUSTOMER_MANAGED_ENCRYPTION.
- Set the kms_key_name property of the EncryptionInfo instance to the name of the Cloud KMS key.
- Update the Bigtable cluster instance with the new encryption configuration by calling the update_cluster method of the Bigtable client library.
Note: Make sure to replace the placeholders your-project-id, your-instance-id, your-cluster-id, your-key-ring, and your-key with the actual values specific to your GCP project and Bigtable instance.
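The CLI and Python procedures above both come down to the same three actions: have a Cloud KMS key in the cluster's region, attach that key to the cluster, and verify that the cluster reports it. The block below is an added example, not code from the original page or from Google. It uses the google-cloud-bigtable admin client's Cluster.EncryptionConfig field (the EncryptionInfo type named in the steps above is the read-only status that a cluster or table reports) and creates the cluster with the key, since Bigtable applies CMEK when a cluster is created. The project, instance, cluster, zone, key ring and key names are placeholders; the KMS key is assumed to exist already, and the Bigtable service agent is assumed to hold roles/cloudkms.cryptoKeyEncrypterDecrypter on it. The key-versus-zone region check and the cluster inspection run offline, on either the JSON form printed by gcloud or the object returned by the client; only create_cmek_cluster talks to GCP.

```python
"""Added example (not part of the original page): create a CMEK-protected
Bigtable cluster with the google-cloud-bigtable admin client and verify it.

Placeholder values (assumptions): your-project-id, your-instance-id,
your-cluster-id, zone us-central1-b, key ring your-key-ring, key your-key.
The KMS key is assumed to exist and the Bigtable service agent is assumed to
already hold roles/cloudkms.cryptoKeyEncrypterDecrypter on it.
"""
import re

# Resource-name shapes of Cloud KMS keys and GCP zones.
KMS_KEY_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/(?P<ring>[^/]+)/cryptoKeys/(?P<key>[^/]+)$"
)
ZONE_RE = re.compile(r"^(?P<region>[a-z]+-[a-z]+[0-9]+)-[a-z]$")


def kms_key_name(project, location, key_ring, key):
    """Full resource name of a Cloud KMS key, in the form Bigtable expects."""
    return (f"projects/{project}/locations/{location}"
            f"/keyRings/{key_ring}/cryptoKeys/{key}")


def key_region(kms_key):
    """Region (KMS location) embedded in a key resource name."""
    m = KMS_KEY_RE.match(kms_key)
    if not m:
        raise ValueError(f"not a Cloud KMS key resource name: {kms_key!r}")
    return m.group("location")


def zone_region(zone):
    """Region of a zone: 'us-central1-b' -> 'us-central1'."""
    m = ZONE_RE.match(zone)
    if not m:
        raise ValueError(f"not a GCP zone name: {zone!r}")
    return m.group("region")


def key_fits_zone(kms_key, zone):
    """A CMEK key must be in the same region as the cluster's zone; Bigtable
    rejects the cluster otherwise, so check it before calling the API."""
    return key_region(kms_key) == zone_region(zone)


def cluster_is_cmek(cluster, expected_key=None):
    """True when a cluster reports a KMS key (optionally a specific one).

    Accepts either the JSON form (dict, as printed by
    `gcloud bigtable clusters describe --format=json`) or the Cluster object
    returned by BigtableInstanceAdminClient.get_cluster/create_cluster.
    """
    if isinstance(cluster, dict):
        key = (cluster.get("encryptionConfig") or {}).get("kmsKeyName") or ""
    else:
        cfg = getattr(cluster, "encryption_config", None)
        key = getattr(cfg, "kms_key_name", "") or ""
    if not key:
        return False  # Google-managed encryption: the finding still applies
    return expected_key is None or key == expected_key


def create_cmek_cluster(project, instance, cluster_id, zone, kms_key, nodes=1):
    """Create a cluster whose data is encrypted with `kms_key`.

    The SDK is imported lazily so the offline checks above run without it.
    """
    if not key_fits_zone(kms_key, zone):
        raise ValueError(f"{kms_key} is not in the region of zone {zone}")
    from google.cloud import bigtable_admin_v2 as admin  # pip install google-cloud-bigtable

    client = admin.BigtableInstanceAdminClient()
    cluster = admin.types.Cluster(
        location=f"projects/{project}/locations/{zone}",
        serve_nodes=nodes,
        default_storage_type=admin.types.StorageType.SSD,
        encryption_config=admin.types.Cluster.EncryptionConfig(kms_key_name=kms_key),
    )
    operation = client.create_cluster(
        parent=f"projects/{project}/instances/{instance}",
        cluster_id=cluster_id,
        cluster=cluster,
    )
    created = operation.result()  # long-running operation; wait for the cluster
    if not cluster_is_cmek(created, kms_key):
        raise RuntimeError("cluster came back without the expected CMEK key")
    return created


if __name__ == "__main__":
    # Offline dry run with the placeholder values; no GCP call is made here.
    key = kms_key_name("your-project-id", "us-central1", "your-key-ring", "your-key")
    print("key region matches zone:", key_fits_zone(key, "us-central1-b"))
    sample = {"encryptionConfig": {"kmsKeyName": key}}  # constructed describe output
    print("sample cluster is CMEK:", cluster_is_cmek(sample, key))
```

Run the module directly for the offline checks, or call create_cmek_cluster with real values in an environment where Application Default Credentials are set. The same cluster_is_cmek check can be fed the JSON from gcloud bigtable clusters describe --format=json for every cluster in an instance, which is how to confirm the finding is closed rather than trusting that the create call succeeded.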