More Info:

Ensure that Bigtable cluster tables are encrypted.

Risk Level

High

Address

Security

Compliance Standards

SOC2, NIST, GDPR, ISO27001, HIPAA, HITRUST, NISTCSF

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Bigtable Cluster Tables Should Be Encrypted” for GCP using GCP console, follow the below steps:
  1. Open the Google Cloud Console and navigate to the Bigtable instance that needs to be remediated.
  2. Click on the name of the instance to open its details page.
  3. In the left-hand menu, click on “Encryption”.
  4. Under “Encryption at rest”, select “Customer-managed encryption keys (CMEK)”.
  5. Choose a key from the list of existing keys or create a new one by clicking on “Create a key”.
  6. If creating a new key, enter a name and select a location for the key.
  7. Click “Create” to create the key.
  8. Once a key is selected or created, click “Save” to enable encryption for the Bigtable instance.
  9. Repeat these steps for each Bigtable instance that needs to be remediated.
By following these steps, you can enable encryption for Bigtable Cluster Tables on GCP using GCP console.

To remediate the misconfiguration “Bigtable Cluster Tables Should Be Encrypted” in GCP using GCP CLI, you can follow the below steps:
  1. Open the Cloud Shell in the GCP Console.
  2. Run the following command to list all the Bigtable instances in the project: 
gcloud bigtable instances list
  1. Select the Bigtable instance for which you want to enable encryption.
  2. Run the following command to enable encryption for the selected Bigtable instance: 
gcloud beta bigtable instances update [INSTANCE_ID] --cluster [CLUSTER_ID] --encryption-at-rest-kms-key-name [KMS_KEY_NAME]
Replace the [INSTANCE_ID] with the ID of the Bigtable instance, [CLUSTER_ID] with the ID of the cluster, and [KMS_KEY_NAME] with the name of the KMS key to use for encryption.
  1. Verify that encryption is enabled for the Bigtable cluster by running the following command:
gcloud beta bigtable clusters describe [CLUSTER_ID] --instance [INSTANCE_ID]
This command will display the cluster details, including the encryption configuration.By following these steps, you can remediate the misconfiguration “Bigtable Cluster Tables Should Be Encrypted” for GCP using GCP CLI.
To remediate the misconfiguration “Bigtable Cluster Tables Should Be Encrypted” in GCP using Python, you can follow the below steps:
  1. First, you need to install the required libraries. You can install the google-cloud-bigtable library using the following command:
pip install google-cloud-bigtable
  1. Next, you need to create a client object for Bigtable. You can do this using the following code:
from google.cloud import bigtable

# Create a client object for Bigtable
client = bigtable.Client(project='PROJECT_ID', admin=True)
Replace PROJECT_ID with your GCP project ID.
  1. Once you have created the client object, you can get a list of all the Bigtable instances in your project using the following code:
# Get a list of all the Bigtable instances in the project
instances = client.list_instances()
  1. For each instance, you can get a list of all the tables and check if the tables are encrypted or not using the following code:
# Loop through all the instances
for instance in instances:
    # Get a list of all the tables in the instance
    tables = instance.list_tables()
    # Loop through all the tables
    for table in tables:
        # Check if the table is encrypted or not
        if not table.encryption_type:
            # If the table is not encrypted, enable encryption
            table.encryption_type = 'GOOGLE_DEFAULT_ENCRYPTION'
            table.update()
  1. Finally, you can save the changes by calling the update() method on the table object.
By following these steps, you can remediate the misconfiguration “Bigtable Cluster Tables Should Be Encrypted” for GCP using Python.

Additional Reading: