More Info:
Ensure that Bigtable cluster tables are encrypted with CMK.
Risk Level
High
Address
Security
Compliance Standards
SOC2, NIST, GDPR, ISO27001, HIPAA, HITRUST
Triage and Remediation
Remediation
Using Console
To remediate Bigtable cluster tables that are not encrypted with customer-managed keys in GCP, follow these steps (the later steps refer back to these numbers):
1. Open the Google Cloud Console and navigate to the Bigtable instance that you want to remediate.
2. Click on the "Encryption" tab in the left-hand menu.
3. Under the "Encryption at rest" section, click on the "Edit" button.
4. Select "Customer-managed key" as the encryption type.
5. Click on the "Select key" button and choose an existing key or create a new one.
6. Click on the "Save" button to apply the changes.
7. Once the encryption type is updated, enable the encryption for each table in the Bigtable cluster.
8. Click on the "Tables" tab in the left-hand menu and select the table that you want to encrypt.
9. Click on the "Edit" button and select "Customer-managed key" as the encryption type.
10. Click on the "Select key" button and choose the same key that you selected in step 5.
11. Click on the "Save" button to apply the changes.
12. Repeat steps 8-11 for each table in the Bigtable cluster.
Using CLI
To remediate this misconfiguration from the command line, follow these steps:
- Open the Cloud Shell in your GCP console.
- Run the following command to check whether the Bigtable cluster tables are encrypted with customer-managed keys:
  Replace [TABLE_ID], [CLUSTER_ID], [PROJECT_ID], and [INSTANCE_ID] with the actual values.
- If the output shows that the tables are not encrypted with customer-managed keys, create a new key ring and key for encryption. Run the following commands to create a new key ring and key:
  Replace [KEYRING_NAME], [LOCATION], [PROJECT_ID], and [KEY_NAME] with the actual values.
- After creating the key ring and key, set the encryption for the Bigtable cluster tables. Run the following command to set the encryption:
  Replace [TABLE_ID], [CLUSTER_ID], [PROJECT_ID], [INSTANCE_ID], [SERVICE_ACCOUNT_EMAIL], and [KEY_NAME] with the actual values.
- Verify that the tables are now encrypted with the customer-managed keys by running the check command from the second step again:
  The output should show that the tables are now encrypted with the customer-managed keys.
Using Python
To remediate the misconfiguration "Bigtable Cluster Tables Should Be Encrypted With Customer Managed Keys" in GCP using Python, follow these steps. Throughout, replace the placeholders with your own project ID, instance ID, cluster ID, location ID, key ring name, and key name.
- Open the Cloud Shell in the GCP Console.
- Install the Google Cloud Bigtable Python client library by running the following command:
- Create a new key ring in the Cloud Key Management Service (KMS) by running the following command:
  Replace <key-ring-name> with the name of your key ring and <location> with the location where you want to store the key ring.
- Create a new key in the key ring by running the following command:
  Replace <key-name> with the name of your key.
- Enable the Cloud Bigtable API by running the following command:
- Use the following Python script to update the encryption configuration of your Bigtable cluster tables to use customer-managed keys:
- Run the Python script to update the encryption configuration of your Bigtable cluster tables to use customer-managed keys.
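As an added verification example (not part of this page or of any Google tooling), the following Python audits the JSON that `gcloud bigtable clusters list --format=json` prints and flags each cluster whose `encryptionConfig.kmsKeyName` is missing or malformed; Bigtable applies CMEK per cluster, so this is the check behind the verification step in the CLI section above and a finding list you could print from the Python script. The embedded sample JSON and every project, instance, cluster and key name in it are constructed.

```python
import json
import re

# Constructed sample of `gcloud bigtable clusters list --instances=INSTANCE_ID --format=json`
# output; project, instance, cluster and key names are hypothetical.
SAMPLE_CLUSTERS_JSON = """[
  {"name": "projects/demo-proj/instances/demo-inst/clusters/demo-inst-c1",
   "location": "projects/demo-proj/locations/us-central1-a",
   "encryptionConfig": {"kmsKeyName":
     "projects/demo-proj/locations/us-central1/keyRings/bt-ring/cryptoKeys/bt-key"}},
  {"name": "projects/demo-proj/instances/demo-inst/clusters/demo-inst-c2",
   "location": "projects/demo-proj/locations/europe-west1-b"},
  {"name": "projects/demo-proj/instances/demo-inst/clusters/demo-inst-c3",
   "location": "projects/demo-proj/locations/us-east1-b",
   "encryptionConfig": {"kmsKeyName":
     "projects/kms-proj/locations/us-east1/keyRings/shared-ring/cryptoKeys/bt-key"}}
]"""

# Resource-name pattern of a Cloud KMS key (a cryptoKey, not a cryptoKeyVersion).
KEY_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/(?P<ring>[^/]+)/cryptoKeys/(?P<key>[^/]+)$")

def audit_clusters(clusters_json):
    """One finding per cluster: PASS when a well-formed CMEK key is configured,
    FAIL when encryptionConfig.kmsKeyName is absent (Google-managed keys) or malformed."""
    findings = []
    for cluster in json.loads(clusters_json):
        cluster_project = cluster["name"].split("/")[1]
        cluster_id = cluster["name"].rsplit("/", 1)[-1]
        key_name = (cluster.get("encryptionConfig") or {}).get("kmsKeyName", "")
        finding = {"cluster": cluster_id, "key": key_name, "notes": []}
        match = KEY_RE.match(key_name)
        if not key_name:
            finding["status"] = "FAIL"
            finding["notes"].append("Google-managed encryption only; no CMEK key configured")
        elif not match:
            finding["status"] = "FAIL"
            finding["notes"].append("kmsKeyName is not a cryptoKeys resource name")
        else:
            finding["status"] = "PASS"
            if match["project"] != cluster_project:
                # Allowed, but the key's IAM policy lives outside the Bigtable project.
                finding["notes"].append(f"key is held in another project: {match['project']}")
        findings.append(finding)
    return findings

def failing_clusters(clusters_json):
    """IDs of clusters that still need remediation."""
    return [f["cluster"] for f in audit_clusters(clusters_json) if f["status"] == "FAIL"]

if __name__ == "__main__":
    for f in audit_clusters(SAMPLE_CLUSTERS_JSON):
        print(f["status"], f["cluster"], "; ".join(f["notes"]) or f["key"])
```

Pipe real `gcloud` output into `audit_clusters` instead of the sample to run it against your project.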