Bigtable Cluster Tables Should Be Encrypted With Customer Managed Keys

More Info:

Ensure that Bigtable cluster tables are encrypted with CMK.

Risk Level

High

Address

Security

Compliance Standards

SOC2, NIST, GDPR, ISO27001, HIPAA, HITRUST

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate this misconfiguration, you can follow the below steps:

Open the Cloud Shell in your GCP console.
Run the following command to check if the Bigtable cluster tables are encrypted with customer-managed keys:
```
gcloud bigtable tables describe [TABLE_ID] --cluster=[CLUSTER_ID] --project=[PROJECT_ID] --instance=[INSTANCE_ID]
```
Replace [TABLE_ID], [CLUSTER_ID], [PROJECT_ID], and [INSTANCE_ID] with the actual values.
If the output shows that the tables are not encrypted with customer-managed keys, then you need to create a new key ring and key for encryption. Run the following commands to create a new key ring and key:
```
gcloud kms keyrings create [KEYRING_NAME] --location=[LOCATION] --project=[PROJECT_ID]
gcloud kms keys create [KEY_NAME] --keyring=[KEYRING_NAME] --location=[LOCATION] --purpose=encryption --project=[PROJECT_ID]
```
Replace [KEYRING_NAME], [LOCATION], [PROJECT_ID], and [KEY_NAME] with the actual values.

After creating the key ring and key, you need to set the encryption for the Bigtable cluster tables. Run the following command to set the encryption:

gcloud bigtable tables set-iam-policy [TABLE_ID] --cluster=[CLUSTER_ID] --project=[PROJECT_ID] --instance=[INSTANCE_ID] --member="serviceAccount:[SERVICE_ACCOUNT_EMAIL]" --role="roles/bigtable.encryptionKeyEncrypterDecrypter" --condition="encryption.encryptionKeyName=[KEY_NAME]"

Replace [TABLE_ID], [CLUSTER_ID], [PROJECT_ID], [INSTANCE_ID], [SERVICE_ACCOUNT_EMAIL], and [KEY_NAME] with the actual values.

Verify that the tables are now encrypted with the customer-managed keys by running the following command again:
```
gcloud bigtable tables describe [TABLE_ID] --cluster=[CLUSTER_ID] --project=[PROJECT_ID] --instance=[INSTANCE_ID]
```
The output should show that the tables are now encrypted with the customer-managed keys.

By following these steps, you can remediate the misconfiguration in GCP using GCP CLI.

Using Python

To remediate the misconfiguration “Bigtable Cluster Tables Should Be Encrypted With Customer Managed Keys” in GCP using Python, follow these steps:

Open the Cloud Shell in the GCP Console.
Install the Google Cloud Bigtable Python client library by running the following command:

pip install google-cloud-bigtable

Create a new key ring in the Cloud Key Management Service (KMS) by running the following command:

gcloud kms keyrings create <key-ring-name> --location <location>

Replace <key-ring-name> with the name of your key ring and <location> with the location where you want to store the key ring.

Create a new key in the key ring by running the following command:

gcloud kms keys create <key-name> --keyring <key-ring-name> --location <location> --purpose encryption

Replace <key-name> with the name of your key.

Enable the Cloud Bigtable API by running the following command:

gcloud services enable bigtable.googleapis.com

Use the following Python script to update the encryption configuration of your Bigtable cluster tables to use customer-managed keys:

from google.cloud import bigtable
from google.cloud.bigtable import enums
from google.cloud.bigtable.admin import v2

# Set the project and instance IDs
project_id = 'your-project-id'
instance_id = 'your-instance-id'
cluster_id = 'your-cluster-id'
location_id = 'your-location-id'
key_ring_name = 'your-key-ring-name'
key_name = 'your-key-name'

# Create a Bigtable client
client = bigtable.Client(project=project_id)

# Create a Bigtable instance admin client
instance_admin_client = v2.BigtableInstanceAdminClient()

# Get the instance object
instance = client.instance(instance_id)

# Get the cluster object
cluster = instance.cluster(cluster_id)

# Create the encryption configuration object
encryption_config = v2.EncryptionConfig(
    kms_key_name=f"projects/{project_id}/locations/{location_id}/keyRings/{key_ring_name}/cryptoKeys/{key_name}",
    encryption_type=enums.EncryptionType.GOOGLE_DEFAULT_ENCRYPTION
)

# Update the cluster with the new encryption configuration
operation = instance_admin_client.update_cluster_encryption(
    request={
        "name": cluster.name,
        "encryption_config": encryption_config
    }
)

# Wait for the operation to complete
operation.result()

Replace the placeholders with your own project ID, instance ID, cluster ID, location ID, key ring name, and key name.

Run the Python script to update the encryption configuration of your Bigtable cluster tables to use customer-managed keys.

After completing these steps, your Bigtable cluster tables will be encrypted with customer-managed keys.

Additional Reading:

https://cloud.google.com/bigtable/docs/cmek

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

Bigtable Cluster Tables Should Be Encrypted With Customer Managed Keys

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: