More Info:

Ensure that Bigtable cluster tables are encrypted with CMK.

Risk Level

High

Address

Security

Compliance Standards

SOC2, NIST, GDPR, ISO27001, HIPAA, HITRUST

Triage and Remediation

Remediation

Using Console

To remediate the issue of Bigtable Cluster Tables not being encrypted with Customer Managed Keys in GCP, follow the below steps:
  1. Open the Google Cloud Console and navigate to the Bigtable instance that you want to remediate.
  2. Click on the “Encryption” tab from the left-hand side menu.
  3. Under the “Encryption at rest” section, click on the “Edit” button.
  4. Select “Customer-managed key” as the encryption type.
  5. Click on the “Select key” button and choose an existing key or create a new one.
  6. Click on the “Save” button to apply the changes.
  7. Once the encryption type is updated, you need to enable the encryption for each table in the Bigtable cluster.
  8. Click on the “Tables” tab from the left-hand side menu and select the table that you want to encrypt.
  9. Click on the “Edit” button and select “Customer-managed key” as the encryption type.
  10. Click on the “Select key” button and choose the same key that you selected in step 5.
  11. Click on the “Save” button to apply the changes.
  12. Repeat steps 8-11 for each table in the Bigtable cluster.
By following the above steps, you can remediate the issue of Bigtable Cluster Tables not being encrypted with Customer Managed Keys in GCP.

To remediate this misconfiguration, you can follow the below steps:
  1. Open the Cloud Shell in your GCP console.
  2. Run the following command to check if the Bigtable cluster tables are encrypted with customer-managed keys: 
    gcloud bigtable tables describe [TABLE_ID] --cluster=[CLUSTER_ID] --project=[PROJECT_ID] --instance=[INSTANCE_ID]
    Replace [TABLE_ID], [CLUSTER_ID], [PROJECT_ID], and [INSTANCE_ID] with the actual values.
  3. If the output shows that the tables are not encrypted with customer-managed keys, then you need to create a new key ring and key for encryption. Run the following commands to create a new key ring and key: 
    gcloud kms keyrings create [KEYRING_NAME] --location=[LOCATION] --project=[PROJECT_ID]
gcloud kms keys create [KEY_NAME] --keyring=[KEYRING_NAME] --location=[LOCATION] --purpose=encryption --project=[PROJECT_ID]
    Replace [KEYRING_NAME], [LOCATION], [PROJECT_ID], and [KEY_NAME] with the actual values.
  4. After creating the key ring and key, you need to set the encryption for the Bigtable cluster tables. Run the following command to set the encryption: 
    gcloud bigtable tables set-iam-policy [TABLE_ID] --cluster=[CLUSTER_ID] --project=[PROJECT_ID] --instance=[INSTANCE_ID] --member="serviceAccount:[SERVICE_ACCOUNT_EMAIL]" --role="roles/bigtable.encryptionKeyEncrypterDecrypter" --condition="encryption.encryptionKeyName=[KEY_NAME]"
    Replace [TABLE_ID], [CLUSTER_ID], [PROJECT_ID], [INSTANCE_ID], [SERVICE_ACCOUNT_EMAIL], and [KEY_NAME] with the actual values.
  5. Verify that the tables are now encrypted with the customer-managed keys by running the following command again: 
    gcloud bigtable tables describe [TABLE_ID] --cluster=[CLUSTER_ID] --project=[PROJECT_ID] --instance=[INSTANCE_ID]
    The output should show that the tables are now encrypted with the customer-managed keys.
By following these steps, you can remediate the misconfiguration in GCP using GCP CLI.
To remediate the misconfiguration “Bigtable Cluster Tables Should Be Encrypted With Customer Managed Keys” in GCP using Python, follow these steps:
  1. Open the Cloud Shell in the GCP Console.
  2. Install the Google Cloud Bigtable Python client library by running the following command: 
pip install google-cloud-bigtable
  1. Create a new key ring in the Cloud Key Management Service (KMS) by running the following command:
gcloud kms keyrings create <key-ring-name> --location <location>
Replace <key-ring-name> with the name of your key ring and <location> with the location where you want to store the key ring.
  1. Create a new key in the key ring by running the following command:
gcloud kms keys create <key-name> --keyring <key-ring-name> --location <location> --purpose encryption
Replace <key-name> with the name of your key.
  1. Enable the Cloud Bigtable API by running the following command:
gcloud services enable bigtable.googleapis.com
  1. Use the following Python script to update the encryption configuration of your Bigtable cluster tables to use customer-managed keys:
from google.cloud import bigtable
from google.cloud.bigtable import enums
from google.cloud.bigtable.admin import v2

# Set the project and instance IDs
project_id = 'your-project-id'
instance_id = 'your-instance-id'
cluster_id = 'your-cluster-id'
location_id = 'your-location-id'
key_ring_name = 'your-key-ring-name'
key_name = 'your-key-name'

# Create a Bigtable client
client = bigtable.Client(project=project_id)

# Create a Bigtable instance admin client
instance_admin_client = v2.BigtableInstanceAdminClient()

# Get the instance object
instance = client.instance(instance_id)

# Get the cluster object
cluster = instance.cluster(cluster_id)

# Create the encryption configuration object
encryption_config = v2.EncryptionConfig(
    kms_key_name=f"projects/{project_id}/locations/{location_id}/keyRings/{key_ring_name}/cryptoKeys/{key_name}",
    encryption_type=enums.EncryptionType.GOOGLE_DEFAULT_ENCRYPTION
)

# Update the cluster with the new encryption configuration
operation = instance_admin_client.update_cluster_encryption(
    request={
        "name": cluster.name,
        "encryption_config": encryption_config
    }
)

# Wait for the operation to complete
operation.result()
Replace the placeholders with your own project ID, instance ID, cluster ID, location ID, key ring name, and key name.
  1. Run the Python script to update the encryption configuration of your Bigtable cluster tables to use customer-managed keys.
After completing these steps, your Bigtable cluster tables will be encrypted with customer-managed keys.

Additional Reading: