Triage and Remediation
Remediation
Using Console
To remediate the issue of Bigtable Cluster Tables not being encrypted with Customer Managed Keys in GCP, follow the steps below:
1. Open the Google Cloud Console and navigate to the Bigtable instance that you want to remediate.
2. Click on the “Encryption” tab in the left-hand side menu.
3. Under the “Encryption at rest” section, click on the “Edit” button.
4. Select “Customer-managed key” as the encryption type.
5. Click on the “Select key” button and choose an existing key or create a new one.
6. Click on the “Save” button to apply the changes.
7. Once the encryption type is updated, you need to enable the encryption for each table in the Bigtable cluster.
8. Click on the “Tables” tab in the left-hand side menu and select the table that you want to encrypt.
9. Click on the “Edit” button and select “Customer-managed key” as the encryption type.
10. Click on the “Select key” button and choose the same key that you selected in step 5.
11. Click on the “Save” button to apply the changes.
12. Repeat steps 8-11 for each table in the Bigtable cluster.
Using CLI
To remediate this misconfiguration, you can follow the steps below:
- Open the Cloud Shell in your GCP console.
- Run the following command to check if the Bigtable cluster tables are encrypted with customer-managed keys. Replace [TABLE_ID], [CLUSTER_ID], [PROJECT_ID], and [INSTANCE_ID] with the actual values.
- If the output shows that the tables are not encrypted with customer-managed keys, then you need to create a new key ring and key for encryption. Run the following commands to create a new key ring and key. Replace [KEYRING_NAME], [LOCATION], [PROJECT_ID], and [KEY_NAME] with the actual values.
- After creating the key ring and key, you need to set the encryption for the Bigtable cluster tables. Run the following command to set the encryption. Replace [TABLE_ID], [CLUSTER_ID], [PROJECT_ID], [INSTANCE_ID], [SERVICE_ACCOUNT_EMAIL], and [KEY_NAME] with the actual values.
- Verify that the tables are now encrypted with the customer-managed keys by running the check command again. The output should show that the tables are now encrypted with the customer-managed keys.
Using Python
To remediate the misconfiguration “Bigtable Cluster Tables Should Be Encrypted With Customer Managed Keys” in GCP using Python, follow these steps. Replace the placeholders with your own project ID, instance ID, cluster ID, location ID, key ring name, and key name.
- Open the Cloud Shell in the GCP Console.
- Install the Google Cloud Bigtable Python client library by running the following command:
- Create a new key ring in the Cloud Key Management Service (KMS) by running the following command. Replace <key-ring-name> with the name of your key ring and <location> with the location where you want to store the key ring.
- Create a new key in the key ring by running the following command. Replace <key-name> with the name of your key.
- Enable the Cloud Bigtable API by running the following command:
- Use the following Python script to update the encryption configuration of your Bigtable cluster tables to use customer-managed keys:
- Run the Python script to update the encryption configuration of your Bigtable cluster tables to use customer-managed keys.
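The verification step in the CLI section and the Python section above both come down to the same question: does each cluster report a customer-managed key, and is that key one the cluster can actually use? The following is an added example, not the page's own script or Google's code. It assumes cluster records in the shape of the Cloud Bigtable Admin API Cluster resource (what `gcloud bigtable clusters list --instances=INSTANCE --format=json` emits), with the CMEK key under `encryptionConfig.kmsKeyName`, and it treats a key whose KMS location differs from the cluster's region as a finding, since Bigtable requires the key to be in the cluster's region. The `fetch_clusters` helper is a live variant built on the `google-cloud-bigtable` client and needs credentials; the sample records are constructed so the check runs offline.

```python
"""Added example: audit Bigtable clusters for customer-managed encryption keys.

Assumptions (not from the original page): cluster records use the Admin API
Cluster shape, with the CMEK key at encryptionConfig.kmsKeyName, and the key
must live in the same region as the cluster.
"""
import re
from typing import Dict, Iterable, List

# Fully qualified CryptoKey resource name:
# projects/P/locations/L/keyRings/R/cryptoKeys/K
KMS_KEY_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/(?P<key_ring>[^/]+)/cryptoKeys/(?P<key>[^/]+)$"
)


def cluster_region(cluster_location: str) -> str:
    """Turn 'projects/p/locations/us-central1-b' into 'us-central1'.

    Cluster locations are zones (region plus a '-x' suffix); KMS keys are
    regional, so the comparison has to be made at region granularity.
    """
    zone = cluster_location.rsplit("/", 1)[-1]
    return zone.rsplit("-", 1)[0] if zone.count("-") >= 2 else zone


def check_cluster(cluster: Dict) -> Dict:
    """Return a finding record for one cluster; compliant == no findings."""
    name = cluster.get("name", "")
    key = (cluster.get("encryptionConfig") or {}).get("kmsKeyName")
    findings: List[str] = []
    if not key:
        # No kmsKeyName means Google-managed encryption: the misconfiguration.
        findings.append("no customer-managed key: cluster uses Google-managed encryption")
    else:
        match = KMS_KEY_RE.match(key)
        if not match:
            findings.append(f"kmsKeyName is not a full CryptoKey resource name: {key}")
        else:
            region = cluster_region(cluster.get("location", ""))
            if match.group("location") != region:
                findings.append(
                    f"key location {match.group('location')} differs from cluster region {region}"
                )
    return {"cluster": name, "kms_key_name": key, "compliant": not findings, "findings": findings}


def check_clusters(clusters: Iterable[Dict]) -> List[Dict]:
    return [check_cluster(c) for c in clusters]


def fetch_clusters(project_id: str, instance_id: str) -> List[Dict]:
    """Live variant: read cluster encryption settings with google-cloud-bigtable.

    Requires credentials and `pip install google-cloud-bigtable`; not run offline.
    """
    from google.cloud import bigtable

    client = bigtable.Client(project=project_id, admin=True)
    clusters, _failed_locations = client.instance(instance_id).list_clusters()
    records = []
    for c in clusters:
        # kms_key_name is None when the cluster uses Google-managed encryption.
        enc = {"kmsKeyName": c.kms_key_name} if c.kms_key_name else {}
        records.append({
            "name": c.name,
            "location": f"projects/{project_id}/locations/{c.location_id}",
            "encryptionConfig": enc,
        })
    return records


# Constructed sample records (placeholder project/instance names).
SAMPLE_CLUSTERS = [
    {
        "name": "projects/my-project/instances/my-instance/clusters/c-cmek",
        "location": "projects/my-project/locations/us-central1-b",
        "encryptionConfig": {
            "kmsKeyName": "projects/my-project/locations/us-central1/keyRings/bt-ring/cryptoKeys/bt-key"
        },
    },
    {
        "name": "projects/my-project/instances/my-instance/clusters/c-default",
        "location": "projects/my-project/locations/us-central1-c",
    },
    {
        "name": "projects/my-project/instances/my-instance/clusters/c-wrong-region",
        "location": "projects/my-project/locations/europe-west1-b",
        "encryptionConfig": {
            "kmsKeyName": "projects/my-project/locations/us-central1/keyRings/bt-ring/cryptoKeys/bt-key"
        },
    },
]

if __name__ == "__main__":
    for result in check_clusters(SAMPLE_CLUSTERS):
        status = "OK " if result["compliant"] else "FAIL"
        print(f"{status} {result['cluster']}: {'; '.join(result['findings']) or 'CMEK in place'}")
```

Feed `check_clusters` the parsed output of the `gcloud` listing, or the records from `fetch_clusters`, and treat any non-compliant cluster as the misconfiguration this page describes; the region mismatch case is included because a key in the wrong location cannot be used by the cluster at all, so catching it at audit time saves a failed remediation.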