More Info:
Ensure that PubSub topics are encrypted using Customer-Managed Encryption Keys (CMEK). This gives you full control over the data encryption and decryption process. Customer-managed encryption keys can be created and managed with Cloud Key Management Service (Cloud KMS).
Risk Level: High
Address: Security
Compliance Standards: HITRUST, NISTCSF
Triage and Remediation
Remediation
Using Console
To remediate the misconfiguration “PubSub Topics Should Be Encrypted Using CMEK” for GCP using the GCP console, follow these steps:
- Login to your GCP console.
- Navigate to the Pub/Sub page from the left-hand side menu.
- Select the topic that you want to encrypt using CMEK.
- Click on the “Edit” button present at the top of the page.
- Scroll down to the “Encryption” section.
- Click on the “Enable encryption” checkbox.
- Select the “Customer-managed key” option from the dropdown.
- Choose the CMEK key that you want to use for encryption from the “Key name” dropdown.
- Click on the “Save” button to save the changes.
Using CLI
To remediate the misconfiguration in GCP using the GCP CLI, follow these steps:
- Open the Cloud Shell in the GCP Console.
- Set the project where the Pub/Sub topic is located:
- Retrieve the list of Pub/Sub topics in the project:
- For each topic that does not have encryption enabled, enable encryption using the following command:
  Replace [TOPIC_NAME] with the name of the Pub/Sub topic that needs to be encrypted, and replace [PROJECT_ID], [LOCATION], [KEYRING_NAME], and [KEY_NAME] with the appropriate values for your project.
- Verify that the encryption has been enabled for the topic by running the following command:
  The output should include the following line:
  This indicates that the topic is now encrypted using a customer-managed encryption key (CMEK).
Using Python
To remediate the misconfiguration where PubSub topics should be encrypted using CMEK in GCP using Python, follow these step-by-step instructions:
- First, ensure that you have the necessary permissions to create a new key ring and key in the Cloud KMS service.
- Next, create a new key ring and key in the Cloud KMS service. You can do this using the following Python code:
- Once you have created the key ring and key, you can use it to encrypt your PubSub topics. You can do this using the following Python code:
- Finally, verify that your PubSub topic is encrypted using CMEK by checking the topic details in the GCP Console or by using the following Python code:
These steps will help you remediate the misconfiguration where PubSub topics should be encrypted using CMEK in GCP using Python.
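The remediation described in the CLI and Python sections above (find topics without a customer-managed key, set one, verify), as an added example that is not part of the original page. The project, location, key ring, key and topic names are placeholders I have assumed; the `FakePublisher` is a constructed offline stand-in for `google.cloud.pubsub_v1.PublisherClient` so the logic can run without credentials, and the same functions accept the real client unchanged.

```python
"""Added example (not the page's own code): detect Pub/Sub topics that use
Google-managed encryption, switch them to a Cloud KMS key (CMEK), and verify.
Assumed placeholder values below; replace them with your own."""
from typing import List, Optional

PROJECT_ID = "my-project"        # assumed placeholder
LOCATION = "us-central1"         # assumed placeholder
KEYRING_NAME = "pubsub-keyring"  # assumed placeholder
KEY_NAME = "pubsub-topic-key"    # assumed placeholder


def kms_key_resource_name(project_id: str, location: str, keyring: str, key: str) -> str:
    """Fully qualified CryptoKey name, the value a topic's kms_key_name must hold."""
    return (f"projects/{project_id}/locations/{location}"
            f"/keyRings/{keyring}/cryptoKeys/{key}")


def topic_path(project_id: str, topic: str) -> str:
    return f"projects/{project_id}/topics/{topic}"


def is_cmek_encrypted(kms_key_name: Optional[str]) -> bool:
    """Compliant only when kms_key_name is a non-empty CryptoKey path.
    An empty value means Google-managed encryption, i.e. the misconfiguration."""
    return bool(kms_key_name) and "/cryptoKeys/" in kms_key_name


def find_unencrypted_topics(topics) -> List[str]:
    """topics: objects with .name and .kms_key_name (what list_topics yields)."""
    return [t.name for t in topics if not is_cmek_encrypted(t.kms_key_name)]


def set_topic_cmek(publisher, topic_name: str, key_name: str):
    """update_topic with a field mask limited to kms_key_name, so labels, schema
    and retention settings on the topic are left untouched."""
    return publisher.update_topic(request={
        "topic": {"name": topic_name, "kms_key_name": key_name},
        "update_mask": {"paths": ["kms_key_name"]},
    })


def verify_topic_cmek(publisher, topic_name: str, expected_key: str) -> bool:
    """Re-read the topic and compare the key actually stored, not the one sent."""
    return publisher.get_topic(request={"topic": topic_name}).kms_key_name == expected_key


def remediate_project(publisher, project_id: str, key_name: str) -> List[str]:
    """List every topic in the project, fix those without CMEK, return the
    topic names that were updated and verified."""
    listing = publisher.list_topics(request={"project": f"projects/{project_id}"})
    fixed = []
    for name in find_unencrypted_topics(listing):
        set_topic_cmek(publisher, name, key_name)
        if verify_topic_cmek(publisher, name, key_name):
            fixed.append(name)
    return fixed


class _Topic:
    def __init__(self, name: str, kms_key_name: str = ""):
        self.name, self.kms_key_name = name, kms_key_name


class FakePublisher:
    """Constructed offline stand-in exposing the three PublisherClient calls
    used above; state is a dict of topic name -> _Topic."""
    def __init__(self, topics):
        self._topics = {t.name: t for t in topics}

    def list_topics(self, request):
        prefix = request["project"] + "/topics/"
        return [t for t in self._topics.values() if t.name.startswith(prefix)]

    def get_topic(self, request):
        return self._topics[request["topic"]]

    def update_topic(self, request):
        t = self._topics[request["topic"]["name"]]
        if "kms_key_name" in request["update_mask"]["paths"]:
            t.kms_key_name = request["topic"]["kms_key_name"]
        return t


def demo() -> List[str]:
    """Constructed sample: two topics on Google-managed keys, one already on CMEK."""
    key = kms_key_resource_name(PROJECT_ID, LOCATION, KEYRING_NAME, KEY_NAME)
    fake = FakePublisher([
        _Topic(topic_path(PROJECT_ID, "orders")),                   # non-compliant
        _Topic(topic_path(PROJECT_ID, "audit"), kms_key_name=key),  # already CMEK
        _Topic(topic_path(PROJECT_ID, "events")),                   # non-compliant
    ])
    # For a real run, pass google.cloud.pubsub_v1.PublisherClient() instead of `fake`.
    return remediate_project(fake, PROJECT_ID, key)


if __name__ == "__main__":
    print(demo())
```

Before the real `update_topic` call succeeds, the Pub/Sub service agent (`service-PROJECT_NUMBER@gcp-sa-pubsub.iam.gserviceaccount.com`) must hold `roles/cloudkms.cryptoKeyEncrypterDecrypter` on the key, otherwise the update is rejected. The gcloud equivalent of the update step is `gcloud pubsub topics update [TOPIC_NAME] --topic-encryption-key=projects/[PROJECT_ID]/locations/[LOCATION]/keyRings/[KEYRING_NAME]/cryptoKeys/[KEY_NAME]`, and `gcloud pubsub topics describe [TOPIC_NAME]` shows the stored key as `kmsKeyName`; the verification function above checks the same field through the API.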