More Info:
Ensure Spanner Database Backups are encrypted with Customer Managed Keys
Risk Level: Medium
Address: Reliability, Security
Compliance Standards: SOC2, GDPR, ISO27001, HIPAA, HITRUST, NISTCSF, PCIDSS
Triage and Remediation
Remediation
Using Console
To remediate the misconfiguration of a Spanner database backup not being encrypted with a customer-managed key in GCP, follow these steps. A backup's encryption is chosen when the backup is created and cannot be changed afterwards, so the remediation is to create a replacement backup that uses CMEK and retire the old one:
- Go to the GCP Console and navigate to the Spanner instance that holds the database whose backup is not CMEK-encrypted, then open that database.
- Open the database's "Backup/Restore" page and click "Create backup".
- Under the encryption options, select "Customer-managed encryption key (CMEK)" and choose the key from the "Key name" list. The key must live in a Cloud KMS location that matches the instance configuration (the same region for a regional instance), and the Cloud Spanner service agent must already hold the Cloud KMS CryptoKey Encrypter/Decrypter role on it; otherwise the backup creation fails.
- Enter the backup name and its expiration or retention period, then click "Create".
- Once the backup state is READY, verify on the instance's "Backups" page that its encryption type shows as customer-managed and that the listed key version belongs to the key you selected.
- Delete the original backup that used Google-managed encryption (or let it expire) so that only CMEK-encrypted backups remain.
- Repeat these steps for any other Spanner backups that need to be encrypted with customer-managed keys.
Using CLI
To remediate this misconfiguration in GCP, follow these steps using the gcloud CLI:
- First, create a key ring and key (or pick an existing one) with gcloud kms keyrings create and gcloud kms keys create. Replace [KEY_RING_NAME], [LOCATION], and [KEY_NAME] with your own values. The key's location must match the Spanner instance configuration (the same region for a regional instance); Spanner cannot use a key from another location.
- Next, grant the Cloud Spanner service agent permission to use the key by adding the cloudkms.cryptoKeyEncrypterDecrypter role on that key with gcloud kms keys add-iam-policy-binding. Replace [PROJECT_ID] and [SERVICE_ACCOUNT_EMAIL] with your own values; the service agent has the form service-[PROJECT_NUMBER]@gcp-sa-spanner.iam.gserviceaccount.com and is not the same as a user-created service account.
- Now, create a new backup of the database that uses the customer-managed key, with gcloud spanner backups create and the flags --encryption-type=customer-managed-encryption and --kms-key. A backup's encryption configuration is fixed when the backup is created, so an existing Google-managed backup cannot be switched to CMEK in place: take a fresh backup, wait for its state to become READY, then delete the old one. Replace [BACKUP_ID] and [KEY_NAME] with your own values.
- Finally, verify that the new backup is encrypted with the key by running gcloud spanner backups describe on it. This command returns the details of the backup, including the encryptionInfo block; its encryptionType should be CUSTOMER_MANAGED_ENCRYPTION and its kmsKeyVersion should be a version of your key, not merely any customer-managed key.
Using Python
To remediate the misconfiguration "Spanner Database Backup Should Be Encrypted With Customer Managed Keys" for GCP using Python, follow these steps. This ensures that new Spanner database backups are encrypted with a customer-managed encryption key in Google Cloud KMS; existing backups cannot be re-encrypted and must be replaced.
- Create a customer-managed encryption key (CMEK) in Google Cloud KMS, or reuse one, in a location that matches the Spanner instance configuration, and grant the Cloud Spanner service agent the cloudkms.cryptoKeyEncrypterDecrypter role on it. This key will be used to encrypt the backups.
- Create a new backup of the database with the google-cloud-spanner client library, passing an encryption_config whose encryption_type is CUSTOMER_MANAGED_ENCRYPTION and whose kms_key_name is the key's full resource name. There is no instance-level switch that turns on CMEK for backups; the key is chosen per backup at creation time.
- Verify the result by reloading the backup and inspecting its encryption_info: encryption_type must be CUSTOMER_MANAGED_ENCRYPTION and kms_key_version must be a version of your key. Then delete the Google-managed backup it replaces.
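The following is an added example, not code from the original page or from Google, that ties the CLI and Python procedures above together: it audits a `gcloud spanner backups list --format=json` listing for backups that are not encrypted with the expected customer-managed key, builds the gcloud command that creates a replacement CMEK backup of the same database, and shows the same remediation through the google-cloud-spanner client library with a verification step. The project, instance, database, backup and key names are constructed samples; the backup record shape is assumed to be the Spanner Admin API Backup resource as gcloud prints it, and the client-library function needs credentials and network access, so only the audit and command-building parts run offline.

```python
"""Audit Spanner backups for CMEK and build the replacement-backup remediation.

Added example, not code from the original page or from Google. Assumptions:
backup records have the shape returned by
`gcloud spanner backups list --instance=... --format=json`; all names below
are constructed samples.
"""
import json
import re

# Constructed sample listing: one Google-managed backup (non-compliant) and
# one CMEK backup of the same database, as gcloud would print them.
CMEK_KEY = ("projects/my-proj/locations/us-central1/keyRings/spanner-ring"
            "/cryptoKeys/spanner-backups")
SAMPLE_BACKUPS = [
    {
        "name": "projects/my-proj/instances/prod-inst/backups/orders-20240101",
        "database": "projects/my-proj/instances/prod-inst/databases/orders",
        "state": "READY",
        "encryptionInfo": {"encryptionType": "GOOGLE_DEFAULT_ENCRYPTION"},
    },
    {
        "name": "projects/my-proj/instances/prod-inst/backups/orders-20240201",
        "database": "projects/my-proj/instances/prod-inst/databases/orders",
        "state": "READY",
        "encryptionInfo": {
            "encryptionType": "CUSTOMER_MANAGED_ENCRYPTION",
            "kmsKeyVersion": CMEK_KEY + "/cryptoKeyVersions/3",
        },
    },
]
SAMPLE_BACKUPS_JSON = json.dumps(SAMPLE_BACKUPS)

KEY_VERSION_RE = re.compile(
    r"^(?P<key>projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+)"
    r"/cryptoKeyVersions/\d+$"
)


def key_of_version(kms_key_version):
    """Backups record a key *version*; policy names a key. Strip the suffix."""
    m = KEY_VERSION_RE.match(kms_key_version or "")
    return m.group("key") if m else None


def is_cmek_backup(backup, required_key=None):
    """True when the backup uses CMEK (optionally: this specific key).

    A missing encryptionInfo block counts as non-compliant, not unknown,
    so an incomplete record never passes the check."""
    info = backup.get("encryptionInfo") or {}
    if info.get("encryptionType") != "CUSTOMER_MANAGED_ENCRYPTION":
        return False
    if required_key is None:
        return True
    return key_of_version(info.get("kmsKeyVersion")) == required_key


def find_noncompliant_backups(backups_json, required_key=None):
    """Names of backups in a gcloud JSON listing that fail the check."""
    return [b["name"] for b in json.loads(backups_json)
            if not is_cmek_backup(b, required_key)]


def remediation_command(backup, kms_key, new_backup_id, retention_period="14d"):
    """gcloud argv that takes a replacement CMEK backup of the same database.

    Encryption is fixed at backup creation, so remediation is a new backup,
    not an edit of the old one; delete the old backup once this is READY."""
    # name: projects/P/instances/I/backups/B ; database: .../databases/D
    _, project, _, instance, _, _ = backup["name"].split("/")
    database = backup["database"].rsplit("/", 1)[1]
    return [
        "gcloud", "spanner", "backups", "create", new_backup_id,
        f"--project={project}", f"--instance={instance}",
        f"--database={database}", f"--retention-period={retention_period}",
        "--encryption-type=customer-managed-encryption",
        f"--kms-key={kms_key}",  # full resource name, so no --kms-keyring etc.
    ]


def create_cmek_backup(project, instance_id, database_id, backup_id, kms_key, days=14):
    """Same remediation via google-cloud-spanner, verified after creation.

    Needs Application Default Credentials and network access (not run offline)."""
    import datetime
    from google.cloud import spanner
    from google.cloud.spanner_admin_database_v1 import CreateBackupEncryptionConfig

    instance = spanner.Client(project=project).instance(instance_id)
    database = instance.database(database_id)
    expire_time = datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=days)
    encryption_config = {
        "encryption_type": CreateBackupEncryptionConfig.EncryptionType.CUSTOMER_MANAGED_ENCRYPTION,
        "kms_key_name": kms_key,
    }
    backup = instance.backup(backup_id, database=database,
                             expire_time=expire_time, encryption_config=encryption_config)
    backup.create().result(2100)  # long-running operation; wait for it to finish
    backup.reload()
    # Check the server's answer, not the request we sent.
    if key_of_version(backup.encryption_info.kms_key_version) != kms_key:
        raise RuntimeError(f"backup {backup_id} is not encrypted with {kms_key}")
    return backup.encryption_info.kms_key_version


if __name__ == "__main__":
    for name in find_noncompliant_backups(SAMPLE_BACKUPS_JSON, required_key=CMEK_KEY):
        bad = next(b for b in SAMPLE_BACKUPS if b["name"] == name)
        print("non-compliant:", name)
        print("  ", " ".join(remediation_command(bad, CMEK_KEY, name.rsplit("/", 1)[1] + "-cmek")))
```

Run it against a real listing by feeding the output of gcloud spanner backups list --instance=... --format=json into find_noncompliant_backups with required_key set to the key your policy mandates; checking only for "some CMEK key" would let a backup encrypted with a key in another project pass.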