Spanner Database Backup Should Be Encrypted With Customer Managed Keys
More Info:
Ensure Spanner Database Backups are encrypted with Customer Managed Keys
Risk Level
Medium
Address
Reliability, Security
Compliance Standards
SOC2, GDPR, ISO27001, HIPAA, HITRUST, NISTCSF, PCIDSS
Triage and Remediation
Remediation
To remediate the misconfiguration of Spanner Database Backup not being encrypted with customer-managed keys in GCP, follow these steps:
- Go to the GCP Console and navigate to the Spanner instance whose backup you want to encrypt.
- Click on the “Backups” tab in the left-hand menu.
- Find the backup that needs to be encrypted and click on its name.
- Click on the “Encryption” tab in the top menu.
- Click on the “Edit” button.
- Select “Customer-managed key” from the “Encryption type” dropdown.
- Choose the appropriate key from the “Key name” dropdown.
- Click on the “Save” button to save the changes.
- Verify that the backup is now encrypted with the customer-managed key by checking the “Encryption” tab.
- Repeat these steps for any other Spanner backups that need to be encrypted with customer-managed keys.
By following these steps, you can remediate the misconfiguration of Spanner Database Backup not being encrypted with customer-managed keys in GCP.
To remediate this misconfiguration in GCP, you can follow these steps using the gcloud CLI:
- First, create a new key ring and key. The key ring must be in the same location as the Spanner instance whose backups it will protect:
gcloud kms keyrings create [KEY_RING_NAME] --location [LOCATION]
gcloud kms keys create [KEY_NAME] --location [LOCATION] --keyring [KEY_RING_NAME] --purpose encryption
Replace [KEY_RING_NAME], [LOCATION], and [KEY_NAME] with your own values.
- Next, grant the Cloud Spanner service account permission to use the key by adding the cloudkms.cryptoKeyEncrypterDecrypter role to the service account. You can use the following command:
gcloud projects add-iam-policy-binding [PROJECT_ID] --member serviceAccount:[SERVICE_ACCOUNT_EMAIL] --role roles/cloudkms.cryptoKeyEncrypterDecrypter --condition=None
Replace [PROJECT_ID] and [SERVICE_ACCOUNT_EMAIL] with your own values. The Spanner service agent has the form service-[PROJECT_NUMBER]@gcp-sa-spanner.iam.gserviceaccount.com. Note that a project-level binding grants the role on every key in the project; for least privilege, bind the role on the individual key instead.
- Now create the backup with the customer-managed key. A Spanner backup's encryption configuration is fixed when the backup is created and cannot be changed afterwards, so an existing backup on Google-managed keys must be replaced by a new CMEK backup:
gcloud spanner backups create [BACKUP_ID] --instance [INSTANCE_ID] --database [DATABASE_ID] --retention-period [RETENTION_PERIOD] --encryption-type customer-managed-encryption --kms-key projects/[PROJECT_ID]/locations/[LOCATION]/keyRings/[KEY_RING_NAME]/cryptoKeys/[KEY_NAME]
Replace [BACKUP_ID], [INSTANCE_ID], [DATABASE_ID], [RETENTION_PERIOD] (for example 7d) and the key path components with your own values.
- Finally, verify that the backup is encrypted with the key by running the following command:
gcloud spanner backups describe [BACKUP_ID] --instance [INSTANCE_ID]
This command returns the details of the backup, including its encryptionInfo; encryptionType should read CUSTOMER_MANAGED_ENCRYPTION and kmsKeyVersion should point at your key.
By following these steps, you can remediate the misconfiguration and ensure that your Spanner database backups are encrypted with customer-managed keys in GCP.
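The verification step above checks one backup at a time. The following audit script is an added example (not code from the original page) that runs offline over the JSON that gcloud spanner backups list --instance [INSTANCE_ID] --format=json produces, one object per backup, and flags every backup that is not on a customer-managed key or whose key is not in an approved allowlist. The field names (encryptionInfo, encryptionType, kmsKeyVersion) follow the Spanner REST Backup resource; the sample data, project, instance and key names are constructed for illustration, and the APPROVED_KEYS allowlist is an assumption you would replace with your own key names.

```python
"""Audit Spanner backups for customer-managed encryption (added example, not from the page)."""
import json

# Constructed sample of `gcloud spanner backups list --format=json` output:
# one compliant CMEK backup, one on Google-managed keys, one CMEK backup on a
# key outside the approved set, and one backup still being created.
SAMPLE_BACKUPS_JSON = json.dumps([
    {
        "name": "projects/example-project/instances/prod-instance/backups/nightly-01",
        "database": "projects/example-project/instances/prod-instance/databases/orders",
        "state": "READY",
        "encryptionInfo": {
            "encryptionType": "CUSTOMER_MANAGED_ENCRYPTION",
            "kmsKeyVersion": "projects/example-project/locations/us-central1/keyRings/spanner-ring/cryptoKeys/spanner-backup-key/cryptoKeyVersions/1",
        },
    },
    {
        "name": "projects/example-project/instances/prod-instance/backups/nightly-02",
        "database": "projects/example-project/instances/prod-instance/databases/orders",
        "state": "READY",
        "encryptionInfo": {"encryptionType": "GOOGLE_DEFAULT_ENCRYPTION"},
    },
    {
        "name": "projects/example-project/instances/prod-instance/backups/adhoc-03",
        "database": "projects/example-project/instances/prod-instance/databases/orders",
        "state": "READY",
        "encryptionInfo": {
            "encryptionType": "CUSTOMER_MANAGED_ENCRYPTION",
            "kmsKeyVersion": "projects/example-project/locations/us-central1/keyRings/dev-ring/cryptoKeys/dev-key/cryptoKeyVersions/3",
        },
    },
    {
        "name": "projects/example-project/instances/prod-instance/backups/in-progress-04",
        "database": "projects/example-project/instances/prod-instance/databases/orders",
        "state": "CREATING",
    },
])

# Assumed allowlist of CMEK keys that backups in this instance may use.
APPROVED_KEYS = {
    "projects/example-project/locations/us-central1/keyRings/spanner-ring/cryptoKeys/spanner-backup-key",
}


def key_from_version(kms_key_version):
    """Strip the /cryptoKeyVersions/N suffix so a key version can be compared to a key allowlist."""
    marker = "/cryptoKeyVersions/"
    if marker in kms_key_version:
        return kms_key_version.split(marker, 1)[0]
    return kms_key_version


def audit_backups(backups_json, approved_keys):
    """Return a list of (backup name, finding) tuples; an empty list means every backup is compliant."""
    findings = []
    for backup in json.loads(backups_json):
        name = backup.get("name", "<unnamed>")
        info = backup.get("encryptionInfo")
        # A backup that is still being created has no encryption info yet; report it for a re-check
        if backup.get("state") == "CREATING" or not info:
            findings.append((name, "encryption info not available yet; re-check after creation"))
            continue
        if info.get("encryptionType") != "CUSTOMER_MANAGED_ENCRYPTION":
            findings.append((name, "not encrypted with a customer-managed key"))
            continue
        key = key_from_version(info.get("kmsKeyVersion", ""))
        if approved_keys and key not in approved_keys:
            findings.append((name, "uses CMEK outside the approved key set: " + key))
    return findings


if __name__ == "__main__":
    for backup_name, finding in audit_backups(SAMPLE_BACKUPS_JSON, APPROVED_KEYS):
        print("{}: {}".format(backup_name, finding))
```

Feed it real output by replacing SAMPLE_BACKUPS_JSON with the captured gcloud JSON; an empty approved set disables the allowlist check and only reports backups that are not CMEK-encrypted.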
To remediate the misconfiguration “Spanner Database Backup Should Be Encrypted With Customer Managed Keys” for GCP using Python, you can follow these steps:
- Create a Customer Managed Encryption Key (CMEK) in Google Cloud KMS. This key will be used to encrypt the backups; the key ring must already exist and must be in the same location as the Spanner instance. You can use the following code to create a CMEK:
from google.cloud import kms_v1

client = kms_v1.KeyManagementServiceClient()

# Set the project, location, key ring and key ID
project_id = '[PROJECT]'
location_id = '[LOCATION]'
key_ring_id = 'your-key-ring-id'
key_id = 'your-key-id'

# Set the key purpose: CMEK requires a symmetric ENCRYPT_DECRYPT key
purpose = kms_v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT

# Create the key under the existing key ring
parent = client.key_ring_path(project_id, location_id, key_ring_id)
response = client.create_crypto_key(
    request={
        'parent': parent,
        'crypto_key_id': key_id,
        'crypto_key': {'purpose': purpose},
    }
)
print('Created key: {}'.format(response.name))
- Create the backup with the customer-managed key. A backup's encryption configuration is chosen when the backup is created and cannot be changed on an existing backup, so the key is passed in the create request. You can use the following code to create a CMEK-encrypted backup:
import datetime
from google.cloud import spanner_admin_database_v1

# Set the project, instance, database and backup IDs
project_id = '[PROJECT]'
instance_id = 'your-instance-id'
database_id = 'your-database-id'
backup_id = 'your-backup-id'

# Full resource name of the CMEK created in the previous step
kms_key_name = 'projects/[PROJECT]/locations/[LOCATION]/keyRings/[KEYRING]/cryptoKeys/[KEY]'

database_admin_client = spanner_admin_database_v1.DatabaseAdminClient()
instance_name = database_admin_client.instance_path(project_id, instance_id)
database_name = database_admin_client.database_path(project_id, instance_id, database_id)

# Encryption is fixed at creation time, so the key goes into the create request
encryption_config = spanner_admin_database_v1.CreateBackupEncryptionConfig(
    encryption_type=spanner_admin_database_v1.CreateBackupEncryptionConfig.EncryptionType.CUSTOMER_MANAGED_ENCRYPTION,
    kms_key_name=kms_key_name,
)
backup = spanner_admin_database_v1.Backup(
    database=database_name,
    expire_time=datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=7),
)
operation = database_admin_client.create_backup(
    request={'parent': instance_name, 'backup_id': backup_id, 'backup': backup, 'encryption_config': encryption_config}
)
result = operation.result()  # wait for the long-running backup operation to finish
print('Backup created with encryption type: {}'.format(result.encryption_info.encryption_type.name))
- Verify that the backup is encrypted with the customer-managed key. You can use the following code to read the backup's encryption info:
from google.cloud import spanner_admin_database_v1

# Set the project, instance and backup IDs
project_id = '[PROJECT]'
instance_id = 'your-instance-id'
backup_id = 'your-backup-id'

# Fetch the backup and inspect its encryption info
database_admin_client = spanner_admin_database_v1.DatabaseAdminClient()
backup_name = database_admin_client.backup_path(project_id, instance_id, backup_id)
backup = database_admin_client.get_backup(name=backup_name)
print('Backup encryption type: {}'.format(backup.encryption_info.encryption_type.name))
print('KMS key version: {}'.format(backup.encryption_info.kms_key_version))
This will ensure that your Spanner database backups are encrypted with a customer-managed encryption key in Google Cloud KMS.