Spanner Databases Should Be Encrypted With Customer Managed Keys

Using Console

Using CLI

To remediate the misconfiguration “Spanner Databases Should Be Encrypted With Customer Managed Keys” in GCP using GCP CLI, follow the below steps:

Open the Cloud Shell in the GCP Console.
Run the following command to check if any Spanner instances are not encrypted with customer-managed keys:
```
gcloud spanner instances list --filter="encryptionConfig.kmsKeyName:missing"
```
If any Spanner instances are found that are not encrypted with customer-managed keys, then create a new key ring using the following command:
```
gcloud kms keyrings create [KEYRING_NAME] --location [LOCATION]
```
Replace [KEYRING_NAME] with the desired name for your key ring and [LOCATION] with the desired location for your key ring.
Create a new key in the key ring using the following command:
```
gcloud kms keys create [KEY_NAME] --keyring [KEYRING_NAME] --location [LOCATION] --purpose encryption
```
Replace [KEY_NAME] with the desired name for your key and [KEYRING_NAME] and [LOCATION] with the values you used in step 3.
Grant the Cloud Spanner service account the cloudkms.cryptoKeyEncrypterDecrypter role on the key you just created using the following command:
```
gcloud kms keys add-iam-policy-binding [KEY_NAME] --keyring [KEYRING_NAME] --location [LOCATION] --member serviceAccount:[SERVICE_ACCOUNT_EMAIL] --role roles/cloudkms.cryptoKeyEncrypterDecrypter
```
Replace [KEY_NAME] and [KEYRING_NAME] with the values you used in step 4, and replace [LOCATION] with the location of your key ring. Also, replace [SERVICE_ACCOUNT_EMAIL] with the email address of the Cloud Spanner service account.
Update the Spanner instance to use the customer-managed key using the following command:
```
gcloud spanner instances update [INSTANCE_ID] --encryption-config kms-key-name=projects/[PROJECT_ID]/locations/[LOCATION]/keyRings/[KEYRING_NAME]/cryptoKeys/[KEY_NAME]
```
Replace [INSTANCE_ID] with the ID of the Spanner instance you want to update, [PROJECT_ID] with the ID of your GCP project, [LOCATION] with the location of your key ring, and [KEYRING_NAME] and [KEY_NAME] with the values you used in step 4.
Verify that the Spanner instance is now encrypted with the customer-managed key using the following command:
```
gcloud spanner instances describe [INSTANCE_ID] --format="value(encryptionConfig.kmsKeyName)"
```
Replace [INSTANCE_ID] with the ID of the Spanner instance you updated.

With these steps, you have successfully remediated the misconfiguration “Spanner Databases Should Be Encrypted With Customer Managed Keys” in GCP using GCP CLI.

Using Python

To remediate the misconfiguration “Spanner Databases Should Be Encrypted With Customer Managed Keys” for GCP using Python, you can follow the below steps:

First, you need to create a new Cloud KMS key ring and key for use with Cloud Spanner. You can use the following Python code to create a new key ring and key:

from google.cloud import kms_v1

def create_key_ring(project_id, location_id, key_ring_id):
    client = kms_v1.KeyManagementServiceClient()
    parent = f"projects/{project_id}/locations/{location_id}"
    key_ring = client.create_key_ring(request={"parent": parent, "key_ring_id": key_ring_id})
    print(f"Created key ring: {key_ring.name}")
    return key_ring

def create_crypto_key(project_id, location_id, key_ring_id, crypto_key_id):
    client = kms_v1.KeyManagementServiceClient()
    parent = f"projects/{project_id}/locations/{location_id}/keyRings/{key_ring_id}"
    purpose = kms_v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT
    crypto_key = client.create_crypto_key(request={"parent": parent, "crypto_key_id": crypto_key_id, "purpose": purpose})
    print(f"Created crypto key: {crypto_key.name}")
    return crypto_key

Next, you need to enable customer-managed encryption for Cloud Spanner using the newly created key. You can use the following Python code to enable customer-managed encryption:

from google.cloud import spanner_v1

def enable_customer_managed_encryption(instance_id, project_id, location_id, key_ring_id, crypto_key_id):
    client = spanner_v1.InstanceAdminClient()
    instance_name = f"projects/{project_id}/instances/{instance_id}"
    encryption_config = {"kms_key_name": f"projects/{project_id}/locations/{location_id}/keyRings/{key_ring_id}/cryptoKeys/{crypto_key_id}"}
    update_mask = {"paths": ["encryption_config"]}
    operation = client.update_instance(request={"instance": {"name": instance_name, "encryption_config": encryption_config}, "update_mask": update_mask})
    print(f"Enabled customer-managed encryption for instance: {instance_id}")
    return operation.result()

Finally, you need to verify that customer-managed encryption is enabled for the Cloud Spanner instance. You can use the following Python code to check the encryption status:

def check_encryption_status(instance_id, project_id):
    client = spanner_v1.InstanceAdminClient()
    instance_name = f"projects/{project_id}/instances/{instance_id}"
    instance = client.get_instance(request={"name": instance_name})
    encryption_config = instance.encryption_config
    if encryption_config.kms_key_name:
        print(f"Customer-managed encryption is enabled for instance: {instance_id}")
    else:
        print(f"Customer-managed encryption is not enabled for instance: {instance_id}")

By following these steps, you can remediate the misconfiguration “Spanner Databases Should Be Encrypted With Customer Managed Keys” for GCP using Python.

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

Spanner Databases Should Be Encrypted With Customer Managed Keys

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation