Spanner Databases Should Be Encrypted
More Info:
Ensure spanner databases are encryptedRisk Level
CriticalAddress
Reliability, SecurityCompliance Standards
SOC2, GDPR, ISO27001, HIPAA, HITRUST, NISTCSF, PCIDSSTriage and Remediation
Remediation
Using Console
Using Console
To remediate the misconfiguration of unencrypted Spanner databases on GCP, follow these steps:
- Open the GCP Console and go to the Spanner instance that needs to be remediated.
- Click on the Spanner instance to open its details page.
- Click on the “Databases” tab to view the list of databases in the Spanner instance.
- Select the database that needs to be encrypted and click on its name to open its details page.
- Click on the “Encryption” tab to view the encryption settings for the database.
- If the encryption is not enabled, click on the “Edit” button to enable it.
- In the “Edit database” dialog box, select the checkbox for “Encrypt this database”.
- Choose the “Customer-managed encryption key” option and select the key that you want to use for encryption.
- Click on the “Save” button to save the changes.
- Verify that the encryption is enabled by checking the “Encryption” tab again.
- Repeat the above steps for all the unencrypted Spanner databases in the instance.
Using CLI
Using CLI
To remediate this misconfiguration for GCP using GCP CLI, you can follow the below steps:Replace Replace Replace Replace Replace
- Open the Google Cloud Console and select the project where the Spanner database is located.
- Open the Cloud Shell by clicking on the icon at the top right corner of the console.
- Run the following command to enable the Cloud KMS API:
- Create a new keyring for the Spanner database encryption by running the following command:
<keyring-name> with a name of your choice.- Create a new key for the Spanner database encryption by running the following command:
<key-name> with a name of your choice and <keyring-name> with the name of the keyring created in the previous step.- Grant the Cloud Spanner service account access to use the key by running the following command:
<key-name> with the name of the key created in step 5 and <keyring-name> with the name of the keyring created in step 4. Also, replace <service-account-email> with the email address of the Cloud Spanner service account.- Encrypt the Spanner database by running the following command:
<database-id> with the ID of the Spanner database and <service-account-email> with the email address of the Cloud Spanner service account.- Verify that the Spanner database is encrypted by running the following command:
<database-id> with the ID of the Spanner database.If the command returns the KMS key name, then the database is encrypted. If it returns an empty string, then the database is not encrypted.By following these steps, you can remediate the misconfiguration and encrypt the Spanner database in GCP using GCP CLI.Using Python
Using Python
To remediate the misconfiguration “Spanner Databases Should Be Encrypted” for GCP using Python, you can follow the below steps:Note: Replace the
- Open the Google Cloud Console and navigate to the Spanner Databases page.
- Select the database that you want to encrypt.
- Click on the “Encryption” tab.
- Click on the “Edit” button.
- Select the “Customer-managed key” option.
- Choose the key that you want to use for encryption.
- Click on the “Save” button.
- Now, open the Cloud Shell in your GCP project.
- Run the following command to install the Google Cloud Client Library for Python:
- Run the following Python code to enable encryption for the selected database:
instance_id, database_id, key_name, and your-project-id/your-key-location/your-key-ring/your-key-name with your respective values.- Once the code is executed successfully, the selected Spanner database will be encrypted with the specified customer-managed key.