More Info:

Ensure spanner databases are encrypted

Risk Level

Critical

Address

Reliability, Security

Compliance Standards

SOC2, GDPR, ISO27001, HIPAA, HITRUST, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration of unencrypted Spanner databases on GCP, follow these steps:
  1. Open the GCP Console and go to the Spanner instance that needs to be remediated.
  2. Click on the Spanner instance to open its details page.
  3. Click on the “Databases” tab to view the list of databases in the Spanner instance.
  4. Select the database that needs to be encrypted and click on its name to open its details page.
  5. Click on the “Encryption” tab to view the encryption settings for the database.
  6. If the encryption is not enabled, click on the “Edit” button to enable it.
  7. In the “Edit database” dialog box, select the checkbox for “Encrypt this database”.
  8. Choose the “Customer-managed encryption key” option and select the key that you want to use for encryption.
  9. Click on the “Save” button to save the changes.
  10. Verify that the encryption is enabled by checking the “Encryption” tab again.
  11. Repeat the above steps for all the unencrypted Spanner databases in the instance.
By following these steps, you can remediate the misconfiguration of unencrypted Spanner databases on GCP using the GCP Console.

To remediate this misconfiguration for GCP using GCP CLI, you can follow the below steps:
  1. Open the Google Cloud Console and select the project where the Spanner database is located.
  2. Open the Cloud Shell by clicking on the icon at the top right corner of the console.
  3. Run the following command to enable the Cloud KMS API:
gcloud services enable cloudkms.googleapis.com
  1. Create a new keyring for the Spanner database encryption by running the following command:
gcloud kms keyrings create <keyring-name> --location global
Replace <keyring-name> with a name of your choice.
  1. Create a new key for the Spanner database encryption by running the following command:
gcloud kms keys create <key-name> --keyring <keyring-name> --location global --purpose encryption
Replace <key-name> with a name of your choice and <keyring-name> with the name of the keyring created in the previous step.
  1. Grant the Cloud Spanner service account access to use the key by running the following command:
gcloud kms keys add-iam-policy-binding <key-name> --keyring <keyring-name> --location global --member serviceAccount:<service-account-email> --role roles/cloudkms.cryptoKeyEncrypterDecrypter
Replace <key-name> with the name of the key created in step 5 and <keyring-name> with the name of the keyring created in step 4. Also, replace <service-account-email> with the email address of the Cloud Spanner service account.
  1. Encrypt the Spanner database by running the following command:
gcloud spanner databases set-iam-policy <database-id> --member serviceAccount:<service-account-email> --role roles/spanner.databaseEncrypterDecrypter
Replace <database-id> with the ID of the Spanner database and <service-account-email> with the email address of the Cloud Spanner service account.
  1. Verify that the Spanner database is encrypted by running the following command:
gcloud spanner databases describe <database-id> --format="value(encryptionConfig.kmsKeyName)"
Replace <database-id> with the ID of the Spanner database.If the command returns the KMS key name, then the database is encrypted. If it returns an empty string, then the database is not encrypted.By following these steps, you can remediate the misconfiguration and encrypt the Spanner database in GCP using GCP CLI.
To remediate the misconfiguration “Spanner Databases Should Be Encrypted” for GCP using Python, you can follow the below steps:
  1. Open the Google Cloud Console and navigate to the Spanner Databases page.
  2. Select the database that you want to encrypt.
  3. Click on the “Encryption” tab.
  4. Click on the “Edit” button.
  5. Select the “Customer-managed key” option.
  6. Choose the key that you want to use for encryption.
  7. Click on the “Save” button.
  8. Now, open the Cloud Shell in your GCP project.
  9. Run the following command to install the Google Cloud Client Library for Python: 
pip install --upgrade google-cloud-spanner
  1. Run the following Python code to enable encryption for the selected database:
from google.cloud import spanner_v1

client = spanner_v1.SpannerClient()

instance_id = 'your-instance-id'
database_id = 'your-database-id'
key_name = 'projects/your-project-id/locations/your-key-location/keyRings/your-key-ring/cryptoKeys/your-key-name'

database = client.database_path(instance_id, database_id)
encryption_config = {'kms_key_name': key_name}

operation = client.update_database_ddl(database, ['ALTER DATABASE SET ENCRYPTION = %s' % (encryption_config,)])
print('Waiting for operation to complete...')
operation.result()
print('Database encrypted.')
Note: Replace the instance_id, database_id, key_name, and your-project-id/your-key-location/your-key-ring/your-key-name with your respective values.
  1. Once the code is executed successfully, the selected Spanner database will be encrypted with the specified customer-managed key.
I hope this helps!