Triage and Remediation
Remediation
Using Console
The following steps remediate the misconfiguration “SQL Instances Should Be Encrypted Using Customer Managed Keys (CMKs)” for GCP using the GCP console:
- Open the GCP console and navigate to the Cloud SQL instances page.
- Select the SQL instance that you want to encrypt.
- Click on the “Edit” button at the top of the page.
- Scroll down to the “Encryption” section and select the option “Customer-managed key”.
- Choose the key ring and key that you want to use for encryption. If you don’t have a key, create one by clicking on the “Create” button.
- Click on the “Save” button to save the changes.
Using CLI
To remediate the misconfiguration of SQL instances not being encrypted using customer managed keys (CMKs) in GCP using GCP CLI, follow these steps:
- Open the Cloud Shell in the GCP console.
- Use the following command to list all the Cloud SQL instances in your project:
- Choose the instance that you want to encrypt and note down its instance name.
- Use the following command to encrypt the SQL instance using a customer-managed encryption key:
Replace [INSTANCE_NAME] with the name of your SQL instance, [SIZE] with the desired storage size in GB, [STORAGE_TYPE] with the desired storage type, [NETWORK_NAME] with the name of the authorized network, [DATABASE_VERSION] with the desired database version, [DAY_OF_WEEK] with the preferred day of the week for maintenance, [HOUR_OF_DAY] with the preferred hour of the day for maintenance, [RELEASE_CHANNEL] with the preferred release channel for maintenance, and [KEY_NAME] with the name of the customer-managed encryption key.
- Once you have executed the command, the SQL instance will be encrypted using the customer-managed encryption key.
- Verify the encryption status of the SQL instance using the following command:
You should see the encryptionKeyName property set to the name of your customer-managed encryption key.
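The verification step above can be done without reading the output by eye. The script below is an added example, not code from the original page: it reads the JSON array that `gcloud sql instances list --format=json` prints and reports every instance that is not backed by a customer-managed key. It assumes the Cloud SQL Admin API instance resource shape, in which the configured key is `diskEncryptionConfiguration.kmsKeyName` and the key version actually in use is `diskEncryptionStatus.kmsKeyVersionName`; the project, ring, key and instance names embedded in the sample are constructed. It goes slightly beyond the page's step by also checking that the key lives in the instance's own region, which Cloud SQL requires.

```python
"""Audit Cloud SQL instances for customer-managed encryption keys (CMEK).

Usage:  gcloud sql instances list --format=json > instances.json
        python cmek_audit.py instances.json
Without an argument the constructed sample below is audited instead.
"""
import json
import re
import sys

# Constructed sample in the shape of `gcloud sql instances list --format=json`
# (the Admin API instance resource), trimmed to the fields this audit reads.
# Project, key ring, key and instance names are made up for the example.
SAMPLE_INSTANCES_JSON = """
[
  {
    "name": "orders-db", "region": "us-central1",
    "diskEncryptionConfiguration": {
      "kmsKeyName": "projects/example-proj/locations/us-central1/keyRings/sql-ring/cryptoKeys/sql-key"
    },
    "diskEncryptionStatus": {
      "kmsKeyVersionName": "projects/example-proj/locations/us-central1/keyRings/sql-ring/cryptoKeys/sql-key/cryptoKeyVersions/3"
    }
  },
  {"name": "legacy-db", "region": "us-central1"},
  {
    "name": "analytics-db", "region": "europe-west1",
    "diskEncryptionConfiguration": {
      "kmsKeyName": "projects/example-proj/locations/us-central1/keyRings/sql-ring/cryptoKeys/sql-key"
    }
  }
]
"""

# Resource name of a Cloud KMS key (not a key version): the form Cloud SQL expects.
KMS_KEY_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/(?P<ring>[^/]+)/cryptoKeys/(?P<key>[^/]+)$"
)


def audit_instance(instance):
    """Return {"name", "compliant", "reason"} for one instance resource dict."""
    name = instance.get("name", "<unnamed>")
    region = instance.get("region")
    key = (instance.get("diskEncryptionConfiguration") or {}).get("kmsKeyName")
    if not key:
        # No kmsKeyName at all: the data disk uses Google-managed encryption.
        return {"name": name, "compliant": False,
                "reason": "no customer-managed key configured (Google-managed encryption)"}
    match = KMS_KEY_RE.match(key)
    if not match:
        return {"name": name, "compliant": False,
                "reason": f"kmsKeyName is not a cryptoKey resource name: {key}"}
    if match.group("location") != region:
        # Cloud SQL requires the key to live in the instance's own region.
        return {"name": name, "compliant": False,
                "reason": f"key is in {match.group('location')} but instance is in {region}"}
    version = (instance.get("diskEncryptionStatus") or {}).get("kmsKeyVersionName")
    if not version:
        return {"name": name, "compliant": False,
                "reason": "key configured but no key version reported as in use"}
    return {"name": name, "compliant": True,
            "reason": f"encrypted with {match.group('key')} (version {version.rsplit('/', 1)[-1]})"}


def audit_instances(instances_json):
    """Audit every instance in a JSON array as printed by gcloud."""
    return [audit_instance(inst) for inst in json.loads(instances_json)]


def noncompliant_names(instances_json):
    """Names of instances that fail the CMEK check, in input order."""
    return [r["name"] for r in audit_instances(instances_json) if not r["compliant"]]


if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INSTANCES_JSON
    findings = audit_instances(data)
    for f in findings:
        print(f"{'OK  ' if f['compliant'] else 'FAIL'} {f['name']}: {f['reason']}")
    # Non-zero exit lets a CI job or scheduled check fail on any finding.
    sys.exit(1 if any(not f["compliant"] for f in findings) else 0)
```

On the sample, `orders-db` passes, `legacy-db` fails for having no key, and `analytics-db` fails because its key is in a different region from the instance. The exit code makes the script usable as a recurring control rather than a one-off check.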
Using Python
To remediate the misconfiguration of SQL instances not being encrypted using customer-managed keys (CMKs) in GCP, you can use the following steps:
- Create a new Cloud KMS key ring and key to use as the CMK. You can do this using the following Python code:
Replace project_id, location_id, key_ring_id, and crypto_key_id with your own values.
- Update the SQL instance to use the newly created CMK. You can do this using the following Python code:
Replace project_id, instance_id, location_id, key_ring_id, and crypto_key_id with your own values.
- Verify that the SQL instance is now using the CMK for encryption. You can do this using the following Python code:
Replace instance_name with your own value.
These steps will remediate the misconfiguration of SQL instances not being encrypted using customer-managed keys (CMKs) in GCP.