Triage and Remediation
Remediation
Using Console
To remediate this misconfiguration for GCP using GCP console, follow these steps:
- Log in to the Google Cloud Console.
- Navigate to the Cloud Storage page.
- Select the bucket that needs to be encrypted.
- Click on the “Edit bucket details” button.
- Scroll down to the “Encryption” section.
- Select “Customer-managed key” from the drop-down menu.
- Choose the key that you want to use to encrypt the bucket.
- Click on the “Save” button to apply the changes.
- Repeat the above steps for all the buckets that need to be encrypted using customer-managed keys.
Using CLI
To remediate the bucket encryption misconfiguration in GCP using GCP CLI, follow these steps:
- Open the Google Cloud Console and select the project containing the bucket that needs to be encrypted using a customer-managed key.
- Open the Cloud Shell by clicking on the icon in the top right corner of the console.
- In the Cloud Shell, run the following command to enable the Cloud KMS API:
- Next, create a new customer-managed key (CMK) by running the following command:
  Replace [KEYRING-NAME] with a name for your keyring, [LOCATION] with the location where you want to create the key, and [KEY-NAME] with a name for your key.
- Now, update the bucket to use the newly created CMK by running the following command:
  Replace [KEY-NAME] with the name of the CMK you created in step 4 and [BUCKET-NAME] with the name of the bucket that needs to be encrypted.
- Finally, verify that the bucket is encrypted using the CMK by running the following command:
  Look for the kms_key_name field in the output to confirm that the bucket is encrypted using the CMK you created.
Using Python
To remediate this misconfiguration for GCP using Python, you can follow these steps:
- Install the google-cloud-storage library using pip.
- Authenticate with your GCP account using the following command:
- List all the buckets in your project using the following command:
- For each bucket, check if it is encrypted using a customer-managed key (CMK) by checking the bucket’s encryption property:
- If the bucket is not encrypted with a customer-managed key, create a new key using the following command:
- Enable encryption with the new CMK for the bucket using the following command:
- Verify that the bucket is now encrypted with a customer-managed key:
Note: Replace my-cmk, us-central1, and my-keyring with your own values.
By following these steps, you can remediate the misconfiguration of GCP buckets not being encrypted with customer-managed keys.
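The audit and remediation steps above, as an added example that is not part of the original page: the check runs offline over constructed bucket metadata (name, location, default KMS key, which google-cloud-storage exposes as the bucket's default_kms_key_name property), flags buckets with no customer-managed default key or a key in the wrong location, and a separate function applies the key with the real library when credentials are available. The project, keyring and key names are placeholders.

```python
"""Added example: find Cloud Storage buckets without a customer-managed default key."""
import re

# A Cloud KMS key resource name has this fixed shape; a bucket's default key
# must be one of these and must live in the same location as the bucket.
KMS_KEY_RE = re.compile(
    r"^projects/[^/]+/locations/(?P<location>[^/]+)/keyRings/[^/]+/cryptoKeys/[^/]+$"
)


def kms_key_name(project, location, keyring, key):
    """Build the full resource name that the bucket's default-key setting expects."""
    return f"projects/{project}/locations/{location}/keyRings/{keyring}/cryptoKeys/{key}"


def find_unencrypted(buckets):
    """Return names of buckets whose default key is missing, malformed, or in a
    location other than the bucket's own.  `buckets` is a list of
    (name, location, default_kms_key_name) tuples, e.g. built from
    (b.name, b.location, b.default_kms_key_name) over client.list_buckets()."""
    findings = []
    for name, location, key in buckets:
        match = KMS_KEY_RE.match(key or "")
        # bucket.location is reported upper-case (US-CENTRAL1); KMS uses lower-case
        if match is None or match.group("location").lower() != location.lower():
            findings.append(name)
    return findings


def set_default_cmk(bucket_name, key):
    """Set the bucket's default CMEK with google-cloud-storage (needs credentials;
    the import is local so the offline audit above works without the package)."""
    from google.cloud import storage
    client = storage.Client()
    bucket = client.get_bucket(bucket_name)
    bucket.default_kms_key_name = key
    bucket.patch()
    return client.get_bucket(bucket_name).default_kms_key_name


# Constructed sample: what an audit would see for three buckets (placeholder names).
SAMPLE_KEY = kms_key_name("my-project", "us-central1", "my-keyring", "my-cmk")
SAMPLE_BUCKETS = [
    ("logs-bucket", "US-CENTRAL1", None),        # Google-managed encryption only
    ("app-bucket", "US-CENTRAL1", SAMPLE_KEY),   # compliant
    ("eu-bucket", "EUROPE-WEST1", SAMPLE_KEY),   # key in the wrong location
]

if __name__ == "__main__":
    for name in find_unencrypted(SAMPLE_BUCKETS):
        print(f"{name}: no usable customer-managed default key")
```

Setting a bucket's default key only affects objects written afterwards; objects already in the bucket keep their existing encryption until they are rewritten.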