Customer Supplied Encryption Key Should Be Enabled For Disks

More Info:

Ensures Customer Supplied Encryption Key is enabled on disks. Google encrypts all disks at rest by default. By using CSEK only authorized team members with the keys can access the disk. Anyone else, including Google, cannot access the disk data.

Risk Level

High

Address

Security

Compliance Standards

CISGCP, CBP, HITRUST, SOC2, GDPR, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the “Customer Supplied Encryption Key Should Be Enabled For Disks” misconfiguration in GCP using GCP CLI, you can follow the below steps:

Open the Cloud Shell in your GCP console.
Run the following command to check if the customer-supplied encryption key is enabled for the disks:
```
gcloud compute disks describe [DISK_NAME] --zone=[ZONE] --format="value(satisfiesPzs)"
```
Replace [DISK_NAME] with the name of the disk that you want to check and [ZONE] with the zone in which the disk is located.
If the output of the previous command is “False”, then the customer-supplied encryption key is not enabled for the disk. To enable it, run the following command:
```
gcloud compute disks add-iam-policy-binding [DISK_NAME] --zone=[ZONE] --member user:[USER_EMAIL] --role roles/compute.diskEncrypterDecrypter
```
Replace [DISK_NAME] with the name of the disk that you want to encrypt and [ZONE] with the zone in which the disk is located. Replace [USER_EMAIL] with the email address of the user who will be able to encrypt and decrypt the disk.
After running the above command, the customer-supplied encryption key will be enabled for the disk. You can verify it by running the following command:
```
gcloud compute disks describe [DISK_NAME] --zone=[ZONE] --format="value(satisfiesPzs)"
```
The output of the above command should be “True”, indicating that the customer-supplied encryption key is enabled for the disk.

By following the above steps, you can remediate the “Customer Supplied Encryption Key Should Be Enabled For Disks” misconfiguration in GCP using GCP CLI.

Using Python

To remediate the misconfiguration “Customer Supplied Encryption Key Should Be Enabled For Disks” in GCP using Python, you can follow the below steps:Step 1: Install the required packages

!pip install google-cloud-storage google-auth google-auth-oauthlib google-auth-httplib2

Step 2: Authenticate to GCP

from google.colab import auth
auth.authenticate_user()

Step 3: Import the required libraries

from google.cloud import storage
from google.oauth2 import service_account

Step 4: Create a service account and grant it the required permissions

credentials = service_account.Credentials.from_service_account_file('<path-to-service-account-key>')

Step 5: Create a function to enable customer-supplied encryption key for disks

def enable_csek(project_id, zone, instance_name, disk_name, encryption_key):
    """
    This function enables customer-supplied encryption key for a disk in a GCP VM instance.
    """
    # Create the compute client
    compute_client = compute_v1.InstancesClient(credentials=credentials)
    
    # Get the instance resource URL
    instance_url = f'/projects/{project_id}/zones/{zone}/instances/{instance_name}'
    
    # Get the disk resource URL
    disk_url = f'/compute/v1/projects/{project_id}/zones/{zone}/disks/{disk_name}'
    
    # Create the disk encryption key resource
    disk_encryption_key_resource = {
        "rawKey": encryption_key,
        "rsaEncryptedKey": None,
        "kmsKeyName": None
    }
    
    # Create the disk resource with the customer-supplied encryption key
    disk_resource = {
        "sourceDisk": disk_url,
        "diskEncryptionKey": disk_encryption_key_resource,
        "autoDelete": False,
        "boot": False,
        "interface": "SCSI",
        "mode": "READ_WRITE",
        "autoResize": False,
        "sizeGb": None,
        "type": None
    }
    
    # Create the update mask
    update_mask = 'diskEncryptionKey'
    
    # Update the instance to enable customer-supplied encryption key for the disk
    operation = compute_client.attach_disk(instance=instance_url, disk=disk_resource, update_mask=update_mask)
    
    # Wait for the operation to complete
    operation.result()
    
    print(f'Successfully enabled customer-supplied encryption key for disk {disk_name} in instance {instance_name}.')

Step 6: Call the function to enable customer-supplied encryption key for the disk

enable_csek(project_id='<project-id>', zone='<zone>', instance_name='<instance-name>', disk_name='<disk-name>', encryption_key='<encryption-key>')

Note: Replace the placeholders <project-id>, <zone>, <instance-name>, <disk-name>, and <encryption-key> with the actual values for your GCP project.

Additional Reading:

https://cloud.google.com/compute/docs/disks/customer-supplied-encryption

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

Customer Supplied Encryption Key Should Be Enabled For Disks

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: