More Info:

Ensure that the use of Google-managed encryption keys for Cloud SQL database instances is disabled at the GCP organization level in order to enforce the use of Customer-Managed Keys (CMKs) and have full control over SQL database encryption/decryption process.

Risk Level

Medium

Address

Security, Operational Maturity

Compliance Standards

ISO27001, HIPAA

Remediation

Using Console

To remediate the misconfiguration of “Restrict Default Google-Managed Encryption for Cloud SQL Instances” in GCP using GCP console, follow the below steps:

  1. Login to your GCP console.

  2. Navigate to the Cloud SQL Instances page.

  3. Select the instance for which you want to remediate the misconfiguration.

  4. Click on the “Edit” button at the top of the page.

  5. Scroll down to the “Encryption” section.

  6. Under the “Encryption in transit” section, select “Require SSL” option.

  7. Under the “Encryption at rest” section, select “Customer-managed encryption key” option.

  8. Provide the required details for Customer-managed encryption key, such as key name, key version and key location.

  9. Click on the “Save” button to save the changes.

  10. Verify the changes by checking the “Encryption” section on the Cloud SQL instance page.

By following the above steps, you have successfully remediated the misconfiguration of “Restrict Default Google-Managed Encryption for Cloud SQL Instances” in GCP using GCP console.

Using CLI

To remediate the misconfiguration of “Restrict Default Google-Managed Encryption for Cloud SQL Instances” for GCP using GCP CLI, you need to follow the below steps:

  1. Open the Google Cloud Shell by clicking on the Activate Cloud Shell button present on the top right corner of the Google Cloud Console.

  2. Once you have opened the Google Cloud Shell, run the following command to set the project where you want to remediate the misconfiguration:

    gcloud config set project [PROJECT_ID]

    Replace [PROJECT_ID] with the ID of the project where you want to remediate the misconfiguration.

  3. Next, run the following command to list all the Cloud SQL instances in the project:

    gcloud sql instances list

  4. Identify the Cloud SQL instance for which you want to remediate the misconfiguration and note down its name.

  5. Run the following command to update the Cloud SQL instance configuration and restrict default Google-managed encryption:

    gcloud sql instances patch [INSTANCE_NAME] --require-ssl --backup-start-time 00:00

    Replace [INSTANCE_NAME] with the name of the Cloud SQL instance for which you want to remediate the misconfiguration.

  6. After running the above command, the default Google-managed encryption will be restricted for the Cloud SQL instance.

    Note: The above command also enforces SSL connections and sets the backup start time to 00:00.

By following the above steps, you can remediate the misconfiguration of “Restrict Default Google-Managed Encryption for Cloud SQL Instances” for GCP using GCP CLI.

Using Python

To remediate the “Restrict Default Google-Managed Encryption for Cloud SQL Instances” misconfiguration in GCP using Python, you can follow the below steps:

  1. Import the necessary libraries:
from googleapiclient import discovery
from oauth2client.client import GoogleCredentials
  1. Authenticate and authorize the client:
credentials = GoogleCredentials.get_application_default()
service = discovery.build('sqladmin', 'v1beta4', credentials=credentials)
  1. Get the list of Cloud SQL instances:
project_id = 'YOUR_PROJECT_ID'
instances = service.instances().list(project=project_id).execute()
  1. Iterate over the instances and update the settings:
for instance in instances['items']:
    instance_name = instance['name']
    settings = instance['settings']
    settings['dataDiskEncryptionEnabled'] = True
    settings['dataDiskEncryptionCipher'] = 'AES_256'
    settings['backupConfiguration']['binaryLogEnabled'] = False
    settings['backupConfiguration']['enabled'] = True
    settings['backupConfiguration']['pointInTimeRecoveryEnabled'] = True
    settings['backupConfiguration']['replicationLogArchivingEnabled'] = False
    settings['backupConfiguration']['startTime'] = '00:00'
    settings['backupConfiguration']['transactionLogRetentionDays'] = 7
    settings['ipConfiguration']['authorizedNetworks'] = []
    settings['ipConfiguration']['ipv4Enabled'] = True
    settings['ipConfiguration']['privateNetwork'] = 'default'
    settings['ipConfiguration']['requireSsl'] = True
    settings['locationPreference']['zone'] = 'YOUR_PREFERRED_ZONE'
    settings['maintenanceWindow']['day'] = 1
    settings['maintenanceWindow']['hour'] = 0
    settings['pricingPlan'] = 'PER_USE'
    settings['settingsVersion'] = '1'
    settings['storageAutoResize'] = True
    settings['storageAutoResizeLimit'] = '0'
    settings['tier'] = 'db-n1-standard-1'
    settings['userLabels'] = {}
    request = service.instances().update(project=project_id, instance=instance_name, body={'settings': settings})
    response = request.execute()
    print('Instance {} updated.'.format(instance_name))
  1. Save the Python script and run it using the command:
python script_name.py

This will remediate the “Restrict Default Google-Managed Encryption for Cloud SQL Instances” misconfiguration in GCP.