KMS Key Should Have Unique Key In DB Tier

​

More Info:

Ensure that there is a KMS Key in the Database-tier in order to protect the data-at-rest that is available in the web stack.

​

Risk Level

Medium

​

Address

Security

​

Compliance Standards

CBP

​

Remediation

​

Using Console

To remediate the KMS Key Should Have Unique Key In DB Tier misconfiguration in GCP using GCP Console, please follow the steps below:

1. Login to the GCP Console and navigate to the Cloud KMS page.
2. Select the key ring that contains the KMS key that is used in the DB tier.
3. Click on the KMS key that is used in the DB tier.
4. Click on the “Permissions” tab.
5. Check if there are any unnecessary or redundant IAM roles or members that have access to the KMS key.
6. Remove any unnecessary or redundant IAM roles or members by clicking on the “X” button next to their names.
7. Click on the “Add Member” button to add a new member to the KMS key.
8. Add the service account that is used by the DB tier to the KMS key and grant it the “Cloud KMS CryptoKey Encrypter/Decrypter” role.
9. Click on the “Save” button to save the changes.

By following the above steps, you will ensure that the KMS key used in the DB tier has a unique key and is only accessible by the necessary service account.

​

Using CLI

To remediate the misconfiguration “KMS Key Should Have Unique Key In DB Tier” in GCP using GCP CLI, you can follow the below steps:

1. Identify the KMS key associated with the DB tier. You can do this by running the following command:

   gcloud kms keys list --location=<location> --keyring=<keyring>
   

   Replace <location> and <keyring> with the location and keyring name where the KMS key is stored.

2. Check if the KMS key is associated with the DB tier by running the following command:

   gcloud sql instances describe <instance-name> --format=json | jq '.settings.settingsVersion' | grep -q kmsKeyName
   

   Replace <instance-name> with the name of the Cloud SQL instance.

3. If the KMS key is associated with the DB tier, create a new KMS key and associate it with the DB tier. You can do this by running the following commands:

   gcloud kms keyrings create <keyring-name> --location=<location>
   gcloud kms keys create <kms-key-name> --location=<location> --keyring=<keyring-name> --purpose=encryption
   gcloud sql instances patch <instance-name> --backup-configuration kms-key-name=projects/<project-id>/locations/<location>/keyRings/<keyring-name>/cryptoKeys/<kms-key-name>
   

   Replace <keyring-name>, <location>, <kms-key-name>, <instance-name>, and <project-id> with appropriate values.

4. Verify that the new KMS key is associated with the DB tier by running the following command:

   gcloud sql instances describe <instance-name> --format=json | jq '.settings.settingsVersion' | grep -q <kms-key-name>
   

   Replace <instance-name> and <kms-key-name> with appropriate values.

Once you have completed the above steps, the misconfiguration “KMS Key Should Have Unique Key In DB Tier” will be remediated for GCP.

​

Using Python

To remediate the KMS Key Should Have Unique Key In DB Tier misconfiguration in GCP using Python, you can follow these steps:

1. First, you need to identify the KMS key used in the DB tier. You can do this by checking the configuration of your database instance and looking for the KMS key used for encryption.

2. Next, you need to check if the KMS key is unique. You can do this by querying the Cloud KMS API for a list of all the KMS keys in your project and checking if the key used in the DB tier is unique.

3. If the KMS key is not unique, you need to create a new KMS key and update the configuration of your database instance to use the new key. You can use the Cloud KMS API to create a new key and update the configuration of your database instance using the Cloud SQL Admin API.

Here’s an example Python code that you can use to create a new KMS key and update the configuration of your database instance:

import google.auth
from google.cloud import kms_v1
from google.cloud.sql_v1beta4 import SqlInstancesServiceClient
from google.cloud.sql_v1beta4.types import SqlInstancesSetBackupEncryptionRequest

# Authenticate using the default credentials
credentials, project_id = google.auth.default()

# Create a KMS client
kms_client = kms_v1.KeyManagementServiceClient(credentials=credentials)

# Create a new KMS key
key_name = kms_client.key_ring_path(project_id, 'my-key-ring', 'my-key')
key = kms_client.create_crypto_key(key_name, kms_v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT)

# Update the configuration of your database instance to use the new key
instance_client = SqlInstancesServiceClient(credentials=credentials)
instance_name = 'projects/{}/instances/{}'.format(project_id, 'my-instance')
encryption_config = {
    'kms_key_name': key_name,
}
request = SqlInstancesSetBackupEncryptionRequest(
    instance=instance_name,
    project=project_id,
    body={
        'encryptionConfig': encryption_config,
    }
)
instance_client.set_backup_encryption(request=request)

Note: This is just an example code and you may need to modify it to fit your specific use case. Also, make sure to test the code in a non-production environment before applying it to your production environment.