Customer Master Keys (CMKs) Should Be Used

More Info:

Delete any disabled KMS Customer Master Keys (CMKs) and remove them in order to lower costs.

Risk Level

Low

Address

Reliability, Security

Compliance Standards

NIST

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration “Customer Master Keys (CMKs) Should Be Used” for GCP using GCP CLI, follow these steps:

Open the Google Cloud Console and navigate to the Cloud Key Management Service (KMS) page.
Create a new key ring and key for your project if you haven’t already done so.
Use the following command to create a new symmetric key for your project:
```
gcloud kms keys create <KEY-NAME> --location <LOCATION> --keyring <KEY-RING-NAME> --purpose encryption
```
Replace <KEY-NAME>, <LOCATION>, and <KEY-RING-NAME> with the appropriate values for your project.
Use the following command to encrypt your data using the new key:
```
gcloud kms encrypt --plaintext-file=<PLAINTEXT-FILE> --ciphertext-file=<CIPHERTEXT-FILE> --location=<LOCATION> --keyring=<KEY-RING-NAME> --key=<KEY-NAME>
```
Replace <PLAINTEXT-FILE>, <CIPHERTEXT-FILE>, <LOCATION>, <KEY-RING-NAME>, and <KEY-NAME> with the appropriate values for your project.
Update your application or service to use the new encrypted data.
Verify that the new key is being used to encrypt and decrypt your data by checking the Cloud KMS audit logs.

By following these steps, you can remediate the misconfiguration “Customer Master Keys (CMKs) Should Be Used” for GCP using GCP CLI.

Using Python

To remediate the misconfiguration “Customer Master Keys (CMKs) Should Be Used” in GCP using Python, you can follow the below steps:

Import the necessary libraries:

from googleapiclient import discovery
from oauth2client.client import GoogleCredentials

Authenticate and create a client object:

credentials = GoogleCredentials.get_application_default()
service = discovery.build('cloudkms', 'v1', credentials=credentials)

List all the key rings:

key_rings = service.projects().locations().keyRings().list(parent='projects/[PROJECT_ID]/locations/[LOCATION]').execute()

Note: Replace [PROJECT_ID] and [LOCATION] with your project ID and location respectively.

Loop through each key ring and list all the crypto keys:

for key_ring in key_rings['keyRings']:
    crypto_keys = service.projects().locations().keyRings().cryptoKeys().list(parent=key_ring['name']).execute()

Check if the crypto key has a customer-managed encryption key:

for crypto_key in crypto_keys['cryptoKeys']:
    if crypto_key['purpose'] == 'ENCRYPT_DECRYPT' and 'customerManagedEncryption' not in crypto_key:
        # Create a new customer-managed encryption key
        # Update the crypto key to use the new key

If the crypto key does not have a customer-managed encryption key, create a new one:

key_ring_name = key_ring['name'].split('/')[-1]
location = key_ring['name'].split('/')[-3]
key_name = 'new-customer-key'

request_body = {
    'purpose': 'ENCRYPT_DECRYPT',
    'versionTemplate': {
        'algorithm': 'GOOGLE_SYMMETRIC_ENCRYPTION',
    },
    'encryptionAlgorithm': 'GOOGLE_SYMMETRIC_ENCRYPTION',
    'protectionLevel': 'SOFTWARE',
    'customerManagedEncryption': {
        'kmsKeyName': 'projects/[PROJECT_ID]/locations/[LOCATION]/keyRings/{}/cryptoKeys/{}'.format(key_ring_name, key_name)
    }
}

response = service.projects().locations().keyRings().cryptoKeys().create(parent='projects/[PROJECT_ID]/locations/{}'.format(location), body=request_body).execute()

Update the crypto key to use the new customer-managed encryption key:

update_body = {
    'cryptoKey': {
        'name': crypto_key['name'],
        'purpose': crypto_key['purpose'],
        'versionTemplate': crypto_key['versionTemplate'],
        'nextRotationTime': crypto_key['nextRotationTime'],
        'rotationPeriod': crypto_key['rotationPeriod'],
        'labels': crypto_key['labels'],
        'customerManagedEncryption': {
            'kmsKeyName': 'projects/[PROJECT_ID]/locations/[LOCATION]/keyRings/{}/cryptoKeys/{}'.format(key_ring_name, key_name)
        }
    },
    'updateMask': 'customerManagedEncryption'
}

response = service.projects().locations().keyRings().cryptoKeys().patch(name=crypto_key['name'], body=update_body).execute()

Note: Replace [PROJECT_ID] and [LOCATION] with your project ID and location respectively.By following these steps, you can remediate the misconfiguration “Customer Master Keys (CMKs) Should Be Used” in GCP using Python.

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

Customer Master Keys (CMKs) Should Be Used

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation