Google Cloud Storage

Bucket Customer-Managed Encryption Disabled

Ensures that storage buckets have CMEK encryption enabled.

Risk Level: Low

Description

This plugin ensures that Google Cloud Storage buckets are encrypted using customer-managed encryption keys (CMEK). CMEK gives you more control over key operations than the default Google-managed encryption keys. These keys are created by users in the Google Cloud Key Management Service and can be used to encrypt the object's data, the object's CRC32C checksum, and its MD5 hash.

About the Service

Google Cloud Storage:

Google Cloud Storage is a service that provides dependable and secure storage classes for any workload, allowing users to select cost-effective storage alternatives based on their requirements. You can effortlessly move data to Cloud storage and benefit from its strong security and scalability features. To know more, read here

Impact

Google-managed encryption keys (GMEKs) are the default encryption applied whenever a new storage bucket is created. However, GMEKs offer very little flexibility, and key handling is entirely transparent to the client. CMEKs, on the other hand, allow the user to tailor the encryption to their specific requirements, resulting in greater security.

Steps to Reproduce

Using GCP Console-

  1. Log In to your GCP Console.
  2. From the top navigation bar, select the GCP project you want to investigate.
  3. From the navigation panel on the left side of the console, go to Cloud Storage and select Browser. You can use this link here to navigate directly if you’re already logged in.
  4. Select the storage bucket you want to investigate from the list of buckets displayed and go to the CONFIGURATION tab of the selected bucket.
  5. In the Protection section, check the value of the Encryption type. If the value is anything other than the Customer-managed key, then the selected storage bucket is not encrypted using CMEK.
  6. Repeat steps 4 and 5 for all the storage buckets you want to investigate in the selected project.
  7. If you have multiple projects, repeat steps 2 to 6 for each project in your GCP Console.

Steps for Remediation

Determine whether or not you truly require customer-managed encryption to be disabled. If not, make the necessary changes to enable it using the steps below.
Using GCP Console-

  1. Log In to your GCP Console.
  2. From the top navigation bar, select the GCP project you want to investigate.
  3. To encrypt your storage buckets using customer-managed keys, make sure that you first create a new key that can be used for this.
    NOTE: If you already have a CMEK that you wish to use, skip to step 10.
  4. From the navigation panel on the left side of the console, go to Security under the More products section and select Key management. You can click this link here to navigate directly if you’re already logged in.
  5. To create a key, you must first create a key ring. Click on the CREATE KEY RING button on the top bar.
    NOTE: If you already have a key ring created that you wish to use, skip to step 7.
  6. In the Create key ring page, enter your desired Key ring name and select your preferred location type. Click the CREATE button to create the new key ring.
  7. Go to the newly created key ring and select the CREATE KEY button to create a new key.
  8. In the Create key page, select Generated key as the type of key you wish to create. Next, enter your preferred key name, choose your desired protection level, and select purpose as Symmetric encrypt/decrypt.
  9. Choose your required configurations for the key rotation period and click on CREATE to create the key.
  10. From the navigation panel on the left side of the console, go to Cloud Storage and select Browser. You can use this link here to navigate directly if you’re already logged in.
  11. Select the storage bucket you want to reconfigure from the list of buckets displayed and go to the PROTECTION tab of the selected bucket. (In case you aren’t sure which storage bucket needs to be configured, follow the steps to reproduce listed above to determine which to choose.)
  12. In the Protection section, click on the edit icon next to the value of the Encryption type.
  13. In the Edit encryption pop-up box, check the Use a customer-managed encryption key (CMEK) option. From the drop-down box available to select a key, select your desired key. If no valid keys are found, click on Can’t see your key? Enter key resource name to enter your key resource name.
  14. In the Enter key resource name pop-up box, enter your desired key resource name in the specified format and click SAVE.
    Note: To find the resource name of the key, go to the navigation panel on the left side of the console, click on Security under the All products section, and select Key management. Select your desired key ring and, from the list of keys in that key ring, click the actions button (three-dot icon) and select the copy resource name option.
  15. Repeat steps 3 to 14 for all the buckets you want to reconfigure in the selected project.
  16. If you have multiple projects, repeat steps 2 to 15 for each project in your GCP console.
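Both the audit in the Steps to Reproduce and the key assignment in the remediation steps can be scripted rather than clicked through bucket by bucket. The following Python is an added example, not part of this page or of the plugin's own code: it reads a bucket listing in the shape of the Cloud Storage JSON API "storage#buckets" resource (a constructed sample is embedded; bucket and project names are placeholders), reports which buckets still rely on Google-managed keys, validates a Cloud KMS key resource name in the format step 14 asks for, checks that the key's location matches the bucket's location (a Cloud Storage requirement for default keys), and emits one gcloud command per bucket that needs the change. The listing shape and the CLI form `gcloud storage buckets update --default-encryption-key` are assumptions to verify against your API and gcloud version.

```python
"""Offline CMEK audit for Cloud Storage buckets (added example).

Input is a bucket listing in the shape of the Cloud Storage JSON API
"storage#buckets" resource (e.g. GET /storage/v1/b?project=...). A bucket
is CMEK-protected when `encryption.defaultKmsKeyName` is set; otherwise it
uses the default Google-managed keys (GMEK), which is what the plugin flags.
"""
import json
import re

# Cloud KMS key resource name format expected in step 14:
# projects/P/locations/L/keyRings/R/cryptoKeys/K
KMS_KEY_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/(?P<ring>[^/]+)/cryptoKeys/(?P<key>[^/]+)$"
)

# Constructed sample listing; bucket and project names are placeholders.
SAMPLE_LISTING = json.dumps({
    "kind": "storage#buckets",
    "items": [
        {"kind": "storage#bucket", "name": "example-logs", "location": "US-CENTRAL1"},
        {"kind": "storage#bucket", "name": "example-backups", "location": "EU",
         "encryption": {"defaultKmsKeyName":
             "projects/example-project/locations/eu/keyRings/ring1/cryptoKeys/key1"}},
        {"kind": "storage#bucket", "name": "example-archive", "location": "ASIA-EAST1"},
    ],
})


def audit_buckets(listing_json):
    """Map each bucket name to 'CMEK' or 'GMEK' (the plugin's failing state)."""
    result = {}
    for bucket in json.loads(listing_json).get("items", []):
        key = bucket.get("encryption", {}).get("defaultKmsKeyName")
        result[bucket["name"]] = "CMEK" if key else "GMEK"
    return result


def validate_key_for_bucket(key_name, bucket_location):
    """Return None if key_name can serve as this bucket's default key,
    otherwise a reason. Cloud Storage requires the Cloud KMS key to live in
    the same location as the bucket; bucket locations are reported in upper
    case, so the comparison is case-insensitive."""
    match = KMS_KEY_RE.match(key_name or "")
    if match is None:
        return "not a Cloud KMS key resource name"
    key_location = match.group("location")
    if key_location.lower() != bucket_location.lower():
        return (f"key location '{key_location}' does not match "
                f"bucket location '{bucket_location}'")
    return None


def remediation_commands(listing_json, key_name):
    """For every GMEK bucket, build the gcloud command that sets key_name as
    the bucket's default key (the console's steps 10 to 14). Buckets the key
    cannot serve are returned separately with the reason instead of a command.
    Assumed CLI form: gcloud storage buckets update --default-encryption-key."""
    commands, skipped = [], {}
    for bucket in json.loads(listing_json).get("items", []):
        if bucket.get("encryption", {}).get("defaultKmsKeyName"):
            continue  # already CMEK; nothing to do
        problem = validate_key_for_bucket(key_name, bucket["location"])
        if problem:
            skipped[bucket["name"]] = problem
            continue
        commands.append(
            f"gcloud storage buckets update gs://{bucket['name']} "
            f"--default-encryption-key={key_name}"
        )
    return commands, skipped


if __name__ == "__main__":
    print(audit_buckets(SAMPLE_LISTING))
    key = "projects/example-project/locations/us-central1/keyRings/ring1/cryptoKeys/key1"
    cmds, skipped = remediation_commands(SAMPLE_LISTING, key)
    print("\n".join(cmds))
    print(skipped)
```

Run against the sample, `example-logs` gets a remediation command, `example-backups` is already CMEK-protected, and `example-archive` is skipped because a key in `us-central1` cannot be the default key for a bucket in `ASIA-EAST1`; a separate key in that location would be needed, which is why the console flow has you pick a key location in step 6.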