Google Cloud SQL

SQL Instance Customer-Managed Encryption Disabled

Ensures that SQL instances have CMEK encryption enabled.

Risk Level: Low

Description

This plugin ensures that Google Cloud SQL instances are encrypted with a customer-managed encryption key (CMEK). By default, Cloud SQL encrypts data at rest with a Google-managed key. With CMEK, the instance's data and its backups are protected by a symmetric key that you create and control in Cloud Key Management Service (Cloud KMS): you own its rotation schedule, decide who may use it through IAM, can disable or destroy it, and Cloud KMS records every use of it in audit logs. The key must be in the same region as the instance that uses it.

About the Service

Google Cloud SQL:

Google Cloud SQL is a fully managed relational database service for MySQL, PostgreSQL, and SQL Server. It automates database provisioning, storage capacity management, replication, and backups while lowering maintenance costs. It can be set up easily using the built-in migration tools and lets you scale your instances with little effort. To know more about Cloud SQL, read here

Impact

Google-managed encryption keys (GMEK) are the default whenever a new SQL instance is created. Google handles their storage and rotation entirely, so GMEKs offer very little flexibility and the key lifecycle is invisible to the client. CMEKs, on the other hand, let the user tailor key management to their own requirements: choosing the protection level (software or HSM), setting the rotation period, restricting who may use the key through IAM, auditing key use, and revoking access to the data by disabling or destroying the key. The last point cuts both ways: if the key is disabled, or the Cloud SQL service account loses permission to use it, the instance becomes inaccessible until access is restored, and once the key is destroyed the instance data is unrecoverable. CMEK is therefore an operational commitment as well as a security control.

Steps to Reproduce

Using GCP Console-

  1. Log In to your GCP Console.
  2. From the top navigation bar, select the GCP project you want to investigate.
  3. From the navigation panel on the left side of the console, go to SQL. You can use this link here to navigate directly if you’re already logged in.
  4. Select the Instance ID of the SQL instance you want to investigate from the list of instances available and click on the OVERVIEW tab to check the configuration settings.

  5. Under the Configuration section, check whether Encryption lists a Customer-managed key. If it does not (the instance shows Google-managed encryption), the selected SQL instance is not encrypted with a CMEK.
  6. Repeat steps 4 and 5 for all the SQL instances you want to investigate in the selected project.
  7. If you have multiple projects, repeat steps 2 to 6 for each project in your GCP Console. 

Steps for Remediation

Determine whether the flagged instances actually require customer-managed encryption (for example, because of a compliance or key-custody requirement). For those that do, enable it using the steps below.
Note: The encryption configuration of an existing SQL instance cannot be changed, so CMEK cannot be switched on in place. Instead, create a new instance with the same configuration and a CMEK, migrate the data into it, and retire the original.


Using GCP Console-

  1. Log In to your GCP Console.
  2. From the top navigation bar, select the GCP project you want to investigate.
  3. To encrypt your SQL instances using a customer-managed key, make sure that you first create a new key that can be used for this.
    NOTE: If you already have a CMEK that you wish to use, skip to step 10.
  4. From the navigation panel on the left side of the console, go to Security under the More products section and select Key management. You can click this link here to navigate directly if you’re already logged in.
  5. To create a key, you must first create a key ring. Click on the CREATE KEY RING button on the top bar. 

    NOTE: If you already have a key ring created that you wish to use, skip to step 7.
  6. In the Create key ring page, enter your desired Key ring name and choose the location. Select a regional location that matches the region of the SQL instance that will use the key, since Cloud SQL requires the key to be in the instance's region. Click the CREATE button to create the new key ring.
  7. Go to the newly created key ring and select the CREATE KEY button to create a new key.
  8. In the Create key page, select Generated key as the type of key you wish to create. Next, enter your preferred key name, choose your desired protection level, and select purpose as Symmetric encrypt/decrypt.
  9. Choose your required configurations for the key rotation period and click on CREATE to create the key.
  10. From the navigation panel on the left side of the console, go to SQL. You can use this link here to navigate directly if you’re already logged in.
  11. Select the ID of the SQL instance you want to reconfigure in the list of instances available and note down all its configuration settings. (In case you aren’t sure which SQL instance needs to be configured, follow the steps to reproduce listed above to determine which to choose.)
  12. Go back to the SQL instances page and click on the CREATE INSTANCE button. In the Choose your database engine section, select your desired instance depending on the instance you are re-creating.
  13. Fill in your desired values for the Instance ID and Password fields and the rest of the configurations according to the original instance.
  14. Next, click on Show configuration options to further customize the instance.

  15. Click on STORAGE and then click on ADVANCED ENCRYPTION OPTIONS to configure the encryption.

  16. Under Encryption, check the Use a customer-managed encryption key (CMEK) option. From the drop-down box available to select a key, select your desired key. If no valid keys are found, click on can't see your key? Enter key resource name to enter your key resource name. If the console reports that the Cloud SQL service account does not yet have permission to use the key, grant it the Cloud KMS CryptoKey Encrypter/Decrypter role on that key; without it, instance creation fails.
  17. In the Enter key resource name pop-up box, enter your desired key resource in the specified format and click SAVE.

    Note: To find the resource name of the key, go to the navigation panel on the left side of the console, go to Security under the More products section, and select Key management. Select your desired key ring and, from the list of keys in that key ring, click the actions button (three-dot icon) and select the Copy resource name option.
  18. Configure the rest of the settings based on the original instance and click CREATE INSTANCE to create the new instance.
  19. Once the SQL instance starts running, go to the original instance and click on the EXPORT button on the top navigation bar.
  20. In the Export data to Cloud Storage page, select your desired specifications and click on EXPORT.
  21. Go back to the newly created instance and click on the IMPORT button on the top bar.
  22. Enter the source (the exported file in Cloud Storage) and destination details as well as your desired file format and click on IMPORT to import the data into the newly created SQL instance.
  23. Once you have verified that the imported data is complete, delete the original instance to avoid unwanted billing charges. To do so, click on the DELETE button on the top bar of the original instance, confirm the deletion in the pop-up box, and click on DELETE.
  24. Repeat steps 3 to 23 for all the SQL instances you want to reconfigure in the selected project.
  25. If you have multiple projects, repeat steps 2 to 24 for each project in your GCP console.
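The console steps above scale poorly across many projects. The following is an added example, not the plugin's own code and not a Google tool, that performs the same check from the JSON printed by `gcloud sql instances list --format=json` (an instance passes only when `diskEncryptionConfiguration.kmsKeyName` is set, is a well-formed Cloud KMS key resource name, and sits in the instance's region) and then drafts the gcloud commands that mirror the remediation procedure: create a regional key, let Cloud SQL's service agent use it, build a replacement instance with `--disk-encryption-key`, export/import through Cloud Storage, and delete the original. The sample instance records, the `-cmek` suffix, the bucket name, the `DATABASE` placeholder and the `PROJECT_NUMBER` placeholder in the service agent address are assumptions; the plan is printed for review rather than executed.

```python
"""Audit Cloud SQL instances for CMEK and draft the remediation commands.

Added example; not the plugin's own code and not a Google tool. Expects the
JSON printed by `gcloud sql instances list --format=json`; the sample below
is constructed for the example.
"""
import json
import re

# Constructed sample: one instance with a CMEK, one on Google-managed keys.
SAMPLE_GCLOUD_OUTPUT = json.dumps([
    {
        "name": "orders-db", "project": "acme-prod", "region": "us-central1",
        "databaseVersion": "POSTGRES_14", "settings": {"tier": "db-custom-2-7680"},
        "diskEncryptionConfiguration": {
            "kmsKeyName": "projects/acme-prod/locations/us-central1/"
                          "keyRings/sql-ring/cryptoKeys/sql-key",
        },
    },
    {
        "name": "legacy-db", "project": "acme-prod", "region": "europe-west1",
        "databaseVersion": "MYSQL_8_0", "settings": {"tier": "db-n1-standard-1"},
    },
])

# Cloud KMS key resource name: projects/P/locations/L/keyRings/R/cryptoKeys/K
KMS_KEY_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/(?P<ring>[^/]+)/cryptoKeys/(?P<key>[^/]+)$"
)

# Cloud SQL's per-project service agent. PROJECT_NUMBER is a placeholder the
# operator fills in (gcloud projects describe PROJECT --format='value(projectNumber)').
CLOUD_SQL_SERVICE_AGENT = "service-PROJECT_NUMBER@gcp-sa-cloud-sql.iam.gserviceaccount.com"


def audit_instances(gcloud_json: str) -> list[dict]:
    """One finding per instance: PASS when a well-formed CMEK in the instance's
    own region is configured, FAIL otherwise (the plugin's check, plus a sanity
    check that the key's location matches the instance region)."""
    findings = []
    for inst in json.loads(gcloud_json):
        key = (inst.get("diskEncryptionConfiguration") or {}).get("kmsKeyName")
        if not key:
            status, reason = "FAIL", "no diskEncryptionConfiguration.kmsKeyName (Google-managed key)"
        else:
            m = KMS_KEY_RE.match(key)
            if m is None:
                status, reason = "FAIL", f"malformed key resource name {key}"
            elif m.group("location") != inst["region"]:
                status, reason = "FAIL", f"key in {m.group('location')} but instance in {inst['region']}"
            else:
                status, reason = "PASS", f"CMEK {key}"
        findings.append({"name": inst["name"], "project": inst["project"],
                         "region": inst["region"], "status": status, "reason": reason})
    return findings


def failing_instances(gcloud_json: str) -> list[dict]:
    """The raw instance records that audit_instances marks FAIL."""
    failed = {f["name"] for f in audit_instances(gcloud_json) if f["status"] == "FAIL"}
    return [inst for inst in json.loads(gcloud_json) if inst["name"] in failed]


def remediation_plan(inst: dict, key_ring: str, key_name: str, bucket: str) -> list[str]:
    """gcloud commands mirroring the console procedure: regional key, IAM grant to
    the Cloud SQL service agent, replacement instance with the CMEK, export/import,
    delete. The '-cmek' suffix, bucket and DATABASE placeholder are assumptions;
    the commands are returned for review, never executed here."""
    project, region, name = inst["project"], inst["region"], inst["name"]
    key_path = f"projects/{project}/locations/{region}/keyRings/{key_ring}/cryptoKeys/{key_name}"
    new_name = f"{name}-cmek"
    dump = f"gs://{bucket}/{name}.sql.gz"
    return [
        # Key ring and key must live in the instance's region.
        f"gcloud kms keyrings create {key_ring} --location {region} --project {project}",
        f"gcloud kms keys create {key_name} --keyring {key_ring} --location {region} "
        f"--purpose encryption --project {project}",
        # Make sure the service agent exists, then let it use the key; without
        # this binding the instance creation below fails.
        f"gcloud beta services identity create --service sqladmin.googleapis.com --project {project}",
        f"gcloud kms keys add-iam-policy-binding {key_name} --keyring {key_ring} --location {region} "
        f"--member serviceAccount:{CLOUD_SQL_SERVICE_AGENT} "
        f"--role roles/cloudkms.cryptoKeyEncrypterDecrypter --project {project}",
        # Replacement instance: same engine, tier and region, plus the CMEK.
        f"gcloud sql instances create {new_name} --region {region} "
        f"--database-version {inst['databaseVersion']} --tier {inst['settings']['tier']} "
        f"--disk-encryption-key {key_path} --project {project}",
        # Copy the data through Cloud Storage (both instances' service accounts need bucket access).
        f"gcloud sql export sql {name} {dump} --database DATABASE --project {project}",
        f"gcloud sql import sql {new_name} {dump} --database DATABASE --project {project}",
        # Only after the import has been verified.
        f"gcloud sql instances delete {name} --project {project}",
    ]


if __name__ == "__main__":
    for f in audit_instances(SAMPLE_GCLOUD_OUTPUT):
        print(f"{f['status']:4} {f['project']}/{f['name']} ({f['region']}): {f['reason']}")
    for inst in failing_instances(SAMPLE_GCLOUD_OUTPUT):
        print(f"\n# Remediation plan for {inst['name']}")
        print("\n".join(remediation_plan(inst, "sql-ring", "sql-key", "acme-sql-migration")))
```

To run it against a real project, replace `SAMPLE_GCLOUD_OUTPUT` with the output of `gcloud sql instances list --project PROJECT --format=json`; a single instance can be spot-checked with `gcloud sql instances describe INSTANCE --format='value(diskEncryptionConfiguration.kmsKeyName)'`, which prints nothing for a Google-managed key. The generated plan deliberately leaves out settings the console steps tell you to copy by hand (networking, flags, backup schedule, high availability), so diff the original instance's `describe` output against the replacement before cutting over.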