Enable Logs Router Encryption with Customer-Managed Keys

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that Google Cloud Logs Router data is encrypted with Customer-Managed Keys (CMKs) in order to have full control over your data encryption and decryption process and help meet compliance requirements. You can create and manage your own Customer-Managed Keys (CMKs) with Cloud Key Management Service (Cloud KMS). Cloud KMS provides secure and efficient encryption key management, controlled key rotation, and revocation mechanisms.

Security

By default, the Google Cloud Logging service encrypts Logs Router data using Google-managed encryption keys. The cloud service manages this type of encryption without any additional actions from you and your application. However, if you want to fully control and manage logging data encryption yourself, you can use your own Customer-Managed Keys (CMKs). Also, if you need to achieve compliance or regulatory requirements, it is strongly recommended to encrypt your Google Cloud Logs Router data using customer-managed keys (CMKs).

Note: CMKs can be enabled for Logs Router data only at the GCP organization level. Once configured, it applies to all projects and folders within your Google Cloud organization.


Audit

To determine if your Google Cloud Logs Router data is encrypted with Customer-Managed Keys (CMKs), perform the following operations:

Note: Verifying encryption configuration for your Google Cloud Logs Router using Google Cloud Platform (GCP) Console is not currently supported.

Using GCP CLI

01 Run organizations list command (Windows/macOS/Linux) using custom query filters to list the identifiers (IDs) of all the organizations available within your Google Cloud Platform (GCP) account:

gcloud organizations list \
  --format="table(name)"

02 The command output should return the requested GCP organization identifiers:

ID
123412341234
111122223333
112233441122

03 Run logging cmek-settings describe command (Windows/macOS/Linux) using the ID of the GCP organization that you want to examine as the identifier parameter and custom query filters to return the full resource identifier of the Customer-Managed Key used to encrypt the Google Cloud Logs Router data within the selected organization:

gcloud alpha logging cmek-settings describe \
  --organization=123412341234 \
  --format="json(kmsKeyName)"

04 The command output should return the resource ID of the CMK used to encrypt the Logs Router data:

null

If the logging cmek-settings describe command output returns null, as shown in the example above, the data managed by Google Cloud Logs Router within the selected GCP organization is not encrypted with a Customer-Managed Key (CMK).

05 Repeat steps no. 3 and 4 for each Google Cloud Platform (GCP) organization created in your Google Cloud account.
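The audit above amounts to one decision per organization: does the describe command return a full Cloud KMS key resource name in kmsKeyName, or not? The following script is an added example and not part of the Conformity page. It wraps the page's own gcloud commands in a loop over all organizations and puts the classification logic in a function that can be checked offline; the JSON strings at the bottom are constructed samples of the describe output, and the helper function names are assumptions made here.

```shell
#!/bin/sh
# Added example (not part of the Conformity page): classify the output of the
# page's "gcloud alpha logging cmek-settings describe" command and audit every
# organization in one pass. The JSON samples at the bottom are constructed.

# Pull kmsKeyName out of the JSON printed by
#   gcloud alpha logging cmek-settings describe --organization=ID --format="json(kmsKeyName)"
# Prints nothing when the field is missing or null (no CMK configured).
extract_kms_key_name() {
  printf '%s' "$1" | tr -d '\n' | sed -n 's/.*"kmsKeyName": *"\([^"]*\)".*/\1/p'
}

# COMPLIANT only when a full Cloud KMS key resource name is set. Any other
# non-empty value is flagged so it gets looked at instead of silently passing.
classify_cmek_setting() {
  key=$(extract_kms_key_name "$1")
  case "$key" in
    projects/*/locations/*/keyRings/*/cryptoKeys/?*) echo "COMPLIANT" ;;
    "") echo "NON_COMPLIANT" ;;
    *) echo "UNEXPECTED" ;;
  esac
}

# Audit steps 1 to 5 in one loop: list organization resource names, strip the
# "organizations/" prefix to get the ID the describe command takes, and print
# one "ID<TAB>status" line per organization. Needs gcloud and credentials.
audit_all_organizations() {
  gcloud organizations list --format="value(name)" | while read -r org; do
    org_id=${org#organizations/}
    json=$(gcloud alpha logging cmek-settings describe \
      --organization="$org_id" --format="json(kmsKeyName)" 2>/dev/null)
    printf '%s\t%s\n' "$org_id" "$(classify_cmek_setting "$json")"
  done
}

# Constructed samples of what the describe command prints.
SAMPLE_UNSET='{}'
SAMPLE_NULL='{"kmsKeyName": null}'
SAMPLE_SET='{
  "kmsKeyName": "projects/cc-main-project-123123/locations/global/keyRings/cc-logs-router-key-ring/cryptoKeys/cc-cloud-logs-router-cmk"
}'

# Offline demonstration on the samples; set RUN_AUDIT=1 to query real organizations.
for s in "$SAMPLE_UNSET" "$SAMPLE_NULL" "$SAMPLE_SET"; do
  printf 'kmsKeyName=%s -> %s\n' "$(extract_kms_key_name "$s")" "$(classify_cmek_setting "$s")"
done
if [ "${RUN_AUDIT:-0}" = 1 ]; then
  audit_all_organizations
fi
```

The UNEXPECTED branch matters in practice: a value that is non-empty but not a cryptoKeys resource name (for example, output from a different format string or a truncated line) should not be reported as compliant just because it is not null.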

Remediation / Resolution

To enable encryption with Cloud KMS Customer-Managed Keys (CMKs) for your Logs Router data at the GCP organization level, perform the following operations:

Note: Enabling KMS CMK-based encryption for your Google Cloud Logs Router using Google Cloud Platform (GCP) Console is not currently supported.

Using GCP CLI

01 Before you can set up and manage your Customer-Managed Keys (CMKs), you must create a key ring. A Cloud KMS key ring is a grouping of cryptographic keys made available for organizational purposes in a specific Google Cloud location. Run kms keyrings create command (Windows/macOS/Linux) to create a new Cloud KMS key ring in the specified location (in this case, the location used is "global"):

gcloud kms keyrings create cc-logs-router-key-ring \
  --location=global \
  --project=cc-main-project-123123 \
  --format="table(name)"

02 The command output should return the identifier (name) of the newly created key ring:

NAME
projects/cc-main-project-123123/locations/global/keyRings/cc-logs-router-key-ring

03 Run kms keys create command (Windows/macOS/Linux) to create a new Cloud KMS Customer-Managed Key (CMK) within the KMS key ring created at the previous step:

gcloud kms keys create cc-cloud-logs-router-cmk \
  --location=global \
  --keyring=cc-logs-router-key-ring \
  --purpose=encryption \
  --protection-level=software \
  --rotation-period=90d \
  --next-rotation-time=2020-07-17T10:00:00.0000Z \
  --format="table(name)"

04 The command output should return the name of the new Customer-Managed Key (CMK):

NAME
projects/cc-main-project-123123/locations/global/keyRings/cc-logs-router-key-ring/cryptoKeys/cc-cloud-logs-router-cmk

05 Run kms keys add-iam-policy-binding command (Windows/macOS/Linux) to add a policy binding to the IAM policy of the newly created Customer-Managed Key in order to assign the Cloud KMS "CryptoKey Encrypter/Decrypter" role to the necessary service account:

gcloud kms keys add-iam-policy-binding cc-cloud-logs-router-cmk \
  --keyring=cc-logs-router-key-ring \
  --location=global \
  --member=serviceAccount:o123412341234-112233@gcp-sa-logging.iam.gserviceaccount.com \
  --role=roles/cloudkms.cryptoKeyEncrypterDecrypter

06 The command output should return the updated IAM policy (YAML format):

Updated IAM policy for key [cc-cloud-logs-router-cmk].
bindings:
- members:
  - serviceAccount:o123412341234-112233@gcp-sa-logging.iam.gserviceaccount.com
  role: roles/cloudkms.cryptoKeyEncrypterDecrypter
- members:
  - user:admin@cloudconformity.com
  role: roles/owner
etag: abcdabcdabcd
version: 1

07 Customer-Managed Keys (CMKs) for Google Cloud Logs Router can only be configured for GCP organizations. Once configured, the setting applies to all projects and folders within the specified organization. Run logging cmek-settings update command (Windows/macOS/Linux) using the ID of the GCP organization that you want to reconfigure as the identifier parameter, to update the Cloud Logging settings for the selected organization so that the Logs Router data is encrypted with the Customer-Managed Key (CMK) created at step no. 3 (the command does not produce an output):

gcloud alpha logging cmek-settings update \
  --organization=123412341234 \
  --kms-key-name=projects/cc-main-project-123123/locations/global/keyRings/cc-logs-router-key-ring/cryptoKeys/cc-cloud-logs-router-cmk

08 Repeat step no. 7 to enable CMK-based encryption for the Logs Router available within each GCP organization created in your Google Cloud account.
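Steps 1 to 7 above are one procedure with two places where a hand-typed value commonly goes wrong: the --location must be the same for the key ring, the key and the key resource name passed to cmek-settings update, and the --member in step 5 must be the organization's own Logs Router service agent. The following script is an added example and not the Conformity page's code. The gcloud invocations are the page's own steps; the helper functions, the DRY_RUN switch, the NEXT_ROTATION_TIME variable and the placeholder values are assumptions made here. It reads the service agent from the serviceAccountId field that cmek-settings describe returns instead of typing the o<ORG_ID>-...@gcp-sa-logging.iam.gserviceaccount.com address, creates the key ring and key only if they do not already exist, and verifies the result at the end.

```shell
#!/bin/sh
# Added example (not part of the Conformity page): remediation steps 1 to 7 for
# one organization as a single re-runnable function. Set DRY_RUN=1 to print the
# commands instead of executing them. Values below are the page's sample IDs.

# Full Cloud KMS key resource name, the form --kms-key-name expects.
kms_key_resource_name() {
  printf 'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s' "$1" "$2" "$3" "$4"
}

# Accept only a key resource name: not a bare key ID and not a key *version*
# (.../cryptoKeyVersions/N), which this setting does not take.
is_valid_kms_key_name() {
  case "$1" in
    projects/*/locations/*/keyRings/*/cryptoKeys/*/*) return 1 ;;
    projects/*/locations/*/keyRings/*/cryptoKeys/?*) return 0 ;;
    *) return 1 ;;
  esac
}

# Echo the command in dry-run mode, execute it otherwise.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# enable_logs_router_cmek ORG_ID PROJECT LOCATION KEYRING KEY
enable_logs_router_cmek() {
  org_id=$1 project=$2 location=$3 keyring=$4 key=$5
  key_name=$(kms_key_resource_name "$project" "$location" "$keyring" "$key")
  is_valid_kms_key_name "$key_name" || { echo "invalid key name: $key_name" >&2; return 1; }

  # Steps 1 and 3: create the key ring and key only when missing, so the function
  # is safe to re-run. One $location is used throughout, so the key ring, the key
  # and the resource name handed to Logs Router cannot disagree.
  gcloud kms keyrings describe "$keyring" --location="$location" --project="$project" >/dev/null 2>&1 ||
    run gcloud kms keyrings create "$keyring" --location="$location" --project="$project"
  gcloud kms keys describe "$key" --keyring="$keyring" --location="$location" --project="$project" >/dev/null 2>&1 ||
    run gcloud kms keys create "$key" --keyring="$keyring" --location="$location" --project="$project" \
      --purpose=encryption --protection-level=software \
      --rotation-period=90d --next-rotation-time="${NEXT_ROTATION_TIME:?set to a future RFC 3339 time}"

  # Step 5: the Logs Router service agent that needs cryptoKeyEncrypterDecrypter is
  # reported by cmek-settings describe as serviceAccountId; read it, do not type it.
  if [ "${DRY_RUN:-0}" = 1 ]; then
    sa='<serviceAccountId from cmek-settings describe>'   # placeholder, dry-run only
  else
    sa=$(gcloud alpha logging cmek-settings describe --organization="$org_id" --format="value(serviceAccountId)")
  fi
  run gcloud kms keys add-iam-policy-binding "$key" --keyring="$keyring" --location="$location" --project="$project" \
    --member="serviceAccount:$sa" --role=roles/cloudkms.cryptoKeyEncrypterDecrypter

  # Step 7: point the organization's Logs Router at the key (no output on success).
  run gcloud alpha logging cmek-settings update --organization="$org_id" --kms-key-name="$key_name"

  # Confirm the setting took effect (this is the audit's step 3).
  run gcloud alpha logging cmek-settings describe --organization="$org_id" --format="json(kmsKeyName)"
}

# Dry run with the identifiers used on the page; NEXT_ROTATION_TIME is a placeholder here.
DRY_RUN=1
NEXT_ROTATION_TIME='<future RFC 3339 time>'
enable_logs_router_cmek 123412341234 cc-main-project-123123 global cc-logs-router-key-ring cc-cloud-logs-router-cmk
```

Run it once with DRY_RUN=1 to read the exact commands that will be issued, then with DRY_RUN=0 and a real NEXT_ROTATION_TIME against the organization; step 8 is a loop over this function with each organization ID.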

Publication date May 4, 2021