Enable Object Encryption with Customer-Managed Keys

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that your Google Cloud Storage data is encrypted at rest using Customer-Managed Keys (CMKs) in order to have full control over your data encryption/decryption process. You can create, rotate, manage and destroy your own Customer-Managed Keys (CMKs) with the Cloud Key Management Service (Cloud KMS).

Security

By default, Google Cloud Storage service encrypts all data (objects) within your buckets using Google-managed encryption keys. However, if you want to fully control and manage bucket data encryption yourself, you can use your own Customer-Managed Keys (CMKs). Cloud KMS Customer-Managed Keys provide an additional encryption layer for your sensitive and confidential data, and are often used in organizations where compliance and security controls are more stringent.
Audit

To determine if your Cloud Storage buckets are configured to encrypt data using Customer-Managed Keys (CMKs), perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to Cloud Storage dashboard at https://console.cloud.google.com/storage.

04 In the navigation panel, select Browser to access the list with all the Cloud Storage buckets created for the selected project.

05 Click on the name of the storage bucket that you want to examine.

06 Select the Overview tab to view the configuration details available for selected bucket.

07 On the Overview panel, check the Encryption type configuration attribute value. If the attribute value is different than Customer-managed key, the data within the selected Google Cloud Storage bucket is not encrypted using a Cloud KMS Customer-Managed Key (CMK).

08 Repeat steps no. 5 – 7 for each storage bucket provisioned within the selected project.

09 Repeat steps no. 2 – 8 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the Google Cloud Platform (GCP) projects available in your cloud account:

gcloud projects list \
	--format="table(projectId)"

02 The command output should return the requested GCP project IDs:

PROJECT_ID
cc-web-project-112233
cc-mobile-project-111222

03 Run gsutil ls command (using gsutil Python tool) to list the identifier of each storage bucket created for the specified GCP project:

gsutil ls -p cc-web-project-112233

04 The command output should return the requested storage resource name(s):

gs://cc-webdata-bucket/
gs://cc-logging-bucket/
gs://cc-bigdata-bucket/

05 Run gsutil kms encryption command (using gsutil tool) using the name of the Cloud Storage bucket that you want to examine as identifier parameter, to describe the default encryption key configured for the selected bucket:

gsutil kms encryption gs://cc-webdata-bucket/

06 The command output should return the requested encryption key identifier (ID):

Default encryption key for gs://cc-webdata-bucket:

projects/cc-web-project-112233/locations/us/keyRings/cc-webdata-key-ring/cryptoKeys/cc-webdata-cmk

If the gsutil kms encryption command does not return a key name in the format "projects/<project-id>/locations/<location>/keyRings/<key-ring-name>/cryptoKeys/<key-name>" (for example, because the bucket has no default encryption key configured), the data on the selected Google Cloud Storage bucket is not encrypted using a Customer-Managed Key (CMK).

07 Repeat steps no. 5 and 6 for each storage bucket created for the selected project.

08 Repeat steps no. 3 – 7 for each project available within your Google Cloud account.
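The CLI audit above (steps 1 – 8), automated as an added example that is not part of the Conformity article: a classifier for the gsutil kms encryption output plus a loop over every project and bucket. The two sample outputs are constructed for offline testing and modelled on what gsutil prints; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Conformity article): audit every bucket in every
# project and report the ones whose default encryption key is not a Cloud KMS CMK.

# Extract the Cloud KMS key resource name from `gsutil kms encryption` output.
# Prints the key when one is present and prints nothing otherwise.
cmk_key_from_output() {
  printf '%s\n' "$1" |
    grep -oE 'projects/[^/[:space:]]+/locations/[^/[:space:]]+/keyRings/[^/[:space:]]+/cryptoKeys/[^/[:space:]]+' |
    head -n 1
}

# Classify one bucket: "CMK <key>" or "NO_CMK" (Google-managed default encryption).
bucket_cmk_status() {
  key=$(cmk_key_from_output "$1")
  if [ -n "$key" ]; then
    printf 'CMK %s\n' "$key"
  else
    printf 'NO_CMK\n'
  fi
}

# Walk all projects and buckets (requires gcloud/gsutil and an authenticated account).
audit_all_buckets() {
  gcloud projects list --format="value(projectId)" | while read -r project; do
    gsutil ls -p "$project" | while read -r bucket; do
      out=$(gsutil kms encryption "$bucket" 2>&1 || true)
      printf '%s\t%s\t%s\n' "$project" "$bucket" "$(bucket_cmk_status "$out")"
    done
  done
}

# Constructed sample outputs, modelled on what gsutil prints, so the classifier
# can be exercised without cloud access.
SAMPLE_WITH_CMK='Default encryption key for gs://cc-webdata-bucket:

projects/cc-web-project-112233/locations/us/keyRings/cc-webdata-key-ring/cryptoKeys/cc-webdata-cmk'
SAMPLE_NO_CMK='Bucket gs://cc-logging-bucket has no default encryption key.'

if [ "${1:-}" = "--run" ]; then
  audit_all_buckets | grep -v 'CMK projects/' || true   # print only non-compliant buckets
else
  bucket_cmk_status "$SAMPLE_WITH_CMK"
  bucket_cmk_status "$SAMPLE_NO_CMK"
fi
```

Run it with --run against a real account to list only the buckets that fall back to Google-managed keys; without arguments it classifies the two constructed samples.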

Remediation / Resolution

To enable encryption at rest using Cloud KMS Customer-Managed Keys (CMKs) for the data (objects) available in your Cloud Storage buckets, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 To create and configure your new Customer-Managed Key (CMK), perform the following:

  1. Navigate to Cloud Key Management Service (Cloud KMS) dashboard at https://console.cloud.google.com/security/kms.
  2. Before you can set up and manage any Customer-Managed Keys (CMKs), you must create a key ring. A KMS key ring is a grouping of cryptographic keys made available for organizational purposes in a specific location. In the navigation panel, select Cryptographic Keys, and click on the CREATE KEY RING button to set up the required key ring and the new Customer-Managed Key (CMK).
  3. A key ring requires a name and location. On the Create key ring page, provide a unique name in the Key ring name box, then choose the appropriate location from the Key ring location dropdown list. The location can be either global or associated with a particular region. If the CMKs created later within the key ring will be used to encrypt/decrypt resources in a given region, select that region as the key ring location. Click CREATE to deploy the new key ring.
  4. On the Create key page, select Generated key as the type of the CMK that you want to create. Provide a name for your new key in the Key name box, choose the protection level (software or Hardware Security Module – HSM) that you want to use, select Symmetric encrypt/decrypt from the Purpose dropdown list to define the types of operations that your cryptographic key can perform, and configure the key rotation parameters. Click CREATE to deploy your new Cloud KMS Customer-Managed Key (CMK).

04 Navigate to Cloud Storage dashboard at https://console.cloud.google.com/storage.

05 In the navigation panel, select Browser to access the list with all the Cloud Storage buckets provisioned for the selected project.

06 Click on the name of the storage bucket that you want to reconfigure.

07 Click on the EDIT BUCKET button from the dashboard top menu to access the bucket's edit mode.

08 On the Edit bucket configuration page, click on Show advanced settings to expand the panel with the advanced settings available for the selected bucket.

09 Under Encryption, choose Customer-managed key option, and select the CMK created at step no. 3 from the Select a customer-managed key dropdown list.

10 Click Save to apply the configuration changes.

11 Repeat steps no. 6 – 10 to configure encryption at rest with Customer-Managed Keys (CMKs) for other storage buckets available in the selected project.

12 Repeat steps no. 2 – 11 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Before you can set up and manage your Customer-Managed Keys (CMKs), you must create a key ring. A KMS key ring is a grouping of cryptographic keys made available for organizational purposes in a specific Google Cloud location. Run kms keyrings create command (Windows/macOS/Linux) to create a new Cloud KMS key ring in the specified location. If the CMKs created later within this key ring will be used to encrypt/decrypt resources in a given region, select that region as the key ring location:

gcloud kms keyrings create cc-webdata-key-ring \
	--location=us \
	--project=cc-web-project-112233 \
	--format="table(name)"

02 The command output should return the identifier (name) of the newly created key ring:

NAME
projects/cc-web-project-112233/locations/us/keyRings/cc-webdata-key-ring

03 Run kms keys create command (Windows/macOS/Linux) to create a new Cloud KMS Customer-Managed Key (CMK) within the KMS key ring created at the previous steps:

gcloud kms keys create cc-webdata-cmk \
	--location=us \
	--keyring=cc-webdata-key-ring \
	--purpose=encryption \
	--protection-level=software \
	--rotation-period=90d \
	--next-rotation-time=2020-10-10T12:00:00.0000Z \
	--format="table(name)"

04 The command output should return the name (ID) of the new Customer-Managed Key (CMK):

NAME
projects/cc-web-project-112233/locations/us/keyRings/cc-webdata-key-ring/cryptoKeys/cc-webdata-cmk

05 Run projects add-iam-policy-binding command (Windows/macOS/Linux) to assign the Cloud KMS "CryptoKey Encrypter/Decrypter" role to the Cloud Storage service account, in order to give the service account the permission to use your new CMK. Replace <kms-project-id> with the ID of the Google Cloud project where the Customer-Managed Keys are provisioned, and replace <project-number> with the project number of the Google Cloud project that is using your Cloud Storage buckets:

gcloud projects add-iam-policy-binding <kms-project-id> \
	--member serviceAccount:service-<project-number>@gs-project-accounts.iam.gserviceaccount.com \
	--role roles/cloudkms.cryptoKeyEncrypterDecrypter

06 The command output should return the updated IAM policy (YAML format):

Updated IAM policy for project <kms-project-id>.
bindings:
- members:
  - serviceAccount:service-<project-number>@gs-project-accounts.iam.gserviceaccount.com
  role: roles/cloudkms.cryptoKeyEncrypterDecrypter
- members:
  - user:admin@cloudrealisation.com
  role: roles/editor
- members:
  - serviceAccount:service-<project-number>@compute-system.iam.gserviceaccount.com
  - user:admin@cloudconformity.com
  role: roles/owner
etag: abcdabcdabcd
version: 1

07 Run gsutil kms encryption command (using gsutil Python tool) using the name of the Cloud Storage bucket that you want to reconfigure as identifier parameter and the name (ID) of your new Cloud KMS Customer-Managed Key as value for the -k parameter, to enable encryption at rest for the selected bucket, using Customer-Managed Keys (CMKs):

gsutil kms encryption \
	-k projects/cc-web-project-112233/locations/us/keyRings/cc-webdata-key-ring/cryptoKeys/cc-webdata-cmk \
	gs://cc-webdata-bucket/

08 The output should return the gsutil kms encryption command request status:

Authorized service account service-<project-number>@gs-project-accounts.iam.gserviceaccount.com to use key:
projects/cc-web-project-112233/locations/us/keyRings/cc-webdata-key-ring/cryptoKeys/cc-webdata-cmk

Setting default KMS key for bucket gs://cc-webdata-bucket...

09 Repeat steps no. 7 and 8 to configure encryption with Customer-Managed Keys (CMKs) for other storage buckets created for the selected project.

10 Repeat steps no. 1 – 9 for each project available within your Google Cloud account.
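The CLI remediation above (steps 1 – 9) as one re-runnable script, added here as an example that is not part of the Conformity article: it creates the key ring and key only when they are missing, looks up the project number instead of copying it by hand, binds the Encrypter/Decrypter role on the key itself rather than on the whole project, and verifies the bucket's default key afterwards. It assumes gcloud and gsutil are installed and authenticated and that GNU date is available for the first rotation timestamp; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Conformity article): enable a Cloud KMS CMK as the default
# key for a bucket, deriving the project number and granting the Cloud Storage service
# agent access on the key itself (least privilege) instead of on the whole project.
set -e

# Full Cloud KMS resource name: $1 project, $2 location, $3 key ring, $4 key.
kms_key_name() {
  printf 'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s\n' "$1" "$2" "$3" "$4"
}

# Cloud Storage service agent for project number $1; it needs Encrypter/Decrypter on the key.
gcs_service_agent() {
  printf 'service-%s@gs-project-accounts.iam.gserviceaccount.com\n' "$1"
}

# $1 KMS project, $2 location, $3 key ring, $4 key, $5 bucket project, $6 bucket (gs://.../).
enable_bucket_cmk() {
  kms_project=$1; location=$2; ring=$3; key=$4; bucket_project=$5; bucket=$6

  # Create the key ring and key only when missing, so the script can be re-run safely.
  gcloud kms keyrings describe "$ring" --location="$location" --project="$kms_project" >/dev/null 2>&1 ||
    gcloud kms keyrings create "$ring" --location="$location" --project="$kms_project"
  if ! gcloud kms keys describe "$key" --keyring="$ring" --location="$location" --project="$kms_project" >/dev/null 2>&1; then
    next=$(date -u -d '+90 days' '+%Y-%m-%dT%H:%M:%SZ')   # GNU date; first rotation in 90 days
    gcloud kms keys create "$key" --keyring="$ring" --location="$location" --project="$kms_project" \
      --purpose=encryption --protection-level=software \
      --rotation-period=90d --next-rotation-time="$next"
  fi

  # Look the project number up instead of copying it by hand.
  number=$(gcloud projects describe "$bucket_project" --format="value(projectNumber)")
  agent=$(gcs_service_agent "$number")

  # Grant the role on this key only, not on the whole KMS project as in step 05.
  gcloud kms keys add-iam-policy-binding "$key" --keyring="$ring" --location="$location" \
    --project="$kms_project" --member="serviceAccount:$agent" \
    --role=roles/cloudkms.cryptoKeyEncrypterDecrypter

  full_key=$(kms_key_name "$kms_project" "$location" "$ring" "$key")
  gsutil kms encryption -k "$full_key" "$bucket"

  # Verify the bucket now reports the key as its default. Only objects written from now
  # on use it; objects already in the bucket keep the key they were written with.
  gsutil kms encryption "$bucket" | grep -q "$full_key"
}

# Example invocation with the article's names; runs only when --run is passed.
if [ "${1:-}" = "--run" ]; then
  enable_bucket_cmk cc-web-project-112233 us cc-webdata-key-ring cc-webdata-cmk \
    cc-web-project-112233 gs://cc-webdata-bucket/
fi
```

Existing objects are not re-encrypted by changing the default key; rewrite them (for example with gsutil rewrite -k) if they must also use the CMK.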

Publication date Apr 21, 2021