Restrict Default Google-Managed Encryption for Cloud SQL Instances (Deprecated)

Status: Deprecated

“Restrict default Google-managed encryption on Cloud SQL instances” (sql.disableDefaultEncryptionCreation) policy is being deprecated by Google Cloud, therefore the policy may not appear in new/certain accounts. For more information on rule deprecation, see here.

Risk Level: Medium (should be achieved)

Ensure that the use of Google-managed encryption keys for Cloud SQL database instances is disabled at the GCP organization level in order to enforce the use of Customer-Managed Keys (CMKs) and have full control over SQL database encryption/decryption process.

Security

By default, the "Restrict Default Google-Managed Encryption for Cloud SQL Instances" constraint policy is disabled and Google-managed encryption is allowed for all Cloud SQL instances. Once this constraint policy is enabled, Google Cloud Platform requires all newly created, restarted, or updated Cloud SQL database instances to use Customer-Managed Keys (CMKs) for encryption at rest. Instead of letting Google to manage the encryption keys that protect your SQL databases, you can use your own encryption keys using Cloud KMS service.

Note: This organization policy is not retroactive, therefore any existing database instances using Google-managed encryption are not impacted unless they are updated or refreshed.

Audit

To determine if the use of Google-managed encryption keys for Cloud SQL instances is disabled within your GCP organizations, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console with the organizational unit credentials.

02 Click on the deployment selector from the top navigation bar, select ALL to list all the existing deployments, then choose the Google Cloud organization that you want to examine.

03 Navigate to Cloud Identity and Access Management (IAM) dashboard at https://console.cloud.google.com/iam-admin/iam.

04 In the navigation panel, select Organization Policies to access the list with the cloud organization policies available for your GCP organization.

05 Click inside the Filter by policy name or ID filter box, select Name and Restrict default Google-managed encryption on Cloud SQL instances to return the "Restrict Default Google-Managed Encryption for Cloud SQL Instances" policy.

06 Click on the name of the organization policy returned at the previous step.

07 On the Policy details page, under Effective policy, check the Enforcement configuration attribute status. If the Enforcement attribute status is set to Not enforced, the "Restrict Default Google-Managed Encryption for Cloud SQL Instances" constraint policy is not enforced within the selected Google Cloud organization.

08 Repeat steps no. 2 – 7 for each organization available in your Google Cloud account.

Using GCP CLI

01 Run organizations list command (Windows/macOS/Linux) using custom query filters to list the ID of each organization available within your Google Cloud account:

gcloud organizations list
    --format="table(name)"

02 The command output should return the requested organization identifiers (IDs):

ID
112233441122
123412341234

03 Run resource-manager org-policies describe command (Windows/macOS/Linux) using the ID of the GCP organization that you want to examine as identifier parameter, to describe the enforcement configuration of the "Restrict Default Google-Managed Encryption for Cloud SQL Instances" policy (i.e. "sql.disableDefaultEncryptionCreation" constraint), available for the selected organization:

gcloud alpha resource-manager org-policies describe
"sql.disableDefaultEncryptionCreation"
    --effective
    --organization=112233441122
    --format="table(booleanPolicy)"

04 The command request should return the requested configuration information:

BOOLEAN_POLICY
{}

If the resource-manager org-policies describe command output returns an empty object for the BOOLEAN_POLICY configuration attribute, as shown in the example above, the "Restrict Default Google-Managed Encryption for Cloud SQL Instances" constraint policy is not enforced within the selected Google Cloud organization.

05 Repeat step no. 3 and 4 for each organization created within your Google Cloud account.

Remediation / Resolution

To enforce the use of Customer-Managed Keys (CMKs) for Cloud SQL instances encryption at the GCP organization level, enable the "Restrict Default Google-Managed Encryption for Cloud SQL Instances" policy by performing the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console with the organizational unit credentials.

02 Click on the deployment selector from the top navigation bar, select ALL to list all the existing deployments, then choose the Google Cloud organization that you want to reconfigure.

03 Navigate to Cloud Identity and Access Management (IAM) dashboard at https://console.cloud.google.com/iam-admin/iam.

04 In the navigation panel, select Organization Policies to access the list with the cloud organization policies available for your organization.

05 Click inside the Filter by policy name or ID box, select Name and Restrict default Google-managed encryption on Cloud SQL instances to list only the "Restrict Default Google-Managed Encryption for Cloud SQL Instances" policy.

06 Click on the name of the organization policy listed at the previous step.

07 On the Policy details page, click on the EDIT button from the dashboard top menu to edit the selected policy.

08 On the Edit policy configuration page, perform the following operations:

Under Applies to, select Customize to choose the type of the policy to apply (i.e. customized policy).
Under Enforcement, select On to enable the "sql.disableDefaultEncryptionCreation" constraint. This constraint forces all the newly created, restarted, or updated Cloud SQL database instances within the selected organization to use Customer-Managed Keys (CMKs) for encryption at rest.
Click SAVE to apply the changes and enforce the "Restrict Default Google-Managed Encryption for Cloud SQL Instances" organization policy.

09 If required, repeat steps no. 2 – 8 to enable the policy for other organizations available in your Google Cloud account.

Using GCP CLI

01 Run resource-manager org-policies enable-enforce command (Windows/macOS/Linux) using the ID of the Google Cloud Platform (GCP) organization that you want to reconfigure as identifier parameter, to enforce the "Restrict Default Google-Managed Encryption for Cloud SQL Instances" constraint policy for the selected organization:

gcloud alpha resource-manager org-policies enable-enforce "sql.disableDefaultEncryptionCreation"
    --organization=112233441122

02 The command request should return the reconfigured organization policy metadata:

booleanPolicy:
  enforced: true
constraint: constraints/sql.disableDefaultEncryptionCreation
etag: abcdabcdabcd
updateTime: '2020-09-04T10:00:00.000Z'

03 If required, repeat step no. 1 and 2 to enforce the policy for other organizations created within your Google Cloud account.

References

Google Cloud Platform (GCP) Documentation
Resource Manager
Using constraints
Organization policy constraints
Creating and managing organization policies

GCP Command Line Interface (CLI) Documentation
gcloud organizations list
gcloud alpha resource-manager org-policies describe
gcloud alpha resource-manager org-policies enable-enforce

Publication date May 10, 2021

Audit

Using GCP Console

Using GCP CLI

Remediation / Resolution

Using GCP Console

Using GCP CLI

References

Related ResourceManager rules