cloud/gcp/resourcemanager/gcloud-org-sql-default-encryption.yaml

id: gcloud-org-sql-default-encryption

info:
  name: Default Google-Managed Encryption for Cloud SQL Not Restricted
  author: princechaddha
  severity: medium
  description: |
    Ensure that the use of Google-managed encryption keys for Cloud SQL database instances is disabled at the GCP organization level in order to enforce the use of Customer-Managed Keys (CMKs) and have full control over SQL database encryption/decryption process. Note: This organization policy is not retroactive, therefore any existing database instances using Google-managed encryption are not impacted unless they are updated or refreshed.
  impact: |
    By default, Google-managed encryption is allowed for all Cloud SQL instances. Without enforcing CMK usage, you have less control over the encryption keys that protect your SQL databases.
  remediation: |
    Enable the "Restrict Default Google-Managed Encryption for Cloud SQL Instances" policy at the organization level using the 'gcloud alpha resource-manager org-policies enable-enforce' command with the sql.disableDefaultEncryptionCreation constraint.
  reference:
    - https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/ResourceManager/restrict-default-encryption-for-sql-instances.html
    - https://cloud.google.com/sql/docs/mysql/customer-managed-encryption-keys
  tags: cloud,devops,gcp,gcloud,resourcemanager,security,sql,encryption,cmk,gcp-cloud-config

flow: |
  code(1)
  for(let orgId of iterate(template.orgIds)){
    set("orgId", orgId)
    code(2)
  }

self-contained: true

code:
  - engine:
      - sh
      - bash
    source: |
      gcloud organizations list --format="json(name)"

    extractors:
      - type: json
        name: orgIds
        internal: true
        json:
          - '.[].name'

  - engine:
      - sh
      - bash
    source: |
      gcloud alpha resource-manager org-policies describe sql.disableDefaultEncryptionCreation --organization=$orgId --effective --format="json(booleanPolicy)"

    matchers:
      - type: word
        words:
          - "{}"

    extractors:
      - type: dsl
        dsl:
          - '"Organization " + orgId + " has not disabled default Google-managed encryption for Cloud SQL instances"'
# digest: 490a004630440220760e07a25881e95d2eb87587533b0006f50a3852c3f5931147ccebc88903316d02200148c895cf90b515d22e6e9371ab75c1e71c3202615ed1c6b8b1589b175696d1:922c64590222798bb761d5b6d8e72950
added checks for other services 2025-01-28 23:56:03 +04:00			`id: gcloud-org-sql-default-encryption`

			`info:`
			`name: Default Google-Managed Encryption for Cloud SQL Not Restricted`
			`author: princechaddha`
			`severity: medium`
			`description: \|`
			`Ensure that the use of Google-managed encryption keys for Cloud SQL database instances is disabled at the GCP organization level in order to enforce the use of Customer-Managed Keys (CMKs) and have full control over SQL database encryption/decryption process. Note: This organization policy is not retroactive, therefore any existing database instances using Google-managed encryption are not impacted unless they are updated or refreshed.`
			`impact: \|`
			`By default, Google-managed encryption is allowed for all Cloud SQL instances. Without enforcing CMK usage, you have less control over the encryption keys that protect your SQL databases.`
			`remediation: \|`
			`Enable the "Restrict Default Google-Managed Encryption for Cloud SQL Instances" policy at the organization level using the 'gcloud alpha resource-manager org-policies enable-enforce' command with the sql.disableDefaultEncryptionCreation constraint.`
			`reference:`
			`- https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/ResourceManager/restrict-default-encryption-for-sql-instances.html`
			`- https://cloud.google.com/sql/docs/mysql/customer-managed-encryption-keys`
			`tags: cloud,devops,gcp,gcloud,resourcemanager,security,sql,encryption,cmk,gcp-cloud-config`
Revert "chore: update TemplateMan 🤖" This reverts commit c31d574176f2b9e6f8d4fe573a24e7192f808e84. 2025-05-27 10:39:47 +08:00
added checks for other services 2025-01-28 23:56:03 +04:00			`flow: \|`
			`code(1)`
			`for(let orgId of iterate(template.orgIds)){`
			`set("orgId", orgId)`
			`code(2)`
			`}`

			`self-contained: true`

			`code:`
			`- engine:`
			`- sh`
			`- bash`
			`source: \|`
			`gcloud organizations list --format="json(name)"`

			`extractors:`
			`- type: json`
			`name: orgIds`
			`internal: true`
			`json:`
			`- '.[].name'`

			`- engine:`
			`- sh`
			`- bash`
			`source: \|`
			`gcloud alpha resource-manager org-policies describe sql.disableDefaultEncryptionCreation --organization=$orgId --effective --format="json(booleanPolicy)"`

			`matchers:`
			`- type: word`
			`words:`
			`- "{}"`

			`extractors:`
			`- type: dsl`
			`dsl:`
enhancements 2025-04-24 13:07:59 +05:30			`- '"Organization " + orgId + " has not disabled default Google-managed encryption for Cloud SQL instances"'`
chore: sign templates 🤖 2025-04-24 09:39:11 +00:00			`# digest: 490a004630440220760e07a25881e95d2eb87587533b0006f50a3852c3f5931147ccebc88903316d02200148c895cf90b515d22e6e9371ab75c1e71c3202615ed1c6b8b1589b175696d1:922c64590222798bb761d5b6d8e72950`