cloud/gcp/sql/gcloud-sql-cmk-not-enabled.yaml

id: gcloud-sql-cmk-not-enabled

info:
  name: Cloud SQL Instance Encryption with Customer-Managed Keys Not Enabled
  author: princechaddha
  severity: high
  description: |
    Ensure that your Google Cloud SQL database instances are encrypted with Customer-Managed Keys (CMKs) in order to have a fine control over your data encryption and decryption process. You can create and manage your own Customer-Managed Keys (CMKs) with Cloud Key Management Service (Cloud KMS). Cloud KMS provides secure and efficient encryption key management, controlled key rotation, and revocation mechanisms.
  impact: |
    Not encrypting Google Cloud SQL database instances with Customer-Managed Keys (CMKs) can result in reduced security, lack of control over encryption keys, and potential regulatory compliance issues.
  remediation: |
    Configure Cloud SQL instances to use Customer-Managed Keys (CMKs) for encryption by enabling encryption with Cloud KMS and specifying a key for each database instance.
  reference:
    - https://cloud.google.com/sql/docs/mysql/configure-cmek
  tags: cloud,devops,gcp,gcloud,google-cloud-sql,gcp-cloud-config

flow: |
  code(1)
  for(let projectId of iterate(template.projectIds)){
    set("projectId", projectId)
    code(2)
    for(let sqlInstance of iterate(template.sqlInstances)){
      set("sqlInstance", sqlInstance)
      code(3)
    }
  }

self-contained: true

code:
  - engine:
      - sh
      - bash
    source: |
      gcloud projects list --format="json(projectId)"

    extractors:
      - type: json
        name: projectIds
        internal: true
        json:
          - '.[].projectId'

  - engine:
      - sh
      - bash
    source: |
      gcloud sql instances list --project $projectId --format="json(name)"

    extractors:
      - type: json
        name: sqlInstances
        internal: true
        json:
          - '.[].name'

  - engine:
      - sh
      - bash
    source: |
      gcloud sql instances describe $sqlInstance --format="json(diskEncryptionConfiguration.kmsKeyName)"

    matchers:
      - type: word
        words:
          - 'null'

    extractors:
      - type: dsl
        dsl:
          - '"Cloud SQL instance " + sqlInstance + " in project " + projectId + " is not encrypted with a Customer-Managed Key (CMK)"'
# digest: 490a00463044022061f465091cd3c0744fc5199132afb1775e1d5ae15fac094126f9eeb7a73274bf022043d24e1922c77cb22341441259ab36071c88fe08fec777edeba29beeca77085c:922c64590222798bb761d5b6d8e72950
Added GCP Templates 2025-01-15 17:13:24 +05:30			`id: gcloud-sql-cmk-not-enabled`

			`info:`
			`name: Cloud SQL Instance Encryption with Customer-Managed Keys Not Enabled`
			`author: princechaddha`
			`severity: high`
			`description: \|`
			`Ensure that your Google Cloud SQL database instances are encrypted with Customer-Managed Keys (CMKs) in order to have a fine control over your data encryption and decryption process. You can create and manage your own Customer-Managed Keys (CMKs) with Cloud Key Management Service (Cloud KMS). Cloud KMS provides secure and efficient encryption key management, controlled key rotation, and revocation mechanisms.`
			`impact: \|`
			`Not encrypting Google Cloud SQL database instances with Customer-Managed Keys (CMKs) can result in reduced security, lack of control over encryption keys, and potential regulatory compliance issues.`
			`remediation: \|`
			`Configure Cloud SQL instances to use Customer-Managed Keys (CMKs) for encryption by enabling encryption with Cloud KMS and specifying a key for each database instance.`
			`reference:`
			`- https://cloud.google.com/sql/docs/mysql/configure-cmek`
			`tags: cloud,devops,gcp,gcloud,google-cloud-sql,gcp-cloud-config`
Revert "chore: update TemplateMan 🤖" This reverts commit c31d574176f2b9e6f8d4fe573a24e7192f808e84. 2025-05-27 10:39:47 +08:00
Added GCP Templates 2025-01-15 17:13:24 +05:30			`flow: \|`
			`code(1)`
			`for(let projectId of iterate(template.projectIds)){`
			`set("projectId", projectId)`
			`code(2)`
			`for(let sqlInstance of iterate(template.sqlInstances)){`
			`set("sqlInstance", sqlInstance)`
			`code(3)`
			`}`
			`}`

			`self-contained: true`

			`code:`
			`- engine:`
			`- sh`
			`- bash`
			`source: \|`
			`gcloud projects list --format="json(projectId)"`

			`extractors:`
			`- type: json`
			`name: projectIds`
			`internal: true`
			`json:`
			`- '.[].projectId'`

			`- engine:`
			`- sh`
			`- bash`
			`source: \|`
			`gcloud sql instances list --project $projectId --format="json(name)"`

			`extractors:`
			`- type: json`
			`name: sqlInstances`
			`internal: true`
			`json:`
			`- '.[].name'`

			`- engine:`
			`- sh`
			`- bash`
			`source: \|`
			`gcloud sql instances describe $sqlInstance --format="json(diskEncryptionConfiguration.kmsKeyName)"`

			`matchers:`
			`- type: word`
			`words:`
			`- 'null'`

			`extractors:`
			`- type: dsl`
			`dsl:`
			`- '"Cloud SQL instance " + sqlInstance + " in project " + projectId + " is not encrypted with a Customer-Managed Key (CMK)"'`
chore: sign templates 🤖 2025-04-24 09:39:11 +00:00			`# digest: 490a00463044022061f465091cd3c0744fc5199132afb1775e1d5ae15fac094126f9eeb7a73274bf022043d24e1922c77cb22341441259ab36071c88fe08fec777edeba29beeca77085c:922c64590222798bb761d5b6d8e72950`