id: gcloud-sql-cmk-not-enabled

info:
  name: Cloud SQL Instance Encryption with Customer-Managed Keys Not Enabled
  author: princechaddha
  severity: high
  description: |
    Ensure that your Google Cloud SQL database instances are encrypted with Customer-Managed Keys (CMKs) in order to have a fine control over your data encryption and decryption process. You can create and manage your own Customer-Managed Keys (CMKs) with Cloud Key Management Service (Cloud KMS). Cloud KMS provides secure and efficient encryption key management, controlled key rotation, and revocation mechanisms.
  impact: |
    Not encrypting Google Cloud SQL database instances with Customer-Managed Keys (CMKs) can result in reduced security, lack of control over encryption keys, and potential regulatory compliance issues.
  remediation: |
    Configure Cloud SQL instances to use Customer-Managed Keys (CMKs) for encryption by enabling encryption with Cloud KMS and specifying a key for each database instance.
  reference:
    - https://cloud.google.com/sql/docs/mysql/configure-cmek
  tags: cloud,devops,gcp,gcloud,google-cloud-sql,gcp-cloud-config

flow: |
  code(1)
  for(let projectId of iterate(template.projectIds)){
    set("projectId", projectId)
    code(2)
    for(let sqlInstance of iterate(template.sqlInstances)){
      set("sqlInstance", sqlInstance)
      code(3)
    }
  }

self-contained: true

code:
  - engine:
      - sh
      - bash
    source: |
      gcloud projects list --format="json(projectId)"

    extractors:
      - type: json
        name: projectIds
        internal: true
        json:
          - '.[].projectId'

  - engine:
      - sh
      - bash
    source: |
      gcloud sql instances list --project $projectId --format="json(name)"

    extractors:
      - type: json
        name: sqlInstances
        internal: true
        json:
          - '.[].name'

  - engine:
      - sh
      - bash
    source: |
      gcloud sql instances describe $sqlInstance --format="json(diskEncryptionConfiguration.kmsKeyName)"

    matchers:
      - type: word
        words:
          - 'null'

    extractors:
      - type: dsl
        dsl:
          - '"Cloud SQL instance " + sqlInstance + " in project " + projectId + " is not encrypted with a Customer-Managed Key (CMK)"'
# digest: 490a00463044022061f465091cd3c0744fc5199132afb1775e1d5ae15fac094126f9eeb7a73274bf022043d24e1922c77cb22341441259ab36071c88fe08fec777edeba29beeca77085c:922c64590222798bb761d5b6d8e72950