5.9.1 Enable Customer-Managed Encryption Keys (CMEK) for GKE Persistent Disks (PD)

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

Use Customer-Managed Encryption Keys (CMEK) to encrypt node boot and dynamically-provisioned attached Google Compute Engine Persistent Disks (PDs) using keys managed within Cloud Key Management Service (Cloud KMS).

Rationale:

GCE persistent disks are encrypted at rest by default using envelope encryption with keys managed by Google. For additional protection, users can manage the Key Encryption Keys (KEKs) themselves in Cloud KMS. With CMEK the data encryption keys that protect each disk are wrapped by a key you control: you decide its rotation schedule, its use can be recorded in Cloud Audit Logs, and disabling or destroying the key makes the disk contents unreadable, which gives you a crypto-shredding path that Google-managed keys do not offer.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

This cannot be remediated by updating an existing cluster or node pool. You must either recreate the affected node pool or create a new cluster. Likewise, CMEK for attached disks applies only to volumes dynamically provisioned after the StorageClass is configured; existing PersistentVolumes keep their current encryption.

Using Google Cloud Console

FOR NODE BOOT DISKS:
To create a new node pool:

Go to Kubernetes Engine by visiting https://console.cloud.google.com/kubernetes/list

Select a Kubernetes cluster for which node boot disk CMEK is disabled

Click ADD NODE POOL

Ensure Boot disk type is 'Standard persistent disk' or 'SSD persistent disk'

Select 'Enable customer-managed encryption for Boot Disk' and select the Cloud KMS encryption key you desire

Click SAVE.

To create a new cluster:

Go to Kubernetes Engine by visiting https://console.cloud.google.com/kubernetes/list

Click CREATE CLUSTER

Under the 'default-pool' heading, click 'More options'

In the Node pool edit window, select 'Standard persistent disk' or 'SSD Persistent Disk' as the Boot disk type

Select 'Enable customer-managed encryption for Boot Disk' check box and choose the Cloud KMS encryption key you desire

Configure the rest of the cluster settings as desired

Click CREATE.

FOR ATTACHED DISKS:
This is not possible using Google Cloud Console.

Using Command Line:

FOR NODE BOOT DISKS:
Create a new node pool using customer-managed encryption keys for the node boot disk, of [DISK_TYPE] either pd-standard or pd-ssd (node-pools create takes the new pool's name and identifies the cluster with --cluster):

gcloud beta container node-pools create [POOL_NAME] \
    --cluster [CLUSTER_NAME] \
    --disk-type [DISK_TYPE] \
    --boot-disk-kms-key projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME]

Create a cluster using customer-managed encryption keys for the node boot disk, of [DISK_TYPE] either pd-standard or pd-ssd:

gcloud beta container clusters create [CLUSTER_NAME] \
    --disk-type [DISK_TYPE] \
    --boot-disk-kms-key projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME]

Add --zone or --region if the target location is not your gcloud default. The Cloud KMS key must be in the same region as the disks it protects, and the Compute Engine service agent of the cluster's project (service-[PROJECT_NUMBER]@compute-system.iam.gserviceaccount.com) must hold roles/cloudkms.cryptoKeyEncrypterDecrypter on that key, otherwise node creation fails.

FOR ATTACHED DISKS:
Follow the instructions detailed at https://cloud.google.com/kubernetes-engine/docs/how-to/using-cmek.
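Because Nessus does not perform this check, the audit has to be done by hand. The script below is an added example (not part of the CIS benchmark or the Tenable audit) that evaluates both halves of this recommendation offline: node boot disks from the output of `gcloud container clusters describe [CLUSTER_NAME] --format=json` (the `config.bootDiskKmsKey` field set by --boot-disk-kms-key) and dynamically provisioned attached disks from `kubectl get storageclass -o json` (the `disk-encryption-kms-key` parameter of a `pd.csi.storage.gke.io` StorageClass, as described at the GKE CMEK how-to page linked above). The two JSON documents embedded in it are constructed samples, not captured output; the file names in the usage comment are assumptions.

```python
"""Added example: audit a GKE cluster's CMEK coverage offline from captured JSON.

Inputs are the output of
    gcloud container clusters describe [CLUSTER_NAME] --format=json
and
    kubectl get storageclass -o json
The two documents embedded below are constructed samples, not real output.
"""
import json
import re

# Resource-name form that --boot-disk-kms-key and the PD CSI StorageClass
# parameter disk-encryption-kms-key both expect.
KMS_KEY_RE = re.compile(
    r"^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$"
)
CMEK_DISK_TYPES = {"pd-standard", "pd-ssd"}   # boot disk types this audit allows
PD_CSI_PROVISIONER = "pd.csi.storage.gke.io"  # only this provisioner can set a CMEK


def audit_node_pools(cluster):
    """One finding per node pool: PASS only when config.bootDiskKmsKey is a well-formed key."""
    findings = []
    for pool in cluster.get("nodePools", []):
        cfg = pool.get("config", {})
        key = cfg.get("bootDiskKmsKey")
        disk_type = cfg.get("diskType")
        if disk_type and disk_type not in CMEK_DISK_TYPES:
            status = "FAIL: disk type %s is not pd-standard/pd-ssd" % disk_type
        elif not key:
            status = "FAIL: boot disk encrypted with Google-managed key only"
        elif not KMS_KEY_RE.match(key):
            status = "FAIL: bootDiskKmsKey is not a Cloud KMS key resource name"
        else:
            status = "PASS"
        findings.append({"nodePool": pool["name"], "diskType": disk_type,
                         "bootDiskKmsKey": key, "status": status})
    return findings


def audit_storage_classes(sc_list):
    """One finding per StorageClass: PASS only for PD CSI classes carrying a valid key."""
    findings = []
    for sc in sc_list.get("items", []):
        name = sc["metadata"]["name"]
        provisioner = sc.get("provisioner")
        params = sc.get("parameters") or {}
        key = params.get("disk-encryption-kms-key")
        if provisioner != PD_CSI_PROVISIONER:
            # The in-tree kubernetes.io/gce-pd provisioner has no CMEK parameter.
            status = "FAIL: provisioner %s cannot apply a CMEK" % provisioner
        elif not key or not KMS_KEY_RE.match(key):
            status = "FAIL: no valid disk-encryption-kms-key parameter"
        else:
            status = "PASS"
        findings.append({"storageClass": name, "provisioner": provisioner,
                         "kmsKey": key, "status": status})
    return findings


def non_compliant(findings):
    """Names of the node pools / StorageClasses that did not PASS."""
    return [f.get("nodePool") or f.get("storageClass")
            for f in findings if f["status"] != "PASS"]


# Constructed sample: one pool created before CMEK, one created with --boot-disk-kms-key.
SAMPLE_CLUSTER = json.loads("""{
  "name": "prod-cluster",
  "nodePools": [
    {"name": "default-pool", "config": {"diskType": "pd-standard", "diskSizeGb": 100}},
    {"name": "cmek-pool", "config": {"diskType": "pd-ssd",
      "bootDiskKmsKey": "projects/kms-proj/locations/us-central1/keyRings/gke-ring/cryptoKeys/node-boot"}}
  ]
}""")

# Constructed sample: the in-tree default class and a PD CSI class with a key.
SAMPLE_STORAGECLASSES = json.loads("""{
  "items": [
    {"metadata": {"name": "standard"}, "provisioner": "kubernetes.io/gce-pd",
     "parameters": {"type": "pd-standard"}},
    {"metadata": {"name": "cmek-ssd"}, "provisioner": "pd.csi.storage.gke.io",
     "parameters": {"type": "pd-ssd",
       "disk-encryption-kms-key": "projects/kms-proj/locations/us-central1/keyRings/gke-ring/cryptoKeys/pv-data"}}
  ]
}""")


if __name__ == "__main__":
    import sys
    # Assumed invocation: python audit_cmek.py cluster.json storageclasses.json
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fh:
            cluster = json.load(fh)
        with open(sys.argv[2]) as fh:
            scs = json.load(fh)
    else:
        cluster, scs = SAMPLE_CLUSTER, SAMPLE_STORAGECLASSES
    for finding in audit_node_pools(cluster) + audit_storage_classes(scs):
        print(finding)
    print("non-compliant:", non_compliant(audit_node_pools(cluster) + audit_storage_classes(scs)))
```

A PASS on the StorageClass side only shows that new PersistentVolumes will be created with the key; volumes provisioned before the class was changed, and any PVs bound through a non-CSI class, stay on Google-managed keys and need to be migrated separately.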

Impact:

While GKE CMEK is in beta, encryption of dynamically-provisioned attached disks requires the use of the self-provisioned Compute Engine Persistent Disk CSI Driver v0.5.1 or higher.

If you are configuring CMEK with a regional cluster, the cluster must run GKE 1.14 or higher.

Default Value:

Persistent disks are encrypted at rest by default, but are not encrypted using Customer-Managed Encryption Keys by default. By default, the Compute Engine Persistent Disk CSI Driver is not provisioned within the cluster.

See Also

https://workbench.cisecurity.org/files/2764