Detections
Analytics

5.3.1 Ensure Kubernetes Secrets are encrypted using keys managed in Cloud KMS

Information

Encrypt Kubernetes secrets, stored in etcd, at the application-layer using a customer-managed key in Cloud KMS.

Rationale:

By default, GKE encrypts customer content stored at rest, including Secrets. GKE handles and manages this default encryption for you without any additional action on your part.

Application-layer Secrets Encryption provides an additional layer of security for sensitive data, such as user defined Secrets and Secrets required for the operation of the cluster, such as service account keys, which are all stored in etcd.

Using this functionality, you can use a key, that you manage in Cloud KMS, to encrypt data at the application layer. This protects against attackers in the event that they manage to gain access to etcd.

Impact:

To use the Cloud KMS CryptoKey to protect etcd in the cluster, the 'Kubernetes Engine Service Agent' Service account must hold the 'Cloud KMS CryptoKey Encrypter/Decrypter' role.

Solution

To enable Application-layer Secrets Encryption, several configuration items are required. These include:

A key ring

A key

A GKE service account with Cloud KMS CryptoKey Encrypter/Decrypter role

Once these are created, Application-layer Secrets Encryption can be enabled on an existing or new cluster.
Using Google Cloud Console:
To create a key

Go to Cloud KMS by visiting https://console.cloud.google.com/security/kms.

Select CREATE KEY RING.

Enter a Key ring name and the region where the keys will be stored.

Click CREATE.

Enter a Key name and appropriate rotation period within the Create key pane.

Click CREATE.

To enable on a new cluster

Go to Kubernetes Engine by visiting: https://console.cloud.google.com/kubernetes/list.

Click CREATE CLUSTER, and choose the required cluster mode.

Within the Security heading, under CLUSTER, check Encrypt secrets at the application layer checkbox.

Select the kms key as the customer-managed key and, if prompted, grant permissions to the GKE Service account.

Click CREATE.

To enable on an existing cluster

Go to Kubernetes Engine by visiting: https://console.cloud.google.com/kubernetes/list.

Select the cluster to be updated.

Under the Details pane, within the Security heading, click on the pencil named Application-layer secrets encryption.

Enable Encrypt secrets at the application layer and choose a kms key.

Click SAVE CHANGES.

Using Command Line:
To create a key:
Create a key ring:

gcloud kms keyrings create <ring_name> --location <location> --project <key_project_id>

Create a key:

gcloud kms keys create <key_name> --location <location> --keyring <ring_name> --purpose encryption --project <key_project_id>

Grant the Kubernetes Engine Service Agent service account the Cloud KMS CryptoKey Encrypter/Decrypter role:

gcloud kms keys add-iam-policy-binding <key_name> --location <location> --keyring <ring_name> --member serviceAccount:<service_account_name> --role roles/cloudkms.cryptoKeyEncrypterDecrypter --project <key_project_id>

To create a new cluster with Application-layer Secrets Encryption:

gcloud container clusters create <cluster_name> --cluster-version=latest --zone <zone> --database-encryption-key projects/<key_project_id>/locations/<location>/keyRings/<ring_name>/cryptoKeys/<key_name> --project <cluster_project_id>

To enable on an existing cluster:

gcloud container clusters update <cluster_name> --zone <zone> --database-encryption-key projects/<key_project_id>/locations/<location>/keyRings/<ring_name>/cryptoKeys/<key_name> --project <cluster_project_id>

Default Value:

By default, Application-layer Secrets Encryption is disabled.

See Also

https://workbench.cisecurity.org/benchmarks/13178

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|IA-5(1), 800-53|SC-28, 800-53|SC-28(1), CSCv7|14.8

Plugin: GCP

Control ID: ef9d307614b19cf98253f15788c5777cfad4b44dec944297abc5b8d44a0dc1bc