Detections
Analytics

5.9.1 Enable Customer-Managed Encryption Keys (CMEK) for GKE Persistent Disks (PD)

Information

Use Customer-Managed Encryption Keys (CMEK) to encrypt node boot and dynamically-provisioned attached Google Compute Engine Persistent Disks (PDs) using keys managed within Cloud Key Management Service (Cloud KMS).

Rationale:

GCE persistent disks are encrypted at rest by default using envelope encryption with keys managed by Google. For additional protection, users can manage the Key Encryption Keys using Cloud KMS.

Impact:

Encryption of dynamically-provisioned attached disks requires the use of the self-provisioned Compute Engine Persistent Disk CSI Driver v0.5.1 or higher.

If CMEK is being configured with a regional cluster, the cluster must run GKE 1.14 or higher.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

This cannot be remediated by updating an existing cluster. The node pool must either be recreated or a new cluster created.
Using Google Cloud Console:
FOR NODE BOOT DISKS:
To create a new node pool:

Go to Kubernetes Engine by visiting: https://console.cloud.google.com/kubernetes/list

Select Kubernetes clusters for which node boot disk CMEK is disabled.

Click ADD NODE POOL.

In the Nodes section, under machine configuration, ensure Boot disk type is Standard persistent disk or SSD persistent disk.

Select Enable customer-managed encryption for Boot Disk and select the Cloud KMS encryption key to be used.

Click CREATE.

To create a new cluster:

Go to Kubernetes Engine by visiting: https://console.cloud.google.com/kubernetes/list

Click CREATE and click 'CONFIGURE for the required cluster mode.

Under NODE POOLS, expand the default-pool list and click Nodes.

In the Configure node settings pane, select Standard persistent disk or SSD Persistent Disk as the Boot disk type.

Select Enable customer-managed encryption for Boot Disk check box and choose the Cloud KMS encryption key to be used.

Configure the rest of the cluster settings as required.

Click CREATE.

FOR ATTACHED DISKS:
This is not possible using Google Cloud Console.
Using Command Line:
FOR NODE BOOT DISKS:
Create a new node pool using customer-managed encryption keys for the node boot disk, of <disk_type> either pd-standard or pd-ssd:

gcloud container node-pools create <cluster_name> --disk-type <disk_type> --boot-disk-kms-key projects/<key_project_id>/locations/<location>/keyRings/<ring_name>/cryptoKeys/<key_name>

Create a cluster using customer-managed encryption keys for the node boot disk, of <disk_type> either pd-standard or pd-ssd:

gcloud container clusters create <cluster_name> --disk-type <disk_type> --boot-disk-kms-key projects/<key_project_id>/locations/<location>/keyRings/<ring_name>/cryptoKeys/<key_name>

FOR ATTACHED DISKS:
Follow the instructions detailed at: https://cloud.google.com/kubernetes-engine/docs/how-to/using-cmek.

Default Value:

Persistent disks are encrypted at rest by default, but are not encrypted using Customer-Managed Encryption Keys by default. By default, the Compute Engine Persistent Disk CSI Driver is not provisioned within the cluster.

See Also

https://workbench.cisecurity.org/benchmarks/13178

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|IA-5(1), 800-53|SC-28, 800-53|SC-28(1), CSCv7|14.8

Plugin: GCP

Control ID: f2e946ff834d71ee66cfbf7630873267e8686d912b0379bd272f22e02c248a1f