Skip to main content

๐Ÿ›ก๏ธ Google Dataproc Cluster is not encrypted using Customer-Managed Encryption Key๐ŸŸข

  • Contextual name: ๐Ÿ›ก๏ธ Cluster is not encrypted using Customer-Managed Encryption Key๐ŸŸข
  • ID: /ce/ca/google/dataproc/cluster-encryption
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logicโ€‹

Similar Policiesโ€‹

Descriptionโ€‹

Open File

Descriptionโ€‹

When you use Dataproc, cluster and job data is stored on Persistent Disks (PDs) associated with the Compute Engine VMs in your cluster and in a Cloud Storage staging bucket. This PD and bucket data is encrypted using a Google-generated data encryption key (DEK) and key encryption key (KEK). The CMEK feature allows you to create, use, and revoke the key encryption key (KEK). Google still controls the data encryption key (DEK).

Rationaleโ€‹

Cloud services offer the ability to protect data related to those services using encryption keys managed by the customer within Cloud KMS. These encryption keys are called customer-managed encryption keys (CMEK). When you protect data in Google Cloud services with CMEK, the CMEK key is within your control.

Impactโ€‹

Using Customer Managed Keys involves additional overhead in maintenance by administrators.

Auditโ€‹

From Google Cloud Consoleโ€‹
  1. Login to the GCP Console and navigate to the Dataproc Cluster page by visiting https://console.cloud.google.com/dataproc/clusters.

... see more

Remediationโ€‹

Open File

Remediationโ€‹

From Google Cloud Consoleโ€‹

  1. Login to the GCP Console and navigate to the Dataproc Cluster page by visiting https://console.cloud.google.com/dataproc/clusters.

  2. Select the project from the projects dropdown list.

  3. On the Dataproc Cluster page, click on the Create Cluster to create a new cluster with Customer managed encryption keys.

  4. On Create a cluster page, perform below steps:

    โ€ข Inside Set up cluster section perform below steps:

     o In the `Name` textbox, provide a name for your cluster.

     o From `Location` select the location in which you want to deploy a cluster.

     o Configure other configurations as per your requirements.

    โ€ข Inside Configure Nodes and Customize cluster section configure the settings as per your requirements.

    โ€ข Inside Manage security section, perform below steps:

     o From `Encryption`, select `Customer-managed key`.

     o Select a customer-managed key from dropdown list.

     o Ensure that the selected KMS Key have Cloud KMS CryptoKey Encrypter/Decrypter role assign to Dataproc Cluster service account ("serviceAccount:service-<project_number>@compute-system.iam.gserviceaccount.com").

... see more

policy.yamlโ€‹

Open File

Linked Framework Sectionsโ€‹

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
๐Ÿ’ผ CIS GCP v1.3.0 โ†’ ๐Ÿ’ผ 1.17 Ensure that Dataproc Cluster is encrypted using Customer-Managed Encryption Key - Level 2 (Automated)1no data
๐Ÿ’ผ CIS GCP v2.0.0 โ†’ ๐Ÿ’ผ 1.17 Ensure that Dataproc Cluster is encrypted using Customer-Managed Encryption Key - Level 2 (Automated)1no data
๐Ÿ’ผ CIS GCP v3.0.0 โ†’ ๐Ÿ’ผ 8.1 Ensure that Dataproc Cluster is encrypted using Customer-Managed Encryption Key - Level 2 (Automated)1no data
๐Ÿ’ผ Cloudaware Framework โ†’ ๐Ÿ’ผ Secure Access57no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ IA-5 Authenticator Management (L)(M)(H)61432no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ SC-28 Protection of Information at Rest (L)(M)(H)1724no data
๐Ÿ’ผ FedRAMP Low Security Controls โ†’ ๐Ÿ’ผ IA-5 Authenticator Management (L)(M)(H)132no data
๐Ÿ’ผ FedRAMP Low Security Controls โ†’ ๐Ÿ’ผ SC-28 Protection of Information at Rest (L)(M)(H)124no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ IA-5 Authenticator Management (L)(M)(H)432no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ SC-28 Protection of Information at Rest (L)(M)(H)124no data
๐Ÿ’ผ ISO/IEC 27001:2022 โ†’ ๐Ÿ’ผ 5.33 Protection of records1015no data
๐Ÿ’ผ NIST CSF v1.1 โ†’ ๐Ÿ’ผ PR.DS-1: Data-at-rest is protected1530no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization42no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ PR.AA-03: Users, services, and hardware are authenticated53no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected148no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ IA-5 Authenticator Management1816no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ SC-28 Protection of Information at Rest31625no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 3.2 Do not store sensitive authentication data after authorization (even if encrypted).35no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 3.4 Render PAN unreadable anywhere it is stored.1712no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 3.4.1 If disk encryption is used, logical access must be managed separately and independently of native operating system authentication and access control mechanisms.712no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 3.7 Ensure that security policies and operational procedures for protecting stored cardholder data are documented, in use, and known to all affected parties.5no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 8.2.1 Using strong cryptography, render all authentication credentials unreadable during transmission and storage on all system components.14no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 3.1.1 All security policies and operational procedures identified in Requirement 3 are documented, kept up to date, in use, and known to all affected parties.5no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 3.3.1 SAD is not retained after authorization, even if encrypted.35no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 3.3.2 SAD that is stored electronically prior to completion of authorization is encrypted using strong cryptography.13no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 3.3.3 Any storage of sensitive authentication data is limited to that which is needed for a legitimate issuing business need, is secured and encrypted using strong cryptography.5no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 3.5.1 PAN is rendered unreadable anywhere it is stored.312no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 3.5.1.2 If disk-level or partition-level encryption (rather than file-, column-, or field-level database encryption) is used to render PAN unreadable.5no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 3.5.1.3 If disk-level or partition-level encryption is used (rather than file-, column-, or field--level database encryption) to render PAN unreadable.12no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 8.3.2 Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components.14no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 3.1.1 All security policies and operational procedures identified in Requirement 3 are documented, kept up to date, in use, and known to all affected parties.5no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 3.3.1 SAD is not retained after authorization, even if encrypted.35no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 3.3.2 SAD that is stored electronically prior to completion of authorization is encrypted using strong cryptography.813no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 3.3.3 Any storage of sensitive authentication data is limited to that which is needed for a legitimate issuing business need, is secured and encrypted using strong cryptography.5no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 3.5.1 PAN is rendered unreadable anywhere it is stored.312no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 3.5.1.2 If disk-level or partition-level encryption (rather than file-, column-, or field-level database encryption) is used to render PAN unreadable.5no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 3.5.1.3 If disk-level or partition-level encryption is used (rather than file-, column-, or field--level database encryption) to render PAN unreadable.12no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 8.3.2 Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components.614no data
๐Ÿ’ผ SOC 2 โ†’ ๐Ÿ’ผ CC6.1-3 Restricts Logical Access122no data
๐Ÿ’ผ SOC 2 โ†’ ๐Ÿ’ผ CC6.1-10 Uses Encryption to Protect Data611no data