📝 Google Dataproc Cluster is not encrypted using Customer-Managed Encryption Key 🟢

• Contextual name: 📝 Cluster is not encrypted using Customer-Managed Encryption Key 🟢
• ID: /ce/ca/google/dataproc/cluster-encryption
• Located in: 📁 Google Dataproc

Flags

• 🟢 Policy with categories
• 🟢 Policy with type
• 🟢 Production policy

Our Metadata

• Policy Type: COMPLIANCE_POLICY
• Policy Category:
  • SECURITY

Similar Policies

• Cloud Conformity
  • Enable Dataproc Cluster Encryption with Customer-Managed Keys

Logic

• 🧠 prod.logic.yaml 🟢
  • 📕 Google Dataproc Cluster
  • 🔌 Google Dataproc Cluster - object.extracts.yaml
  • 🧪 test-data.json

Description

Open File

Description

When you use Dataproc, cluster and job data is stored on Persistent Disks (PDs) associated with the Compute Engine VMs in your cluster and in a Cloud Storage staging bucket. This PD and bucket data is encrypted using a Google-generated data encryption key (DEK) and key encryption key (KEK). The CMEK feature allows you to create, use, and revoke the key encryption key (KEK). Google still controls the data encryption key (DEK).

Rationale

Cloud services offer the ability to protect data related to those services using encryption keys managed by the customer within Cloud KMS. These encryption keys are called customer-managed encryption keys (CMEK). When you protect data in Google Cloud services with CMEK, the CMEK key is within your control.

Impact

Using Customer Managed Keys involves additional overhead in maintenance by administrators.

Audit

From Google Cloud Console

1. Login to the GCP Console and navigate to the Dataproc Cluster page by visiting https://console.cloud.google.com/dataproc/clusters.

... see more

Remediation

Open File

Remediation

From Google Cloud Console

1. Login to the GCP Console and navigate to the Dataproc Cluster page by visiting https://console.cloud.google.com/dataproc/clusters.

2. Select the project from the projects dropdown list.

3. On the Dataproc Cluster page, click on the Create Cluster to create a new cluster with Customer managed encryption keys.

4. On Create a cluster page, perform below steps:

   • Inside Set up cluster section perform below steps:

    o In the `Name` textbox, provide a name for your cluster.
   
    o From `Location` select the location in which you want to deploy a cluster.
   
    o Configure other configurations as per your requirements.

   • Inside Configure Nodes and Customize cluster section configure the settings as per your requirements.

   • Inside Manage security section, perform below steps:

    o From `Encryption`, select `Customer-managed key`.
   
    o Select a customer-managed key from dropdown list.
   
    o Ensure that the selected KMS Key have Cloud KMS CryptoKey Encrypter/Decrypter role assign to Dataproc Cluster service account ("serviceAccount:service-<project_number>@compute-system.iam.gserviceaccount.com").

... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags
💼 CIS GCP v3.0.0 → 💼 8.1 Ensure that Dataproc Cluster is encrypted using Customer-Managed Encryption Key - Level 2 (Automated)			1
💼 Cloudaware Framework → 💼 Secure Access			43