Ensure that your Google Cloud SQL database instances are encrypted with Customer-Managed Keys (CMKs) in order to have a fine control over your data encryption and decryption process. You can create and manage your own Customer-Managed Keys (CMKs) with Cloud Key Management Service (Cloud KMS). Cloud KMS provides secure and efficient encryption key management, controlled key rotation, and revocation mechanisms.
By default, the Google Cloud SQL service encrypts all data at rest using Google-managed encryption keys. The cloud service manages this type of encryption without any additional actions from you and your application. However, if you want to fully control and manage database instance encryption yourself, you can use your own Customer-Managed Keys (CMKs). Cloud KMS Customer-Managed Keys can be implemented to encrypt production, sensitive, or mission-critical data, and are often used in the enterprise world, where compliance and security controls are much more stringent.
To determine if your Cloud SQL database instances are encrypted with Customer-Managed Keys (CMKs), perform the following operations:
Remediation / Resolution
To enable encryption with Cloud KMS Customer-Managed Keys (CMKs) for your Cloud SQL database instances, you have to re-create the existing SQL instances with the appropriate encryption configuration by performing the following operations:Note: As example, this conformity rule demonstrates how to re-create a Google Cloud MySQL database instance and configure it to encrypt data at rest using Customer-Managed Keys (CMKs).
- Google Cloud Platform (GCP) Documentation
- Cloud Key Management
- Creating symmetric keys
- Cloud KMS resources
- ENCRYPTION AT REST
- Using customer-managed encryption keys (CMEK)
- Exporting data from Cloud SQL
- Importing data into Cloud SQL
Unlock the Remediation Steps
Gain free unlimited access
to our full Knowledge Base
Over 750 rules & best practices
You are auditing:
Enable Cloud SQL Instance Encryption with Customer-Managed Keys
Risk level: High