Ensure that the use of Google-managed encryption keys for Cloud SQL database instances is disabled at the GCP organization level, in order to enforce the use of Customer-Managed Keys (CMKs) and retain full control over the encryption and decryption of your SQL databases.
By default, the "Restrict Default Google-Managed Encryption for Cloud SQL Instances" constraint policy is disabled and Google-managed encryption is allowed for all Cloud SQL instances. Once this constraint policy is enabled, Google Cloud Platform requires all newly created, restarted, or updated Cloud SQL database instances to use Customer-Managed Keys (CMKs) for encryption at rest. Instead of letting Google manage the encryption keys that protect your SQL databases, you can use your own encryption keys managed in the Cloud KMS service.
Note: This organization policy is not retroactive, therefore any existing database instances using Google-managed encryption are not impacted unless they are updated or refreshed.
To determine if the use of Google-managed encryption keys for Cloud SQL instances is disabled within your GCP organizations, perform the following actions:
Remediation / Resolution
To enforce the use of Customer-Managed Keys (CMKs) for Cloud SQL instance encryption at the GCP organization level, enable the "Restrict Default Google-Managed Encryption for Cloud SQL Instances" policy by performing the following actions:
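The audit and remediation steps above, as an added example that is not part of the original page: it checks whether the boolean constraint is enforced for an organization and prints the enable-enforce command when it is not. It assumes the constraint ID is constraints/sql.disableDefaultEncryptionCreation (the page gives only the display name) and that gcloud is authenticated with Organization Policy viewer/administrator permissions.

```shell
#!/usr/bin/env sh
# Added example: audit the "Restrict Default Google-Managed Encryption for
# Cloud SQL Instances" constraint and suggest the remediation command.
# Constraint ID is an assumption, not taken from the page.
CONSTRAINT="sql.disableDefaultEncryptionCreation"

# Return 0 when the describe output on stdin shows the constraint enforced,
# i.e. a "booleanPolicy:" block containing "enforced: true".
policy_enforced() {
  awk '
    /^booleanPolicy:/ { in_bool = 1; next }
    /^[^ ]/           { in_bool = 0 }
    in_bool && $1 == "enforced:" && $2 == "true" { found = 1 }
    END { exit found ? 0 : 1 }
  '
}

# Fetch the policy for an organization (needs gcloud and permissions).
describe_policy() {
  gcloud alpha resource-manager org-policies describe "$CONSTRAINT" \
    --organization="$1"
}

# Audit one organization: prints PASS or FAIL plus the remediation command.
audit_org() {
  org_id="$1"
  if describe_policy "$org_id" | policy_enforced; then
    echo "PASS: $CONSTRAINT is enforced for organization $org_id"
    return 0
  fi
  echo "FAIL: $CONSTRAINT is not enforced for organization $org_id"
  echo "Remediate with: gcloud alpha resource-manager org-policies" \
       "enable-enforce $CONSTRAINT --organization=$org_id"
  return 1
}

# Constructed sample describe outputs (not real gcloud output) for offline use.
SAMPLE_ENFORCED='booleanPolicy:
  enforced: true
constraint: constraints/sql.disableDefaultEncryptionCreation'
SAMPLE_UNSET='constraint: constraints/sql.disableDefaultEncryptionCreation'

# Audit every organization visible to the caller when run with "live".
if [ "${1:-}" = "live" ]; then
  for org in $(gcloud organizations list --format='value(ID)'); do
    audit_org "$org"
  done
fi
```

Run with `sh audit.sh live` against real organizations; without the argument only the functions and sample data are defined.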
- Google Cloud Platform (GCP) Documentation
  - Resource Manager
  - Using constraints
  - Organization policy constraints
  - Creating and managing organization policies
- GCP Command Line Interface (CLI) Documentation
  - gcloud organizations list
  - gcloud alpha resource-manager org-policies describe
  - gcloud alpha resource-manager org-policies enable-enforce
Restrict Default Google-Managed Encryption for Cloud SQL Instances
Risk level: Medium