Run individual configuration, compliance and security controls or full compliance benchmarks for CIS across all of your GCP projects using Powerpipe and Steampipe.
Is your feature request related to a problem? Please describe.
Add GCP > CIS v1.3 > 1.17 Ensure that Dataproc Cluster is encrypted using Customer-Managed Encryption Key

Description
When you use Dataproc, cluster and job data is stored on Persistent Disks (PDs) associated with the Compute Engine VMs in your cluster and in a Cloud Storage staging bucket. This PD and bucket data is encrypted using a Google-generated data encryption key (DEK) and key encryption key (KEK). The CMEK feature allows you to create, use, and revoke the key encryption key (KEK). Google still controls the data encryption key (DEK).
Cloud services offer the ability to protect data related to those services using encryption keys managed by the customer within Cloud KMS. These encryption keys are called customer-managed encryption keys (CMEK). When you protect data in Google Cloud services with CMEK, the CMEK key is within your control.

Remediation
From Console
On the Create a cluster page, perform the steps below:
Ensure that the selected KMS key has the Cloud KMS CryptoKey Encrypter/Decrypter role assigned to the Dataproc cluster service account ("serviceAccount:service-@compute-system.iam.gserviceaccount.com").
Click on Create to create the cluster.
Once the cluster is created, migrate all your workloads from the old cluster to the new cluster and delete the old cluster by performing the steps below:
On the Clusters page, select the old cluster and click on Delete cluster.
On the Confirm deletion window, click on Confirm to delete the cluster.
Repeat the steps above for the other Dataproc clusters in the selected project.
Change the project from the project dropdown list and repeat the remediation procedure for the Dataproc clusters in other projects.
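A Steampipe query that would implement the requested control, given here as an added example rather than code from the mod or from the issue author. It assumes the Steampipe gcp_dataproc_cluster table exposes the Dataproc cluster resource in a jsonb column named config, carrying the API's encryptionConfig.gcpKmsKeyName field, plus cluster_name, location and project columns; the KMS key name is treated as absent when the field is missing or empty:

```sql
-- Added example, not part of the issue or the steampipe-mod-gcp-compliance mod.
-- Assumption: gcp_dataproc_cluster has a jsonb "config" column mirroring the
-- Dataproc ClusterConfig, where encryptionConfig.gcpKmsKeyName holds the CMEK
-- resource name ("projects/.../locations/.../keyRings/.../cryptoKeys/...").
select
  cluster_name as resource,
  case
    -- No gcpKmsKeyName means the PDs fall back to the Google-managed KEK.
    when coalesce(config -> 'encryptionConfig' ->> 'gcpKmsKeyName', '') <> '' then 'ok'
    else 'alarm'
  end as status,
  case
    when coalesce(config -> 'encryptionConfig' ->> 'gcpKmsKeyName', '') <> '' then
      cluster_name || ' is encrypted with customer-managed key '
        || (config -> 'encryptionConfig' ->> 'gcpKmsKeyName') || '.'
    else
      cluster_name || ' is not encrypted with a customer-managed encryption key.'
  end as reason,
  location,
  project
from
  gcp_dataproc_cluster;
```

Run it ad hoc with `steampipe query`, or place it in the mod's query directory and reference it from a control block so it rolls into the CIS v1.3 benchmark. Note that this only checks that a CMEK is configured; whether the compute service agent holds the Cloud KMS CryptoKey Encrypter/Decrypter role on that key is an IAM policy check on the key itself and is not covered by this query.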