GCP-Storage-bucket-encryption-using-CMEK

Severity: High

Description: This control checks whether each GCP Cloud Storage bucket has a customer-managed encryption key (CMEK) from Cloud KMS set as its default encryption key. By default, Cloud Storage encrypts all object data at rest with Google-managed keys using AES-256, and the key lifecycle is outside your control. It is recommended to set a customer-managed key as the bucket default so that you control the key's rotation, disabling, destruction and IAM access, and can audit every use of the key through Cloud KMS logs. Note that a bucket default key applies to objects written after it is set; see Important below.

Remediation Steps:

Perform the following to set a customer-managed key as the default encryption key for a bucket:

  1. Sign in to the GCP Console at https://console.cloud.google.com.

  2. Go to the Cloud Storage browser (Cloud Storage > Buckets).

  3. In the list of buckets, click the name of the desired bucket.

  4. Open the Configuration tab of the bucket.

  5. Under Configuration, click the edit icon next to Encryption type.

  6. Select Customer-managed key and choose the Cloud KMS key to use. The key must be in the same location as the bucket, and the project's Cloud Storage service agent (service-PROJECT_NUMBER@gs-project-accounts.iam.gserviceaccount.com) must hold the Cloud KMS CryptoKey Encrypter/Decrypter role on that key; grant it before saving if it is missing.

  7. Click Save.
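The same remediation from the command line, as an added example that is not part of the original control text. It uses the gcloud CLI to grant the Cloud Storage service agent access to the key, set the key as the bucket default, rewrite existing objects so they are also covered, and verify the result. The project, bucket and key names are placeholders supplied through the CMEK_PROJECT, CMEK_BUCKET and CMEK_KEY environment variables (assumed names; nothing runs against GCP unless CMEK_BUCKET is set). The helper functions that validate the key name and compare key and bucket locations work offline on the strings gcloud returns.

```shell
#!/usr/bin/env bash
# Added example (not part of the original control text): set a Cloud KMS key as
# the default encryption key of a Cloud Storage bucket and verify it.
# CMEK_PROJECT / CMEK_BUCKET / CMEK_KEY are assumed placeholder variable names.
set -eu

# Return 0 if the string is a Cloud KMS key resource name, 1 otherwise.
# gcloud prints an empty default_kms_key when the bucket still uses
# Google-managed keys, so an empty string is a finding for this control.
is_kms_key_name() {
  case "$1" in
    projects/*/locations/*/keyRings/*/cryptoKeys/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the location segment of a Cloud KMS key resource name,
# e.g. "us-central1" for projects/p/locations/us-central1/keyRings/r/cryptoKeys/k.
key_location() {
  rest="${1#projects/*/locations/}"
  printf '%s\n' "${rest%%/*}"
}

# Strict same-location check (the common configuration): the key must live in
# the bucket's location. gcloud reports bucket locations in upper case ("US",
# "US-CENTRAL1") and KMS locations in lower case, so compare case-insensitively.
locations_match() {
  key_loc="$(key_location "$1" | tr '[:upper:]' '[:lower:]')"
  bucket_loc="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')"
  [ "$key_loc" = "$bucket_loc" ]
}

# Read the bucket's current default key; non-zero exit if no CMEK is set.
check_bucket_cmek() {
  bucket="$1"
  key="$(gcloud storage buckets describe "gs://${bucket}" --format='value(default_kms_key)')"
  if is_kms_key_name "$key"; then
    echo "gs://${bucket}: default CMEK is ${key}"
  else
    echo "gs://${bucket}: NO default CMEK set (Google-managed keys in use)" >&2
    return 1
  fi
}

# Remediate: give the project's Cloud Storage service agent the
# Encrypter/Decrypter role on the key, then make the key the bucket default.
remediate_bucket() {
  project="$1"; bucket="$2"; key="$3"
  bucket_loc="$(gcloud storage buckets describe "gs://${bucket}" --format='value(location)')"
  if ! locations_match "$key" "$bucket_loc"; then
    echo "warning: key location $(key_location "$key") differs from bucket location ${bucket_loc}; verify this pairing is allowed" >&2
  fi
  agent="$(gcloud storage service-agent --project="$project")"
  gcloud kms keys add-iam-policy-binding "$key" \
    --member="serviceAccount:${agent}" \
    --role="roles/cloudkms.cryptoKeyEncrypterDecrypter"
  gcloud storage buckets update "gs://${bucket}" --default-encryption-key="$key"
  # The new default only covers objects written from now on. Objects already in
  # the bucket keep the key they were written with until they are rewritten:
  gcloud storage objects update "gs://${bucket}/**" --encryption-key="$key"
  check_bucket_cmek "$bucket"
}

# Live run only when the placeholders are supplied, e.g.:
#   CMEK_PROJECT=my-project CMEK_BUCKET=my-bucket \
#   CMEK_KEY=projects/my-project/locations/us-central1/keyRings/storage-ring/cryptoKeys/bucket-key \
#   ./cmek_remediate.sh
if [ -n "${CMEK_BUCKET:-}" ]; then
  remediate_bucket "${CMEK_PROJECT:?CMEK_PROJECT is required}" "${CMEK_BUCKET}" "${CMEK_KEY:?CMEK_KEY is required}"
fi
```

The rewrite of existing objects is the step the console procedure does not perform; it can take a long time on large buckets and is billed as a Class A operation per object, so schedule it deliberately rather than running it casually against production data.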

Important: Setting or changing the bucket's default key does not re-encrypt objects that already exist in the bucket; each object stays encrypted with the key that was in effect when it was written until the object is rewritten. Objects uploaded with a key specified on the request (a customer-supplied key or a different customer-managed key) override the bucket default, so this control confirms the bucket default only. Disabling or destroying the Cloud KMS key makes every object encrypted with it unreadable, so key lifecycle changes need the same care as deleting the data.

Reference: https://cloud.google.com/storage/docs/encryption/customer-managed-keys

Blue Hexagon Proprietary