fest(CG-1294): add GCP CIS 1.30 1.17 rule'

james-zhou-inspire11 · james-zhou-inspire11 · commit 2e1df8f39d4a · 2022-12-10T13:23:38.000-06:00
diff --git a/src/gcp/cis-1.3.0/README.md b/src/gcp/cis-1.3.0/README.md
@@ -71,6 +71,7 @@ Policy Pack based on the GCP Foundations 1.3.0 benchmark provided by the [Center
 | GCP CIS 1.14   | Ensure API keys are restricted to only APIs that application needs access                                                                                           |
 | GCP CIS 1.15   | Ensure API keys are rotated every 90 days                                                                                                                           |
 | GCP CIS 1.16   | Ensure Essential Contacts is Configured for Organization                                                                                                            |
+| GCP CIS 1.17   | Ensure that Dataproc Cluster is encrypted using CustomerManaged Encryption Key                                                                                      |
 | GCP CIS 2.1    | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project                                                             |
 | GCP CIS 2.2    | Ensure that sinks are configured for all log entries                                                                                                                |
 | GCP CIS 2.3    | Ensure that retention policies on log buckets are configured using Bucket Lock                                                                                      |
diff --git a/src/gcp/cis-1.3.0/rules/gcp-cis-1.3.0-1.17.ts b/src/gcp/cis-1.3.0/rules/gcp-cis-1.3.0-1.17.ts
@@ -0,0 +1,101 @@
+/* eslint-disable @typescript-eslint/explicit-module-boundary-types */
+/* eslint-disable @typescript-eslint/no-explicit-any */
+
+export default {
+  id: 'gcp-cis-1.3.0-1.17',
+  title: 'GCP CIS 1.16 Ensure Essential Contacts is Configured for Organization',
+  description:
+    'When you use Dataproc, cluster and job data is stored on Persistent Disks (PDs) associated with the Compute Engine VMs in your cluster and in a Cloud Storage staging bucket. This PD and bucket data is encrypted using a Google-generated data encryption key (DEK) and key encryption key (KEK). The CMEK feature allows you to create, use, and revoke the key encryption key (KEK). Google still controls the data encryption key (DEK).',
+  audit: `**From Console:**
+  
+  1. Login to the GCP Console and navigate to the Dataproc Cluster page by visiting:
+
+          https://console.cloud.google.com/dataproc/clusters.
+
+  2. Select the project from the project dropdown list.
+  3. On the Dataproc Clusters page, select the cluster and click on the Name attribute value that you want to examine.
+  4. On the details page, select the Configurations tab.
+  5. On the Configurations tab, check the Encryption type configuration attribute value. If the value is set to Google-managed key, then Dataproc Cluster is not encrypted with Customer managed encryption keys.
+  
+  Repeat step no. 3 - 5 for other Dataproc Clusters available in the selected project.
+  
+  6. Change the project from the project dropdown list and repeat the audit procedure for other projects.
+
+  **From Command Line:**
+
+  1. Run clusters list command to list all the Dataproc Clusters available in the region:
+
+          gcloud dataproc clusters list --region='us-central1'
+
+  2. Run clusters describe command to get the key details of the selected cluster:
+
+          gcloud dataproc clusters describe <cluster_name> --region=us-central1 --flatten=config.encryptionConfig.gcePdKmsKeyName
+          
+  3. If the above command output return "null", then the selected cluster is not encrypted with Customer managed encryption keys.
+  4. Repeat step no. 2 and 3 for other Dataproc Clusters available in the selected region. Change the region by updating --region and repeat step no. 2 for other clusters available in the project. Change the project by running the below command and repeat the audit procedure for other Dataproc clusters available in other projects:
+
+          gcloud config set project <project_ID>"
+  `,
+  rationale:
+    'Many Google Cloud services, such as Cloud Billing, send out notifications to share important information with Google Cloud users. By default, these notifications are sent to members with certain Identity and Access Management (IAM) roles. With Essential Contacts, you can customize who receives notifications by providing your own list of contacts.',
+  remediation: `**From Console:**
+  1. Login to the GCP Console and navigate to the Dataproc Cluster page by visiting
+      
+          https://console.cloud.google.com/dataproc/clusters.
+
+  2. Select the project from the projects dropdown list.
+  3. On the *Dataproc Cluster* page, click on the *Create Cluster* to create a new cluster with Customer managed encryption keys.
+  4. On *Create a cluster* page, perform below steps:
+    • Inside *Set up cluster* section perform below steps:
+      -In the *Name* textbox, provide a name for your cluster.
+        o From *Location* select the location in which you want to deploy a cluster.
+        o Configure other configurations as per your requirements.
+    • Inside *Configure Nodes* and *Customize cluster* section configure the settings as per your requirements.
+    • Inside *Manage security* section, perform below steps:
+      o From *Encryption*, select *Customer-managed key*.
+      o Select a customer-managed key from dropdown list.
+      o Ensure that the selected KMS Key have Cloud KMS CryptoKey Encrypter/Decrypter role assign to Dataproc Cluster service account ("serviceAccount:service-<project_number>@computesystem.iam.gserviceaccount.com").
+      o Click on *Create* to create a cluster.
+    • Once the cluster is created migrate all your workloads from the older cluster to the new cluster and delete the old cluster by performing the below steps:
+      o On the *Clusters* page, select the old cluster and click on *Delete cluster*.
+      o On the *Confirm deletion* window, click on *Confirm* to delete the cluster.
+      o Repeat step above for other Dataproc clusters available in the selected project.
+    • Change the project from the project dropdown list and repeat the remediation procedure for other Dataproc clusters available in other projects.
+
+
+  **From Command Line:**
+
+  Before creating cluster ensure that the selected KMS Key have Cloud KMS CryptoKey Encrypter/Decrypter role assign to Dataproc Cluster service account ("serviceAccount:service-<project_number>@compute-system.iam.gserviceaccount.com").
+  Run clusters create command to create new cluster with customer-managed key:
+
+        gcloud dataproc clusters create <cluster_name> --region=us-central1 --gce-pdkms-key=<key_resource_name>
+
+  The above command will create a new cluster in the selected region.
+  Once the cluster is created migrate all your workloads from the older cluster to the new cluster and Run clusters delete command to delete cluster:
+
+        gcloud dataproc clusters delete <cluster_name> --region=us-central1
+
+  Repeat step no. 1 to create a new Dataproc cluster.
+  Change the project by running the below command and repeat the remediation procedure for other projects:
+
+        gcloud config set project <project_ID>"
+  `,
+  references: [
+    'https://cloud.google.com/docs/security/encryption/default-encryption',
+  ],
+  gql: `{
+    querygcpDataprocCluster {
+      id
+      __typename
+      config{
+        encryptionConfigGcePdKmsKeyName
+      }
+    }
+  }`,
+  resource: 'querygcpDataprocCluster[*]',
+  severity: 'unknown',
+  conditions: {
+    path: '@.config.encryptionConfigGcePdKmsKeyName',
+    isEmpty: false,
+  }
+}
diff --git a/src/gcp/cis-1.3.0/rules/index.ts b/src/gcp/cis-1.3.0/rules/index.ts
@@ -14,6 +14,7 @@ import Gcp_CIS_130_113 from './gcp-cis-1.3.0-1.13'
 import Gcp_CIS_130_114 from './gcp-cis-1.3.0-1.14'
 import Gcp_CIS_130_115 from './gcp-cis-1.3.0-1.15'
 import Gcp_CIS_130_116 from './gcp-cis-1.3.0-1.16'
+import Gcp_CIS_130_117 from './gcp-cis-1.3.0-1.17'
 import Gcp_CIS_130_21 from './gcp-cis-1.3.0-2.1'
 import Gcp_CIS_130_22 from './gcp-cis-1.3.0-2.2'
 import Gcp_CIS_130_23 from './gcp-cis-1.3.0-2.3'
@@ -91,6 +92,7 @@ export default [
   Gcp_CIS_130_114,
   Gcp_CIS_130_115,
   Gcp_CIS_130_116,
+  Gcp_CIS_130_117,
   Gcp_CIS_130_21,
   Gcp_CIS_130_22,
   Gcp_CIS_130_23,
diff --git a/src/gcp/cis-1.3.0/tests/gcp-cis-1.3.0-1.x.test.ts b/src/gcp/cis-1.3.0/tests/gcp-cis-1.3.0-1.x.test.ts
@@ -16,6 +16,7 @@ import Gcp_CIS_130_112 from '../rules/gcp-cis-1.3.0-1.12'
 import Gcp_CIS_130_113 from '../rules/gcp-cis-1.3.0-1.13'
 import Gcp_CIS_130_115 from '../rules/gcp-cis-1.3.0-1.15'
 import Gcp_CIS_130_116 from '../rules/gcp-cis-1.3.0-1.16'
+import Gcp_CIS_130_117 from '../rules/gcp-cis-1.3.0-1.17'
 import { initRuleEngine } from '../../../utils/test'
 
 export interface MetricDescriptor {
@@ -110,6 +111,13 @@ export interface QuerygcpEssentialContact {
   notificationCategorySubscriptions: string[]
   email: string
 }
+export interface DataprocClusterConfig {
+  encryptionConfigGcePdKmsKeyName?: string
+}
+export interface QuerygcpDataprocCluster {
+  id: string
+  config: DataprocClusterConfig
+}
 export interface CIS1xQueryResponse {
   querygcpOrganization?: QuerygcpOrganization[]
   querygcpProject?: QuerygcpProject[]
@@ -118,6 +126,7 @@ export interface CIS1xQueryResponse {
   querygcpKmsKeyRing?: QuerygcpKmsKeyRing[]
   querygcpIamPolicy?: QuerygcpIamPolicy[]
   querygcpEssentialContact?: QuerygcpEssentialContact[]
+  querygcpDataprocCluster?: QuerygcpDataprocCluster[]
 }
 
 describe('CIS Google Cloud Platform Foundations: 1.3.0', () => {
@@ -957,4 +966,50 @@ describe('CIS Google Cloud Platform Foundations: 1.3.0', () => {
       await testRule(data, Result.PASS)
     })
   })
+
+  describe('GCP CIS 1.17 Ensure that Dataproc Cluster is encrypted using Customer Managed Encryption Key', () => {
+    const getRuleFixture = (): CIS1xQueryResponse => {
+      return {
+        querygcpDataprocCluster: [
+          {
+            id: cuid(),
+            config: {},
+          },
+        ],
+      }
+    }
+
+    const testRule = async (
+      data: CIS1xQueryResponse,
+      expectedResult: Result
+    ): Promise<void> => {
+      // Act
+      const [processedRule] = await rulesEngine.processRule(
+        Gcp_CIS_130_117 as Rule,
+        { ...data }
+      )
+
+      // Asserts
+      expect(processedRule.result).toBe(expectedResult)
+    }
+
+    test('Security Issue when Customer Managed Encryption Key config is missing ', async () => {
+      const data: CIS1xQueryResponse = getRuleFixture()
+      await testRule(data, Result.FAIL)
+    })
+
+    test('Security Issue when Customer Managed Encryption Key config is empty ', async () => {
+      const data: CIS1xQueryResponse = getRuleFixture()
+      const dataprocCluster = data.querygcpDataprocCluster as QuerygcpDataprocCluster[]
+      dataprocCluster[0].config.encryptionConfigGcePdKmsKeyName = ''
+      await testRule(data, Result.FAIL)
+    })
+
+    test('No Security Issue when Customer Managed Encryption Key is configured', async () => {
+      const data: CIS1xQueryResponse = getRuleFixture()
+      const dataprocCluster = data.querygcpDataprocCluster as QuerygcpDataprocCluster[]
+      dataprocCluster[0].config.encryptionConfigGcePdKmsKeyName = 'MyKey'
+      await testRule(data, Result.PASS)
+    })
+  })
 })
