Code360 powered by Coding Ninjas X Naukri.com
Table of contents
1. Introduction
2. Customer-managed Encryption Key
2.1. Key Management in Cloud KMS
3. Secure a Database with CMEK
3.1. Creating a CMEK-enabled database
3.2. Backup and Restore a Database
3.2.1. To create a Backup:
3.2.2. To Restore a Database:
4. Access Control with IAM
4.1. Permissions
4.1.1. Instances, Instance configurations and Instance operations
4.1.2. Databases and database operations.
4.1.3. Backup and Backup Operations
4.2. Roles
4.2.1. Predefined Roles
4.2.2. Basic Roles
5. Applying IAM
5.1. Project-level permissions
5.2. Instance-level permissions
5.3. Database-level permissions
5.4. Backup-level permissions
6. Frequently Asked Questions
6.1. What data is protected by Google default encryption at rest and not by the CMEK key?
6.2. What are the three layers of encryption in Cloud Spanner?
6.3. How to enable or disable a key version in Cloud KMS?
7. Conclusion
Last Updated: Mar 27, 2024

Security Concept of Cloud Spanner

Author Yashesvinee V

Introduction

Cloud Spanner is a fully managed relational database with unlimited scale, strong consistency and high availability. Since databases contain sensitive data, it is essential to implement strong security measures against threats. By default, all data in Google Cloud is protected using Google-managed default encryption, which Google Cloud manages without any additional action from the user. Users with specific compliance requirements can use customer-managed encryption keys (CMEK) for Cloud Spanner. Identity and Access Management (IAM) is another service that can control user and group access to Cloud Spanner resources.

Customer-managed Encryption Key

CMEKs are used when users need more control over key operations than what is provided by Google-managed Encryption Keys. These keys can be managed and controlled in the Cloud Key Management Service. Here are some of its features.

  • Data access control enables administrators to rotate, manage access to, and disable or destroy the key used to protect data stored in Cloud Spanner.
     
  • Enabling audit logging for the Cloud KMS API in a project records all actions on the key, including those performed by Cloud Spanner, in Cloud Logging.
     
  • There are no changes to Cloud Spanner performance or the SLA (Service Level Agreement).
     

A CMEK-enabled database uses the Cloud KMS key to protect the data at rest. This may include data in a database stored on a disk or flash. Chunks of data are first encrypted at the storage level. These are further encrypted with Key Encryption Keys (KEK). During the rotation of a CMEK key, Cloud Spanner re-encrypts only the intermediate KEKs with the latest version of the CMEK key. After re-encryption, disabling or deleting the old versions of the CMEK will not disable access to the database.

To enable CMEK for a database, the Cloud KMS key must be specified during the creation of a new database. Cloud Spanner will access the key on behalf of the user after the Cloud KMS CryptoKey Encrypter/Decrypter role is granted to a Google-managed Cloud Spanner service account.

Key Management in Cloud KMS

All key management operations are performed using Cloud KMS. Cloud Spanner cannot detect any key changes until they are propagated via Cloud KMS. Once a database has been created, Cloud Spanner calls Cloud KMS about every 5 minutes to verify that the key is still valid. If the Cloud KMS key has been disabled or destroyed, an operation to make the database inaccessible begins. Any subsequent calls to the database will return a “FAILED_PRECONDITION error: KMS key required by the Spanner resource is not accessible”. If Cloud Spanner detects that a previously disabled key has been re-enabled, Cloud KMS restores access to the Cloud Spanner database automatically.

In rare scenarios, when Cloud KMS is unavailable, Cloud Spanner cannot retrieve the status of your key from Cloud KMS.

  • Suppose the Cloud Spanner database is protected by a key that was enabled when Cloud Spanner was first unable to communicate with Cloud KMS. In that case, Cloud Spanner continues to support full database operations for up to 1 hour.
     
  • After an hour, if Cloud Spanner is still unable to connect with Cloud KMS, it proceeds to make the database offline as a protective measure. The data in the database remains inaccessible until it reconnects with Cloud KMS and knows that the key is active.
     
  • Suppose the Cloud Spanner database is protected by a key that was disabled when Cloud Spanner was first unable to communicate with Cloud KMS. In that case, the database remains inaccessible until it can reconnect to Cloud KMS. 
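
The polling and grace-period rules above can be modelled as a small state machine. This is an added illustration, not Cloud Spanner code: the function names and status strings are made up for the example, and it assumes the database becomes inaccessible at the first check that finds the key disabled.

```python
POLL_MINUTES = 5    # "about every 5 minutes"
GRACE_MINUTES = 60  # "up to 1 hour" while Cloud KMS is unreachable

def database_access(polls):
    """Replay successive key checks and return (minute, accessible) pairs.

    polls holds what each check saw: "ENABLED", "DISABLED" (disabled or
    destroyed) or "UNAVAILABLE" (Cloud KMS could not be reached).
    """
    timeline = []
    last_known = "ENABLED"  # the key was valid when the database was created
    outage_start = None     # minute of the first failed call in this outage
    for index, status in enumerate(polls):
        minute = index * POLL_MINUTES
        if status == "UNAVAILABLE":
            if outage_start is None:
                outage_start = minute
            within_grace = minute - outage_start <= GRACE_MINUTES
            # Grace applies only if the key was enabled when contact was lost.
            accessible = last_known == "ENABLED" and within_grace
        elif status in ("ENABLED", "DISABLED"):
            outage_start = None
            last_known = status
            accessible = status == "ENABLED"
        else:
            raise ValueError(f"unknown status {status!r}")
        timeline.append((minute, accessible))
    return timeline

def first_inaccessible_minute(polls):
    """Minute of the first check at which the database is offline, or None."""
    for minute, accessible in database_access(polls):
        if not accessible:
            return minute
    return None

# Constructed scenario: the key is enabled, then Cloud KMS stays unreachable.
OUTAGE = ["ENABLED"] + ["UNAVAILABLE"] * 14
print(first_inaccessible_minute(OUTAGE))
```

Because the key is only checked at polling time, disabling a key is not an instant revocation: the database can stay readable until the next check.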

Secure a Database with CMEK

Cloud Spanner supports Symmetric Keys, Cloud HSM keys and Cloud External Key Manager keys. Let us see how to use CMEK for Cloud Spanner.

Creating a CMEK-enabled database

Step 1: Create a Key in Cloud KMS. It must be in the same location as the Cloud Spanner instance.

Step 2: Grant Cloud Spanner access to the key using Cloud Shell.

$ gcloud beta services identity create --service=spanner.googleapis.com \
    --project=spanner-project

Service identity created: service-xxx@gcp-sa-spanner.iam.gserviceaccount.com

$ gcloud kms keys add-iam-policy-binding kms-key \
    --location kms-key-location \
    --keyring kms-key-ring \
    --project=kms-project \
    --member serviceAccount:service-xxx@gcp-sa-spanner.iam.gserviceaccount.com \
    --role roles/cloudkms.cryptoKeyEncrypterDecrypter


Updated IAM policy for key [my-kms-key]

Step 3: Create the database and specify the Cloud KMS key.

  1. Click the instance name on the Cloud Spanner instances page to create the database.
     
  2. Click on Create Database and click on Show encryption options.
     
  3. Select Use a customer-managed encryption key (CMEK).
     
  4. Select the key from the drop-down list.
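
Before Step 3, the two prerequisites from Steps 1 and 2 can be checked offline against the key's resource name and its IAM policy. The following pre-flight check is an added example, not part of the original article or of any Google tool: the function name and sample values are hypothetical, the policy is assumed to be a dict with a "bindings" list, and only regional instance configurations (named regional-<region>) are compared.

```python
import re

# Role granted in Step 2 above.
ROLE = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
KEY_RE = re.compile(
    r"^projects/([^/]+)/locations/([^/]+)/keyRings/([^/]+)/cryptoKeys/([^/]+)$")
# Google-managed Spanner service account, in the form printed in Step 2.
AGENT_RE = re.compile(
    r"^serviceAccount:service-[^@]+@gcp-sa-spanner\.iam\.gserviceaccount\.com$")
PUBLIC = {"allUsers", "allAuthenticatedUsers"}

def cmek_preflight(key_name, instance_config, key_policy):
    """Return a list of problems; an empty list means Steps 1 and 2 look done."""
    match = KEY_RE.match(key_name)
    if not match:
        return [f"not a full Cloud KMS key resource name: {key_name!r}"]
    problems = []
    key_location = match.group(2)
    # Step 1: the key must be in the same location as the instance.
    # Assumption: only regional configs ("regional-<region>") are compared.
    if instance_config.startswith("regional-"):
        region = instance_config[len("regional-"):]
        if key_location != region:
            problems.append(
                f"key is in {key_location!r} but the instance is in {region!r}")
    else:
        problems.append(f"cannot compare locations for {instance_config!r}")
    # Step 2: collect every member holding the Encrypter/Decrypter role.
    holders = [member
               for binding in key_policy.get("bindings", [])
               if binding.get("role") == ROLE
               for member in binding.get("members", [])]
    if not any(AGENT_RE.match(member) for member in holders):
        problems.append(f"no Spanner service account holds {ROLE}")
    for member in holders:
        if member in PUBLIC:
            problems.append(f"{member} holds {ROLE}")
    return problems

# Constructed sample input (not real resources).
SAMPLE_KEY = ("projects/kms-project/locations/us-central1"
              "/keyRings/kms-key-ring/cryptoKeys/kms-key")
SAMPLE_AGENT = "serviceAccount:service-123@gcp-sa-spanner.iam.gserviceaccount.com"
SAMPLE_POLICY = {"bindings": [{"role": ROLE, "members": [SAMPLE_AGENT]}]}
print(cmek_preflight(SAMPLE_KEY, "regional-us-central1", SAMPLE_POLICY))
```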

Backup and Restore a Database

To create a Backup:

Step 1: Go to the Database Details page.

Step 2: Click on Create in the Backup/Restore tab.

Step 3: Enter a name and set the expiration date.

Step 4: Select Use a customer-managed encryption key (CMEK) and choose a key from the list. Click on Create.

To Restore a Database:

Step 1: Go to the Instance Details page.

Step 2: In the Backup/Restore tab, select a backup and click on Restore.

Step 3: Select Use a customer-managed encryption key (CMEK) and choose a key from the list to restore the database with CMEK.

Access Control with IAM

IAM allows users to grant permission to another user or group without having to modify each Cloud Spanner instance or database individually. Permissions allow users to perform specific operations on Cloud Spanner resources. A predefined role is a set of one or more permissions. Users can also get, set, and test IAM policies using the REST APIs on Cloud Spanner instances and backup resources.

Permissions

Instances, Instance configurations and Instance operations

Instance Permissions

Databases and database operations.

Database Permissions

Backup and Backup Operations

Backup Permissions

Roles

There are predefined roles and basic roles under Identity and Access Management. There are options to create custom roles too. To create a custom role, it is necessary to identify the tasks that the role needs to perform and their corresponding permissions.

Predefined Roles

  1. Cloud Spanner Admin has complete access to all Cloud Spanner resources. 
     
  2. Cloud Spanner Backup Admin can create, view, update, and delete backups.
     
  3. Cloud Spanner Backup Writer can create backups but cannot update or delete them.
     
  4. Cloud Spanner Database Admin can read and write to all Cloud Spanner instances, create or drop databases and grant access to databases in a project.
     
  5. Cloud Spanner Database Reader can read the database and view its schema. The role can also execute SQL queries on the database.
     
  6. Cloud Spanner Database User can perform read and write operations in the Cloud Spanner database. The role can also view or update the schema. 
     
  7. Cloud Spanner Restore Admin can restore databases from backups.
     
  8. Cloud Spanner Viewer can view all Cloud Spanner Instances and databases.
     

Basic Roles

  1. roles/viewer - This role can list and get the metadata of schemas and instances. It can also read and query the database using SQL.
     
  2. roles/editor - Besides having the same privileges as roles/viewer, it can also create instances/databases and write data into a database.
     
  3. roles/owner - This role has the same privileges as roles/editor. It can also manage access to databases and instances.

Applying IAM 

IAM roles can be granted at Project-level, Instance-level, Database-level and Backup-level. Before applying permissions, it is essential to check that you have permission to apply roles to another account.

Step 1: Go to the Project’s IAM page.

Step 2: Select Principals as the View by option.

Step 3: Find the account in the list. You have sufficient permissions if the account is listed as Owner or Editor in the Role column.

Project-level permissions

Adding permissions at the project level grants the IAM permissions to access all Cloud Spanner instances, databases, and backups in the project. After checking that you have sufficient permissions to grant permissions to principals, perform the following steps.

Step 1: Click on Edit.

Step 2: Click on Add Another Role on the Edit permissions page.

Step 3: Select a role from the list and click on Save.
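
Because a project-level role applies to every instance, database and backup in the project, it is worth listing who holds one before adding more. The following audit is an added example, not part of the original article: the function names and sample policy are hypothetical, the policy is assumed to be a dict with a "bindings" list, and the role IDs are Google's identifiers for the basic and predefined roles listed earlier.

```python
# Capabilities of each role, taken from the role descriptions on this page.
ROLE_CAPS = {
    "roles/viewer": {"read"},
    "roles/editor": {"read", "write"},
    "roles/owner": {"read", "write", "manage-access"},
    "roles/spanner.admin": {"read", "write", "manage-access", "backup", "restore"},
    "roles/spanner.databaseAdmin": {"read", "write", "manage-access"},
    "roles/spanner.databaseUser": {"read", "write"},
    "roles/spanner.databaseReader": {"read"},
    "roles/spanner.viewer": {"view"},
    "roles/spanner.backupAdmin": {"backup"},
    "roles/spanner.backupWriter": {"backup"},
    "roles/spanner.restoreAdmin": {"restore"},
}
BROAD = {"write", "manage-access"}

def project_level_access(policy):
    """Map each member to the roles and capabilities it holds project-wide."""
    access = {}
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        if role not in ROLE_CAPS:
            continue  # role does not grant Cloud Spanner access in this model
        for member in binding.get("members", []):
            entry = access.setdefault(member, {"roles": set(), "caps": set()})
            entry["roles"].add(role)
            entry["caps"] |= ROLE_CAPS[role]
    return access

def narrow_scope_candidates(policy):
    """Members who can write data or manage access on every database."""
    return sorted(member
                  for member, entry in project_level_access(policy).items()
                  if entry["caps"] & BROAD)

# Constructed sample policy (not from a real project).
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/editor", "members": ["user:dev@example.com"]},
    {"role": "roles/spanner.databaseReader",
     "members": ["group:analysts@example.com", "user:dev@example.com"]},
    {"role": "roles/spanner.databaseAdmin", "members": ["user:dba@example.com"]},
    {"role": "roles/storage.admin", "members": ["user:ops@example.com"]},
]}
print(narrow_scope_candidates(SAMPLE_POLICY))
```

Members returned by narrow_scope_candidates are the ones to consider moving to an instance-level or database-level grant, as described in the sections that follow.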

Instance-level permissions

Step 1: Go to the Cloud Spanner Instances page.

Step 2: Select the instance’s checkbox.

Step 3: In the Info panel on the right, go to the Permissions tab and search for the account.

Step 4: If the account is listed as Owner, Editor, or Cloud Spanner Admin, you have sufficient permissions.

Step 5: In the Add principals box, enter the email address for the account.

Step 6: Select the roles from the list and click on Add.

Database-level permissions

Step 1: Go to the Cloud Spanner Instances page.

Step 2: Select the instance’s checkbox.

Step 3: In the Info panel on the right, go to the Permissions tab and search for the account.

Step 4: You have sufficient permissions if the account is listed as Owner, Editor, Cloud Spanner Admin or Cloud Spanner Database Admin.

Step 5: Go to the Instance Details page and click on the Show Info panel.

Step 6: Select the checkbox for the database in Overview.

Step 7: Click the Permissions tab in the Info panel.

Step 8: Enter the email address for the account you want to add in the Add principals box.

Step 9: Select the roles and click on Add.

Backup-level permissions

You have sufficient permissions if the account is listed as Owner, Editor, Cloud Spanner Admin or Cloud Spanner Database Admin.

Step 1: Go to the Instance Details page and click on the Backup/Restore tab.

Step 2: Click the Permissions tab in the Info panel.

Step 3: Enter the email address for the account you want to add in the Add principals box.

Step 4: Select the roles and click on Add.

Frequently Asked Questions

What data is protected by Google default encryption at rest and not by the CMEK key?

A subset of row keys that mark range boundaries and debugging data that includes core dumps and operational logs are secured by Google default encryption. It also protects data in transit or in memory, and database metadata.

What are the three layers of encryption in Cloud Spanner?

Data at rest is broken into various chunks for storage, and each piece is encrypted using an individual encryption key known as the data encryption key (DEK). The DEKs are again encrypted with a key encryption key (KEK). Finally, each KEK is encrypted using a customer-managed encryption key.
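
The three layers described in this answer, and the rotation behaviour described earlier under Customer-managed Encryption Key, can be reproduced in a short model. This is an added sketch, not Cloud Spanner or Cloud KMS code: the class and method names are invented, and wrap/unwrap use a stand-in cipher built from HMAC-SHA256 only so that the example runs with the Python standard library.

```python
import hmac
import os

def _prf(key, label, msg):
    return hmac.new(key, label + msg, "sha256").digest()

def _xor(key, nonce, data):  # stand-in cipher, not what Spanner or Cloud KMS use
    stream = b"".join(_prf(key, b"enc", nonce + i.to_bytes(4, "big"))
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def wrap(key, plaintext):
    nonce = os.urandom(16)
    ct = _xor(key, nonce, plaintext)
    return nonce + _prf(key, b"mac", nonce + ct) + ct

def unwrap(key, blob):
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, _prf(key, b"mac", nonce + ct)):
        raise ValueError("wrong key or corrupted blob")
    return _xor(key, nonce, ct)

class CmekDatabase:
    def __init__(self, chunks):
        self.versions = {1: os.urandom(32)}  # CMEK key versions ("in Cloud KMS")
        self.enabled = {1}                   # versions not disabled or destroyed
        self.kek_version = 1                 # version currently wrapping the KEK
        kek = os.urandom(32)
        self.wrapped_kek = wrap(self.versions[1], kek)
        self.chunks = []                     # (wrapped DEK, encrypted chunk)
        for chunk in chunks:
            dek = os.urandom(32)
            self.chunks.append((wrap(kek, dek), wrap(dek, chunk)))

    def _kek(self):
        if self.kek_version not in self.enabled:
            raise PermissionError("KMS key required by the Spanner resource is not accessible")
        return unwrap(self.versions[self.kek_version], self.wrapped_kek)

    def read(self):
        kek = self._kek()
        return [unwrap(unwrap(kek, wdek), data) for wdek, data in self.chunks]

    def rotate(self):
        """Add a CMEK version and re-wrap only the KEK; DEKs and data stay as is."""
        kek = self._kek()
        new = max(self.versions) + 1
        self.versions[new] = os.urandom(32)
        self.enabled.add(new)
        self.wrapped_kek, self.kek_version = wrap(self.versions[new], kek), new
```

After rotate(), removing version 1 from enabled leaves read() working, while removing the current version makes read() fail with the error quoted earlier.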

How to enable or disable a key version in Cloud KMS?

Go to the Key Management page in the console and select the name of the key ring that contains the required key and its version. Choose the key whose key version you want to enable/disable. Select the key version(s) and click on Enable/ Disable in the header.

Conclusion

This blog discusses the concept of securing Cloud Spanner instances and databases using Customer-managed Encryption Keys and Identity and Access Management.
