All Posts

Making encryption easy for developers

From complex infrastructure as code to streamlined, encrypted-by-default resources
AUTHOR
Chris Reuter
PUBLISH DATE
December 4, 2024

It feels like every week there is news of a new breach or incident that costs companies (and consumers) millions. I was personally impacted by the DC Health Link breach, which was caused by an unencrypted S3 bucket without any kind of access restriction. Now I need to keep my credit perpetually frozen, only unlocking it for certain times when I need credit.

Encrypting cloud resources is a priority for security teams, but it oftentimes goes overlooked. Encryption should be the default for many use cases, and as easy as clicking a button.

The Basics of Encryption

Encryption is the backbone of secure cloud operations. It protects sensitive data from unauthorized access, ensuring that even if data is intercepted or leaked, it remains unreadable without the proper decryption keys.

It is a regrettable fact that sensitive data is likely to make its way into the wrong hands: encryption is your backstop for making sure it doesn’t impact you when it does.

In this blog we'll focus on Google Cloud - the fundamental building blocks of encryption on GCP are cloud keys.

What Are Cloud Keys?

Cloud keys, managed on Google Cloud with their Key Management Service (KMS), are cryptographic keys used to encrypt and decrypt data. These keys play a pivotal role in protecting your resources and workloads. They can be used to secure databases, storage buckets, or any sensitive data, whether at rest or in transit.

In Google Cloud, you can create keys within key rings, which are logical groupings of keys that allow for easier management and access control. You can also set policies to automate key rotation, ensuring that keys are regularly updated to reduce the risk of compromise.

Attaching Keys to Cloud Resources

Once your encryption keys are created, the next step is to attach them to the cloud resources you want to secure. For example:

  • Encrypt a storage bucket by associating it with a KMS key.
  • Secure your database with encryption by specifying a KMS key during creation.

This process ensures that all data stored in these resources is automatically encrypted using the attached key.

Example: Encrypting a GCP Storage Bucket

Here’s how you can encrypt a Google Cloud Storage bucket using a KMS key in Terraform:

resource "google_storage_bucket" "secure_bucket" {
  name     = "secure-bucket"
  location = "US"

  encryption {
    default_kms_key_name = google_kms_crypto_key.my_key.id
  }
}

resource "google_kms_key_ring" "my_key_ring" {
  name     = "my-key-ring"
  location = "us-central1"
}

resource "google_kms_crypto_key" "my_key" {
  name     = "my-key"
  key_ring = google_kms_key_ring.my_key_ring.id
  purpose  = "ENCRYPT_DECRYPT"
}

In this snippet we create a KMS key, associate it with a key ring, and attach it to a storage bucket. With these steps, all data stored in the bucket is encrypted using the specified key.

Blueprints and Guardrails

At Resourcely, we take encryption a step further by making it easier to implement and enforce secure configurations with Blueprints and Guardrails.

What Is a Blueprint and How Can It Help?

A Blueprint is a reusable configuration template built on top of tools like Terraform. Blueprints simplify the process of setting up resources by standardizing configurations and reducing the need to write infrastructure code from scratch. They make it easy to deploy resources while following best practices for security and compliance.

Every Blueprint automatically becomes a form that developers can interact with: featuring picklists, defaults, descriptions, and other tools that make the configuration experience a simplified, guided one.

Turning Terraform into Blueprints

Let’s turn the Terraform example above into a Blueprint that anyone on your team can use to securely create storage buckets with encryption:

---
constants:
  __name: "{{ name }}_{{ __guid }}"
variables:
  name:
    desc: |
      The name of the storage bucket.
    required: true
    suggest: "secure-bucket"
  location:
    desc: |
      The GCP region where the bucket will be created.
    required: true
    suggest: "US"
  kms_key_name:
    desc: |
      The name of the KMS key to use for encryption.
    required: true
    suggest: "my-key"
    links_to: resource.google_kms_crypto_key.name
---

resource "google_storage_bucket" "{{ __name }}" {
  name     = "{{ name }}"
  location = "{{ location }}"

  encryption {
    default_kms_key_name = google_kms_crypto_key.{{ kms_key_name }}.id
  }
}

The above Blueprint creates a form that looks like the below:

With this Blueprint, you can consistently create encrypted storage buckets across your organization without needing to copy & paste Terraform configuration that a developer may not be familiar with.

What Is a Guardrail and How Can It Help?

A Guardrail is a policy written in Really, our plain-English policy language, that enforces compliance by constraining configuration inputs. Guardrails ensure that developers can’t inadvertently create configurations that don’tmeet your expectations…such as using unencrypted resources.

Example: Guardrail for a Crypto Key

Here’s a Guardrail that enforces a maximum key rotation period of 30 days for GCP crypto keys:

GUARDRAIL "Limit crypto key rotation period to 30 days or less"
    WHEN google_kms_crypto_key
        REQUIRE rotation_period MATCHES REGEX "^(30|[1-2]?[0-9])d$"

This Guardrail uses a Regular Expression that ensures that all KMS keys in your organization are rotated within 30 days, aligning with best practices for key management and reducing the risk of long-term key exposure.

With Blueprints and Guardrails, encryption becomes not only more accessible but also enforceable across your cloud environment. Resourcely helps your teams move faster while ensuring that security isn’t compromised—because securing your data shouldn’t feel like an uphill battle.

How Resourcely fits in to your stack

Resourcely is a configuration platform: with it, platform teams can define golden patterns for developers to follow. These templates generate infrastructure as code that is submitted as a PR to your existing version control, orchestrated by your existing CI, and executed on your runner.

These golden patterns combine with policies that can be defined by any team: platform, security, SRE, DevOps, FinOps, etc. These policies give feedback and guidance at configuration time, while also governing your infrastructure choices as part of your pipeline.

With Resourcely, you can speed developer productivity while getting off the configuration support treadmill (constant ops hours instead of spending time on what matters).

Follow along with the tutorial

Head on over to our full tutorial on making encryption easier for your developers to implement.

We’ll walk through how you can get started with encrypting common GCP cloud resources at rest. Then we’ll complete a complex encryption use case: encrypting data in transit via https. We’ll do all of this with Resourcely: the configuration platform for helping developers ship faster while meeting your teams’ expectations.

As always, you can get started in just a few minutes with these Blueprints and Guardrails - for free!

👉 Sign up for your free account here
👉 Get the Blueprints and Guardrails from our use cases repo
👉 Follow the tutorial

Ready to get started?

Set up a time to talk to our team to get started with Resourcely.

Get in touch

More posts

View all
July 17, 2024

Resourcely's General Availability

Summer 2024 Product Launch
November 22, 2024

The DevOps Tax on Central Teams: Livestream

Diving in to how Netflix tackled DevOps challenges
July 24, 2024

A deep dive into Blueprints

Building a paved road to production for AWS EC2

Talk to a Human

See Resourcely in action and learn how it can help you secure and manage your cloud infrastructure today!