Skip to main content

πŸ›‘οΈ Google BigQuery Table is not encrypted with Customer-Managed Encryption Key (CMEK)🟒

  • Contextual name: πŸ›‘οΈ Table is not encrypted with Customer-Managed Encryption Key (CMEK)🟒
  • ID: /ce/ca/google/big-query/table-cmek-encryption
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic​

Similar Policies​

Description​

Open File

Description​

BigQuery by default encrypts data at rest by employing Envelope Encryption using Google managed cryptographic keys. The data is encrypted using the data encryption keys and data encryption keys themselves are further encrypted using key encryption keys. This is seamless and does not require any additional input from the user. However, if you want greater control, customer-managed encryption keys (CMEK) can be used as an encryption key management solution for BigQuery datasets. If CMEK is used, the CMEK encrypts the data encryption keys instead of using Google-managed encryption keys.

Rationale​

BigQuery by default encrypts data at rest by employing Envelope Encryption using Google managed cryptographic keys. This is seamless and does not require any additional input from the user.

For greater control over encryption, customer-managed encryption keys (CMEK) can be used as an encryption key management solution for BigQuery tables. The CMEK is used to encrypt the data encryption keys instead of using Google-managed encryption keys. BigQuery stores the table and CMEK association and the encryption/decryption is done automatically.

... see more

Remediation​

Open File

Remediation​

From Google Cloud CLI​

Use the following command to copy the data. The source and destination need to be the same when copying to the original table.

bq cp \
    --destination_kms_key {{customer-managed-key}} source_dataset.source_table destination_dataset.destination_table

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
πŸ’Ό CIS GCP v1.2.0 β†’ πŸ’Ό 7.2 Ensure that all BigQuery Tables are encrypted with Customer-managed encryption key (CMEK) - Level 2 (Automated _ Roadmapped)1no data
πŸ’Ό CIS GCP v1.3.0 β†’ πŸ’Ό 7.2 Ensure That All BigQuery Tables Are Encrypted With Customer-Managed Encryption Key (CMEK) - Level 2 (Automated)1no data
πŸ’Ό CIS GCP v2.0.0 β†’ πŸ’Ό 7.2 Ensure That All BigQuery Tables Are Encrypted With Customer-Managed Encryption Key (CMEK) - Level 2 (Automated)1no data
πŸ’Ό CIS GCP v3.0.0 β†’ πŸ’Ό 7.2 Ensure That All BigQuery Tables Are Encrypted With Customer-Managed Encryption Key (CMEK) - Level 2 (Automated)1no data
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Data Encryption61no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό IA-5 Authenticator Management (L)(M)(H)61437no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-28 Protection of Information at Rest (L)(M)(H)1736no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό IA-5 Authenticator Management (L)(M)(H)137no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-28 Protection of Information at Rest (L)(M)(H)136no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό IA-5 Authenticator Management (L)(M)(H)437no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-28 Protection of Information at Rest (L)(M)(H)136no data
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 5.33 Protection of records1015no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-1: Data-at-rest is protected1530no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization43no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-03: Users, services, and hardware are authenticated53no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected187no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό IA-5 Authenticator Management1821no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-28 Protection of Information at Rest31737no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 3.2 Do not store sensitive authentication data after authorization (even if encrypted).35no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 3.4 Render PAN unreadable anywhere it is stored.1713no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 3.4.1 If disk encryption is used, logical access must be managed separately and independently of native operating system authentication and access control mechanisms.712no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 3.7 Ensure that security policies and operational procedures for protecting stored cardholder data are documented, in use, and known to all affected parties.5no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 8.2.1 Using strong cryptography, render all authentication credentials unreadable during transmission and storage on all system components.14no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 3.1.1 All security policies and operational procedures identified in Requirement 3 are documented, kept up to date, in use, and known to all affected parties.5no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 3.3.1 SAD is not retained after authorization, even if encrypted.35no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 3.3.2 SAD that is stored electronically prior to completion of authorization is encrypted using strong cryptography.13no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 3.3.3 Any storage of sensitive authentication data is limited to that which is needed for a legitimate issuing business need, is secured and encrypted using strong cryptography.5no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 3.5.1 PAN is rendered unreadable anywhere it is stored.313no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 3.5.1.2 If disk-level or partition-level encryption (rather than file-, column-, or field-level database encryption) is used to render PAN unreadable.5no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 3.5.1.3 If disk-level or partition-level encryption is used (rather than file-, column-, or field--level database encryption) to render PAN unreadable.12no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 8.3.2 Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components.14no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 3.1.1 All security policies and operational procedures identified in Requirement 3 are documented, kept up to date, in use, and known to all affected parties.5no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 3.3.1 SAD is not retained after authorization, even if encrypted.35no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 3.3.2 SAD that is stored electronically prior to completion of authorization is encrypted using strong cryptography.813no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 3.3.3 Any storage of sensitive authentication data is limited to that which is needed for a legitimate issuing business need, is secured and encrypted using strong cryptography.5no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 3.5.1 PAN is rendered unreadable anywhere it is stored.313no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 3.5.1.2 If disk-level or partition-level encryption (rather than file-, column-, or field-level database encryption) is used to render PAN unreadable.5no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 3.5.1.3 If disk-level or partition-level encryption is used (rather than file-, column-, or field--level database encryption) to render PAN unreadable.12no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 8.3.2 Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components.614no data
πŸ’Ό SOC 2 β†’ πŸ’Ό CC6.1-3 Restricts Logical Access122no data
πŸ’Ό SOC 2 β†’ πŸ’Ό CC6.1-10 Uses Encryption to Protect Data611no data