📝 Google BigQuery Table is not encrypted with Customer-Managed Encryption Key (CMEK) 🟢

• Contextual name: 📝 Table is not encrypted with Customer-Managed Encryption Key (CMEK) 🟢
• ID: /ce/ca/google/big-query/table-cmek-encryption
• Located in: 📁 Google BigQuery

Flags

• 🟢 Policy with categories
• 🟢 Policy with type
• 🟢 Production policy

Our Metadata

• Policy Type: COMPLIANCE_POLICY
• Policy Category:
  • SECURITY

Similar Policies

• Cloud Conformity
  • Enable BigQuery Encryption with Customer-Managed Keys

Logic

• 🧠 prod.logic.yaml 🟢
  • 📕 Google BigQuery Table
  • 🔌 Google BigQuery Table - object.extracts.yaml
  • 🧪 test-data.json

Description

Open File

Description

BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys. The data is encrypted using the data encryption keys and data encryption keys themselves are further encrypted using key encryption keys. This is seamless and do not require any additional input from the user. However, if you want to have greater control, Customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery Data Sets. If CMEK is used, the CMEK is used to encrypt the data encryption keys instead of using google-managed encryption keys.

Rationale

BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys. This is seamless and does not require any additional input from the user.

For greater control over the encryption, customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery tables. The CMEK is used to encrypt the data encryption keys instead of using google-managed encryption keys. BigQuery stores the table and CMEK association and the encryption/decryption is done automatically.

... see more

Remediation

Open File

Remediation

From Google Cloud CLI

Use the following command to copy the data. The source and the destination needs to be same in case copying to the original table.

        bq cp --destination_kms_key <customer_managed_key> source_dataset.source_table destination_dataset.destination_table

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags
💼 CIS GCP v3.0.0 → 💼 7.2 Ensure That All BigQuery Tables Are Encrypted With Customer-Managed Encryption Key (CMEK) - Level 2 (Automated)			1
💼 Cloudaware Framework → 💼 Data Encryption			31