Ensure That a Default Customer-Managed Encryption Key (CMEK) Is Specified for All BigQuery Data Sets

Risk Level: High
Cloud Entity: BigQuery
CloudGuard Rule ID: D9.GCP.CRY.12
Covered by Spectral: Yes
Category: Data analytics

GSL LOGIC

BigQuery should not have defaultEncryptionConfiguration.kmsKeyName isEmpty()

REMEDIATION

From Command Line

  1. The default CMEK of a dataset is stored in the defaultEncryptionConfiguration.kmsKeyName field. It can be set through the API by passing that field to the datasets.insert or datasets.patch methods, or with the bq CLI as shown in the next two steps.
  2. To create a new dataset with a default CMEK, use:
bq mk --default_kms_key projects/KMS_PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY --dataset DATASET_ID
  3. To update an existing dataset, use:
bq update --default_kms_key projects/KMS_PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY --dataset DATASET_ID

Before running either command, grant the project's BigQuery service account (shown by bq show --encryption_service_account) the Cloud KMS CryptoKey Encrypter/Decrypter role on the key, and make sure the key is in the same location as the dataset; a key in a different location is rejected. Setting a default key on an existing dataset only affects tables created afterwards: tables that already exist keep their current encryption configuration and must be handled separately if they also need CMEK.
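The following Python script, added here as an illustration and not part of the CloudGuard rule or of Google's tooling, evaluates the GSL logic above offline against dataset metadata in the shape returned by the BigQuery REST API datasets.get method (the same shape bq show --format=prettyjson prints), adds the key/dataset location check described in the remediation, and emits the bq update command and the datasets.patch request body for each finding. The sample datasets, project and key names are constructed for the example.

```python
"""Offline evaluation of "default CMEK set on every BigQuery dataset" plus
remediation output. Example code; the input shape follows the BigQuery
REST API datasets.get response, the sample data below is constructed."""
import re

# Resource-name format BigQuery expects in defaultEncryptionConfiguration.kmsKeyName
KMS_KEY_RE = re.compile(
    r"^projects/[^/]+/locations/(?P<location>[^/]+)/keyRings/[^/]+/cryptoKeys/[^/]+$"
)


def key_location(kms_key_name):
    """Location segment of a Cloud KMS key resource name, or None if malformed."""
    m = KMS_KEY_RE.match(kms_key_name or "")
    return m.group("location") if m else None


def evaluate(dataset):
    """Return None when the dataset is compliant, else a short reason.

    Mirrors the GSL check (kmsKeyName must not be empty) and additionally
    flags a key whose location differs from the dataset's, because BigQuery
    cannot use such a key for tables in that dataset.
    """
    key = (dataset.get("defaultEncryptionConfiguration") or {}).get("kmsKeyName", "")
    if not key:
        return "defaultEncryptionConfiguration.kmsKeyName is empty"
    loc = key_location(key)
    if loc is None:
        return "kmsKeyName is not a Cloud KMS CryptoKey resource name"
    ds_loc = dataset.get("location", "")
    if loc.lower() != ds_loc.lower():
        return f"key location {loc} does not match dataset location {ds_loc}"
    return None


def audit(datasets):
    """List of findings, one per non-compliant dataset."""
    findings = []
    for ds in datasets:
        reason = evaluate(ds)
        if reason:
            ref = ds["datasetReference"]
            findings.append({"project": ref["projectId"],
                             "dataset": ref["datasetId"],
                             "reason": reason})
    return findings


def remediation_cli(project, dataset_id, kms_key_name):
    """bq command that sets the default CMEK on an existing dataset."""
    return f"bq update --default_kms_key {kms_key_name} --dataset {project}:{dataset_id}"


def remediation_patch(kms_key_name):
    """Request body for datasets.patch that sets the default CMEK."""
    return {"defaultEncryptionConfiguration": {"kmsKeyName": kms_key_name}}


# Constructed sample: one compliant dataset and three different failure modes.
KEY_US = "projects/kms-proj/locations/us/keyRings/bq-ring/cryptoKeys/bq-default"
KEY_EU = "projects/kms-proj/locations/europe-west1/keyRings/bq-ring/cryptoKeys/bq-eu"
SAMPLE_DATASETS = [
    {"datasetReference": {"projectId": "data-proj", "datasetId": "sales"},
     "location": "US",
     "defaultEncryptionConfiguration": {"kmsKeyName": KEY_US}},
    {"datasetReference": {"projectId": "data-proj", "datasetId": "staging"},
     "location": "US"},                                   # field absent
    {"datasetReference": {"projectId": "data-proj", "datasetId": "logs"},
     "location": "US",
     "defaultEncryptionConfiguration": {"kmsKeyName": ""}},  # empty string
    {"datasetReference": {"projectId": "data-proj", "datasetId": "eu_orders"},
     "location": "US",
     "defaultEncryptionConfiguration": {"kmsKeyName": KEY_EU}},  # wrong location
]

if __name__ == "__main__":
    for f in audit(SAMPLE_DATASETS):
        print(f"{f['project']}:{f['dataset']}: {f['reason']}")
        print("  fix:", remediation_cli(f["project"], f["dataset"], KEY_US))
```

The location check is deliberately case-insensitive because dataset metadata reports multi-region locations in upper case (US, EU) while key resource names use lower case. Feed the script the output of bq ls --format=json followed by bq show --format=prettyjson for each dataset, or the datasets.list/datasets.get responses, to run it against a real project.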

References

  1. https://workbench.cisecurity.org/sections/507176/recommendations/865103
  2. https://cloud.google.com/bigquery/docs/customer-managed-encryption#dataset_default_key

BigQuery

BigQuery is Google's serverless, highly scalable, enterprise data warehouse designed to make all your data analysts productive at an unmatched price-performance. Because there is no infrastructure to manage, you can focus on analyzing data to find meaningful insights using familiar SQL without the need for a database administrator.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CIS Controls V 8
  • GCP CIS Foundations v. 1.2.0
  • GCP CIS Foundations v. 1.3.0
  • GCP CIS Foundations v. 2.0
  • GCP CloudGuard Best Practices
  • GCP MITRE ATT&CK Framework v12.1
  • GCP NIST 800-53 Rev 5