Ensure That All BigQuery Tables Are Encrypted With Customer-Managed Encryption Key (CMEK)

BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys. The data is encrypted using the data encryption keys and data encryption keys themselves are further encrypted using key encryption keys. This is seamless and do not require any additional input from the user. However, if you want to have greater control, Customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery Data Sets. If CMEK is used, the CMEK is used to encrypt the data encryption keys instead of using google-managed encryption keys.

Risk Level: High
Cloud Entity: BigQuery
CloudGuard Rule ID: D9.GCP.CRY.14
Covered by Spectral: No
Category: Data analytics


BigQueryTable where view.query isEmpty() should not have encryptionConfiguration.kmsKeyName isEmpty()


From Portal
Currently, there is no way to update the encryption of existing data in the table. The data needs to be copied to either an original table or another table while specifying the customer managed encryption key (CMEK).To copy a table to a new table with CMK use below steps.

  1. Go to the Bigquery page https://console.cloud.google.com/bigquery?_ga=2.123965320.360956319.1649480884-1177260679.1645708143
  2. In the Explorer panel, expand your project and dataset, then select the table.
  3. In the details panel, click Copy table.
  4. In the Copy table dialog, under Destination : choose Project name, Dataset name, and enter Table name.
  5. Click Copy to start the copy job.
    Note: Check the https://cloud.google.com/bigquery/docs/managing-tables#limitations_on_copying_tables

From Command Line

  1. Use the following command to copy the data. The source and the destination needs to be same in case copying to the original table.
bq cp --destination_kms_key CUSTOMER_MANAGED_KEY source_dataset.source_table destination_dataset.destination_table

Note: When there is View query implemented, then encryption using CMEK is not required.


  1. https://workbench.cisecurity.org/sections/507176/recommendations/865102
  2. https://cloud.google.com/bigquery/docs/customer-managed-encryption
  3. https://cloud.google.com/bigquery/docs/managing-tables#bq_2


BigQuery is Google's serverless, highly scalable, enterprise data warehouse designed to make all your data analysts productive at an unmatched price-performance. Because there is no infrastructure to manage, you can focus on analyzing data to find meaningful insights using familiar SQL without the need for a database administrator.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CIS Controls V 8
  • GCP CIS Foundations v. 1.2.0
  • GCP CIS Foundations v. 1.3.0
  • GCP CIS Foundations v. 2.0
  • GCP CloudGuard Best Practices
  • GCP MITRE ATT&CK Framework v12.1
  • GCP NIST 800-53 Rev 5
  • GCP PCI-DSS 4.0