GCP-BigQuery-dataset-is-encrypted-without-customer-managed-key

Severity: High

Description: This control checks that a default customer-managed encryption key (CMEK) is configured for each BigQuery dataset. BigQuery encrypts data at rest by default using envelope encryption with Google-managed cryptographic keys: the data is encrypted with data encryption keys (DEKs), and the DEKs are themselves encrypted with key encryption keys (KEKs). This is transparent and requires no input from the user. If you need greater control over key management (rotation, revocation, and separation between who owns the data and who operates the platform), customer-managed encryption keys (CMEK) held in Cloud KMS can be used as the key management solution for BigQuery datasets: your Cloud KMS key then serves as the key encryption key, and BigQuery cannot decrypt the data once its access to that key is revoked.

Remediation Steps:

Perform the following to set a default CMEK for a BigQuery dataset using the bq command-line tool (part of the Google Cloud SDK):

  1. Setting a dataset default key

    bq update \
      --default_kms_key projects/KMS_PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY \
      --dataset DATASET_ID

Important:

The default CMEK for an existing dataset can also be set or updated through the API by specifying the key in the EncryptionConfiguration.kmsKeyName field when calling the datasets.insert or datasets.patch methods.

Before setting the key, grant the project's BigQuery service account (bq-PROJECT_NUMBER@bigquery-encryption.iam.gserviceaccount.com) the Cloud KMS CryptoKey Encrypter/Decrypter role (roles/cloudkms.cryptoKeyEncrypterDecrypter) on the key, and use a key in the same location as the dataset; otherwise the update fails. A default key applies only to tables created in the dataset after it is set: tables that already exist keep their current encryption and must be copied or recreated to adopt the key.

If you remove BigQuery's access to a key, the change does not take effect instantly; it should apply within an hour as the IAM permission change propagates. A query running at that time still completes, but its results might not be viewable.
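The following script is an added example, not part of the original control or of Google's own tooling. It audits every dataset in a project for a default CMEK (the check this control performs), applies the bq update from the remediation steps where the key is missing, and includes two constructed dataset descriptions in the shape bq show --format=prettyjson returns so the check can be exercised offline. The project, dataset and key names are placeholders (assumptions), and the bq CLI is assumed to be installed and authenticated.

```shell
#!/bin/sh
# Added example (not from the original control page or from Google): audit the
# datasets of a project for a default CMEK and apply one where it is missing.
# Requires an authenticated bq CLI (Google Cloud SDK). PROJECT_ID and KMS_KEY
# are placeholder assumptions; override them from the environment.
PROJECT_ID="${PROJECT_ID:-my-project}"
KMS_KEY="${KMS_KEY:-projects/KMS_PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY}"

# Print the default KMS key of a dataset from its `bq show --format=prettyjson`
# description on stdin. prettyjson emits one field per line, so the key name is
# the kmsKeyName inside the defaultEncryptionConfiguration object. Prints
# nothing when that object is absent (Google-managed keys only).
dataset_default_key() {
  sed -n '/"defaultEncryptionConfiguration"/,/}/ s/.*"kmsKeyName": *"\([^"]*\)".*/\1/p'
}

# Succeed (exit 0) only when the dataset description on stdin names a default CMEK.
dataset_has_cmek() {
  [ -n "$(dataset_default_key)" ]
}

# Constructed sample descriptions (not real output) in the shape that
# `bq show --format=prettyjson PROJECT:DATASET` returns: one compliant, one not.
SAMPLE_WITH_CMEK='{
  "datasetReference": { "datasetId": "analytics", "projectId": "my-project" },
  "defaultEncryptionConfiguration": {
    "kmsKeyName": "projects/my-kms-project/locations/us/keyRings/bq-ring/cryptoKeys/bq-key"
  },
  "location": "US"
}'
SAMPLE_WITHOUT_CMEK='{
  "datasetReference": { "datasetId": "staging", "projectId": "my-project" },
  "location": "US"
}'

# Walk every dataset in the project, report the compliant ones and set the
# default key on the rest. Prerequisites this script does not check: the
# BigQuery service account (bq-PROJECT_NUMBER@bigquery-encryption.iam.gserviceaccount.com)
# must hold roles/cloudkms.cryptoKeyEncrypterDecrypter on KMS_KEY, and the key
# must be in the same location as the dataset, or `bq update` fails. Note that
# the new default only covers tables created afterwards; existing tables keep
# their current encryption.
audit_and_remediate() {
  bq ls --format=prettyjson --project_id="$PROJECT_ID" --max_results=1000 \
    | sed -n 's/.*"datasetId": *"\([^"]*\)".*/\1/p' \
    | while read -r ds; do
        desc="$(bq show --format=prettyjson "$PROJECT_ID:$ds")"
        key="$(printf '%s\n' "$desc" | dataset_default_key)"
        if [ -n "$key" ]; then
          echo "OK   $ds already uses $key"
        else
          echo "FIX  $ds has no default CMEK; setting $KMS_KEY"
          bq update --default_kms_key "$KMS_KEY" --dataset "$PROJECT_ID:$ds"
        fi
      done
}

# Only touch the project when invoked as `sh audit_bq_cmek.sh --run`, so the
# functions above can be sourced and tested against the samples without bq.
if [ "${1:-}" = "--run" ]; then
  audit_and_remediate
fi
```

The check keys off the defaultEncryptionConfiguration object rather than on the literal string kmsKeyName anywhere in the output, so an unrelated key name elsewhere in a description does not produce a false pass. Rerun the audit after remediation: a dataset that still reports no key usually means the BigQuery service account lacks the Encrypter/Decrypter role on the key or the key is in a different location.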

Reference:


Blue Hexagon Proprietary