GCP-BigQuery-table-encryption-without-customer-managed-key

Severity: High

Description: This control ensures that BigQuery Table is encrypted with Customer-managed encryption key. BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys. The data is encrypted using the data encryption keys and data encryption keys themselves are further encrypted using key encryption keys. This is seamless and do not require any additional input from the user. However, if you want to have greater control, Customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery Data Sets. If CMEK is used, the CMEK is used to encrypt the data encryption keys instead of using google-managed encryption keys.

Remediation Steps:

Perform following to set CMK for BigQuery dataset :

Sign in to GCP Console https://console.cloud.google.com.
Open the BigQuery page in the Cloud Console.
Click Compose new query.
Type your DDL statement into the New Query text area. For the kms_key_name value, specify the resource ID of the key that you want to use to protect the table.
#standardSQL ALTER TABLE DATASET_ID.mytable SET OPTIONS ( kms_key_name="projects/KMS_PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY" )
Click Run.

Important:

When selecting the customer-managed key for BigQuery data set, GCP allows you to select either a Customer Managed Encryption Key (CMEK) or a Customer-Supplied Encryption Keys (CSEK), which let you specify the contents of the encryption key. Both will result in compliance.

Google does not store your keys on its servers and cannot access your protected data unless you provide the key. This also means that if you forget or lose your key, there is no way for Google to recover the key or to recover any data encrypted with the lost key.

Reference:

CIS Google Cloud Platform Foundation Benchmark v1.2.0 - 05-01-2021: Recommendation #7.2
https://cloud.google.com/bigquery/docs/customer-managed-encryption