v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/gcp_compliance
Overview
12Dashboards
536Controls
201Queries
2Variables
GitHub

Control: 7.3 Ensure that a Default Customer-managed encryption key (CMEK) is specified for all BigQuery Data Sets

Description

BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys. The data is encrypted using the data encryption keys and data encryption keys themselves are further encrypted using key encryption keys. This is seamless and do not require any additional input from the user.

However, if you want to have greater control, Customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery Data Sets.

BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys. This is seamless and does not require any additional input from the user.

For greater control over the encryption, customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery Data Sets. Setting a Default Customer-managed encryption key (CMEK) for a data set ensure any tables created in future will use the specified CMEK if none other is provided.

Remediation

The default CMEK for existing data sets can be updated by specifying the default key in the EncryptionConfiguration.kmsKeyName field when calling the datasets.insert or datasets.patch methods

Usage

Run the control in your terminal:

powerpipe control run gcp_compliance.control.cis_v120_7_3

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run gcp_compliance.control.cis_v120_7_3 --share

SQL

This control uses a named query:

bigquery_dataset_encrypted_with_cmk

Tags

benchmark = cis
category = Compliance
cis_item_id = 7.3
cis_level = 2
cis_section_id = 7
cis_type = automated
cis_version = v1.2.0
plugin = gcp
service = GCP/BigQuery