Control: 7.2 Ensure that all BigQuery Tables are encrypted with Customer-managed encryption key (CMEK)
Description
BigQuery by default encrypts the data as rest by employing Envelope Encryption
using Google managed cryptographic keys. The data is encrypted using the data encryption keys and data encryption keys themselves are further encrypted using key encryption keys. This is seamless and do not require any additional input from the user.
However, if you want to have greater control, Customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery Data Sets. If CMEK is used, the CMEK is used to encrypt the data encryption keys instead of using google-managed encryption keys.
BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys. This is seamless and does not require any additional input from the user.
Applying the Default Customer-managed keys on BigQuery data sets ensures that all the new tables created in the future will be encrypted using CMEK but existing tables need to be updated to use CMEK individually.
Remediation
Currently, there is no way to update the encryption of existing data in the table. The data needs to be copied to either an original table or another table while specifying the customer managed encryption key (CMEK).
From Command Line
Use the following command to copy the data. The source and the destination needs to be same in case copying to the original table
bq cp --destination_kms_key <customer_managed_key> source_dataset.source_table destination_dataset.destination_table
Usage
Run the control in your terminal:
powerpipe control run gcp_compliance.control.cis_v130_7_2
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run gcp_compliance.control.cis_v130_7_2 --share
SQL
This control uses a named query:
bigquery_table_encrypted_with_cmk