Ensure Default CMEK Is Specified For BigQuery Data Sets
More Info:
BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys. This is seamless and does not require any additional input from the user. For greater control over the encryption, customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery Data Sets. Setting a Default Customer-managed encryption key (CMEK) for a data set ensure any tables created in future will use the specified CMEK if none other is provided.Risk Level
MediumAddress
SecurityCompliance Standards
CISGCP, CBP, SOC2, NISTCSF, PCIDSS, FedRAMPTriage and Remediation
Remediation
Using Console
Using Console
To remediate the misconfiguration “Ensure Default CMEK Is Specified For BigQuery Data Sets” in GCP using GCP Console, you can follow the below steps:
- Open the BigQuery console in the GCP Console.
- In the navigation pane, select the dataset for which you want to set the default CMEK.
- Click on the “Edit” button (pencil icon) next to the dataset name.
- In the “Encryption” section, click on the “Change” button next to the “Default encryption” option.
- In the “Default encryption” dialog box, select the checkbox “Use a customer-managed key (CMEK)”.
- Select the appropriate key from the dropdown list or create a new key.
- Click on the “Save” button to save the changes.
- Repeat the above steps for all the datasets that need to be remediated.
Using CLI
Using CLI
To remediate the misconfiguration “Ensure Default CMEK Is Specified For BigQuery Data Sets” for GCP using GCP CLI, follow the below steps:Replace This will display the details of the dataset, including the default CMEK that has been set.
- Open the Cloud Shell in the GCP console.
- Run the following command to list all the BigQuery datasets in the project:
- Identify the dataset for which you want to set the default CMEK.
- Run the following command to set the default CMEK for the identified dataset:
<KMS_KEY_ID> with the ID of the KMS key that you want to use as the default CMEK for the dataset and <DATASET_NAME> with the name of the dataset that you identified in step 3.- Verify that the default CMEK has been set for the dataset by running the following command:
- Repeat steps 3 to 5 for all the BigQuery datasets in the project to ensure that the default CMEK is specified for all the datasets.
Using Python
Using Python
To remediate the misconfiguration “Ensure Default CMEK Is Specified For BigQuery Data Sets” in GCP using Python, you can follow the below steps:By following these steps, you can remediate the misconfiguration “Ensure Default CMEK Is Specified For BigQuery Data Sets” in GCP using Python.
- First, you need to create a Key Management Service (KMS) key ring and key in the same region as your BigQuery dataset.
- Next, you need to set the default encryption key for your BigQuery dataset using the KMS key you created in step 1.
- Finally, you need to verify that the default encryption key is set for your BigQuery dataset.