Profile Applicability

  • Level 2

Description:

By default, BigQuery uses envelope encryption with Google-managed cryptographic keys to encrypt data at rest. Organizations that need direct control over the keys can instead use Customer-Managed Encryption Keys (CMEK) held in Cloud KMS. Specifying a default CMEK for a dataset ensures that any new table created within the dataset automatically uses that key unless a different key is explicitly provided at table creation; tables that already exist in the dataset are not re-encrypted when the default is set or changed.

Rationale:

Although BigQuery's default encryption with Google-managed keys is seamless and secure, using CMEK allows the organization to own the key lifecycle: rotation, disabling, destruction and the IAM policy that decides which service accounts may use the key. This supports compliance requirements that call for customer-controlled key management and gives the organization a single point at which access to the encrypted data can be revoked.
Note: with CMEK the key is held in Cloud KMS under the organization's control, and BigQuery can only encrypt or decrypt with it while the BigQuery service account has been granted access to that key. If the key is destroyed, data encrypted with it cannot be recovered.

Impact:
Adopting CMEK introduces additional operational responsibilities, such as creating, rotating and protecting encryption keys and granting the BigQuery service account the Cloud KMS CryptoKey Encrypter/Decrypter role on each key. This may result in higher labor costs and increased effort for key lifecycle management. Disabling or destroying a key, or revoking the service account's access to it, makes every table encrypted with that key unreadable until access is restored, so key operations must be coordinated with the data owners.

Default Value:

By default, BigQuery datasets use Google-managed keys for encryption.

Audit Steps:

Using Google Cloud Console
  1. Navigate to Analytics > BigQuery.
  2. Under SQL Workspaces, select a project.
  3. Choose a dataset and view its details.
  4. Check the Dataset info section to ensure a Customer-managed key is specified.
  5. Repeat for all datasets across all projects.

Using Google Cloud CLI:

List all datasets in a project:

bq ls --project_id=<PROJECT_ID>

View the details of each dataset and verify that defaultEncryptionConfiguration.kmsKeyName is present and names the expected Cloud KMS key:

bq show --format=prettyjson <PROJECT_ID>:<DATASET_NAME>

A dataset with no defaultEncryptionConfiguration block uses Google-managed keys for new tables. Repeat for every project in scope.

Remediation Steps:

Using Google Cloud CLI

To set a default CMEK for an existing dataset:

Update the dataset with the desired CMEK by passing the Cloud KMS key resource name (projects/<PROJECT>/locations/<LOCATION>/keyRings/<KEY_RING>/cryptoKeys/<KEY>), which is stored as defaultEncryptionConfiguration.kmsKeyName on the dataset:

bq update --default_kms_key <CUSTOMER_MANAGED_KEY> <PROJECT_ID>:<DATASET_NAME>

The key must be in the same location as the dataset, and the BigQuery service account for the project must already hold the Cloud KMS CryptoKey Encrypter/Decrypter role on it, or table creation in the dataset will fail. Only tables created after the update use the new default; existing tables keep the key they were created with.
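The audit steps and the remediation command above can be scripted. The following is an added example, not part of the original benchmark text or a Google-supplied tool: it runs the bq CLI, parses the JSON output of bq ls and bq show, reports every dataset whose defaultEncryptionConfiguration.kmsKeyName is missing or is not a Cloud KMS key resource name, and prints the matching bq update command. The parsing logic is kept in pure functions and exercised against constructed sample JSON so the script also runs offline; the project, dataset and key names in the samples are assumptions.

```python
"""Audit BigQuery datasets for a default customer-managed encryption key.

Added example (not from the original page). Assumes the `bq` CLI is
installed and authenticated when run against a real project.
"""
import json
import re
import subprocess
import sys
from typing import List, Optional

# A Cloud KMS key resource name, which is what --default_kms_key expects.
# A key *version* path (…/cryptoKeyVersions/N) would not match, and is rejected.
KMS_KEY_RE = re.compile(
    r"^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$"
)


def run_bq(*args: str) -> str:
    """Run a bq command and return its stdout."""
    proc = subprocess.run(["bq", *args], check=True, capture_output=True, text=True)
    return proc.stdout


def dataset_ids(ls_json: str) -> List[str]:
    """Extract 'project:dataset' ids from `bq ls --format=json` output.

    bq prints nothing at all for a project with no datasets, hence the guard.
    """
    if not ls_json.strip():
        return []
    return [d["id"] for d in json.loads(ls_json)]


def default_cmek(show_json: str) -> Optional[str]:
    """Return the dataset's default KMS key name from `bq show --format=json`, or None."""
    dataset = json.loads(show_json)
    return dataset.get("defaultEncryptionConfiguration", {}).get("kmsKeyName")


def evaluate(dataset_id: str, show_json: str) -> dict:
    """Turn one dataset's bq show output into a PASS/FAIL finding."""
    key = default_cmek(show_json)
    if key is None:
        status, reason = "FAIL", "no default CMEK; new tables use Google-managed keys"
    elif not KMS_KEY_RE.match(key):
        status, reason = "FAIL", f"kmsKeyName is not a Cloud KMS key resource name: {key}"
    else:
        status, reason = "PASS", key
    finding = {"dataset": dataset_id, "status": status, "reason": reason}
    if status == "FAIL":
        # Same command as the remediation step; the operator supplies the key.
        finding["remediation"] = (
            f"bq update --default_kms_key <CUSTOMER_MANAGED_KEY> {dataset_id}"
        )
    return finding


def audit_project(project_id: str) -> List[dict]:
    """Live audit: list the project's datasets and evaluate each one."""
    ls_out = run_bq("ls", "--format=json", "--max_results=1000",
                    f"--project_id={project_id}")
    return [evaluate(ds, run_bq("show", "--format=json", ds))
            for ds in dataset_ids(ls_out)]


# Constructed sample output (assumed names) so the logic can be run offline.
SAMPLE_LS = json.dumps([
    {"id": "example-proj:analytics", "datasetReference":
        {"projectId": "example-proj", "datasetId": "analytics"}},
    {"id": "example-proj:scratch", "datasetReference":
        {"projectId": "example-proj", "datasetId": "scratch"}},
])
SAMPLE_SHOW = {
    "example-proj:analytics": json.dumps({
        "id": "example-proj:analytics",
        "location": "US",
        "defaultEncryptionConfiguration": {"kmsKeyName":
            "projects/example-proj/locations/us/keyRings/bq-ring/cryptoKeys/bq-key"},
    }),
    "example-proj:scratch": json.dumps({"id": "example-proj:scratch", "location": "US"}),
}


def demo() -> List[dict]:
    """Offline run over the constructed samples."""
    return [evaluate(ds, SAMPLE_SHOW[ds]) for ds in dataset_ids(SAMPLE_LS)]


if __name__ == "__main__":
    projects = sys.argv[1:]
    findings = [f for p in projects for f in audit_project(p)] if projects else demo()
    for f in findings:
        print(f"{f['status']}\t{f['dataset']}\t{f['reason']}")
        if "remediation" in f:
            print(f"\t-> {f['remediation']}")
```

Run it with one or more project ids to audit live, or with no arguments to see the offline demo; a non-zero set of FAIL lines is the list of datasets to remediate.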

Backout Plan:

Step 1: Revert Encryption to Google-Managed Keys

If the default CMEK needs to be removed, clear it so that new tables in the dataset fall back to Google-managed encryption:

bq update --clear_default_kms_key PROJECT_ID:DATASET_NAME

Clearing the default affects only tables created afterwards. Tables that were created while the CMEK was in force remain encrypted with it, so the key must stay enabled and the BigQuery service account must keep access to it for as long as those tables exist.

Step 2: Notify Stakeholders

  • If rollback is required, inform data security teams about encryption adjustments.

Step 3: Restore from Backup (If Necessary)

  • If tables remain unreadable after rollback (for example because the key was disabled or access to it was revoked), restore the dataset from a previous backup. A backup of tables encrypted with a destroyed key is not recoverable either, so confirm the backup itself was taken under an available key.

Step 4: Validate Rollback Success

  • Run the audit steps again to confirm that CMEK is no longer enforced (if intentional).

References:

  1. BigQuery Customer-Managed Encryption

CIS Controls:

Control | Description | IG 1 | IG 2 | IG 3
3.11 Encrypt Sensitive Data at Rest | Encrypt sensitive data stored on servers, applications, and databases using server-side or client-side encryption. | | |
14.8 Encrypt Sensitive Information | Encrypt all sensitive information at rest using tools that require secondary authentication mechanisms separate from the operating system to access the data. | | |