Profile Applicability:
- Level 2
Description:
By default, BigQuery uses Envelope Encryption with Google-managed cryptographic keys to encrypt data at rest. However, for organizations seeking greater control over encryption, Customer-Managed Encryption Keys (CMEK) can be used to manage the encryption process. Specifying a default CMEK for a dataset ensures that any new tables created within the dataset will automatically use the specified CMEK, unless another key is explicitly provided.
Rationale:
Although BigQuery's default encryption with Google-managed keys is seamless and secure, using CMEK allows organizations to maintain direct control over the encryption keys. This approach aligns with compliance requirements and enhances security policies by ensuring encryption is managed and governed by the organization.
Note: Google does not hold customer-managed keys and cannot access data encrypted with CMEK unless the key is explicitly provided. If a key is lost, the data encrypted with it cannot be recovered.
Impact:
Adopting CMEK introduces additional operational responsibilities, such as creating, managing, and protecting encryption keys. This may result in higher labor costs and increased effort for key lifecycle management.
Default Value:
By default, BigQuery datasets use Google-managed keys for encryption.
Audit Steps:
Using Google Cloud Console:
Navigate to Analytics > BigQuery.
Under SQL Workspaces, select a project.
Choose a dataset and view its details.
Check the Dataset info section to ensure a Customer-managed key is specified.
Repeat for all datasets across all projects.
Using Google Cloud CLI:
List all datasets:
bq ls
View the details of each dataset and verify that defaultEncryptionConfiguration.kmsKeyName is present and set to a Cloud KMS key:
bq show --format=prettyjson <DATASET_NAME>
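A scripted form of the CLI audit above, added here as an example and not part of the benchmark text: it walks every dataset in the projects given on the command line, reads defaultEncryptionConfiguration.kmsKeyName from bq show --format=prettyjson, and reports datasets still on Google-managed keys. The parsing helpers are exercised against constructed sample output; the project, dataset and key names in the samples are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the benchmark): audit BigQuery datasets for a default CMEK.
# Requires an authenticated `bq` CLI when run against real projects; the
# parsing helpers below work on captured JSON and need no network access.
set -eu

# Given the JSON printed by `bq show --format=prettyjson PROJECT:DATASET`,
# print defaultEncryptionConfiguration.kmsKeyName, or nothing if it is absent.
extract_default_kms_key() {
  printf '%s\n' "$1" | sed -n 's/.*"kmsKeyName": *"\([^"]*\)".*/\1/p' | head -n 1
}

# Succeed (exit 0) only when the dataset carries a well-formed Cloud KMS key
# resource name; a missing or malformed value means Google-managed encryption.
is_cmek_set() {
  extract_default_kms_key "$1" |
    grep -Eq '^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$'
}

# Walk every dataset in a project and print one PASS/FAIL line per dataset.
audit_project() {
  project=$1
  for ds in $(bq ls --format=prettyjson --project_id="$project" |
              sed -n 's/.*"datasetId": *"\([^"]*\)".*/\1/p'); do
    json=$(bq show --format=prettyjson "${project}:${ds}")
    if is_cmek_set "$json"; then
      echo "PASS ${project}:${ds} $(extract_default_kms_key "$json")"
    else
      echo "FAIL ${project}:${ds} no default CMEK (Google-managed key)"
    fi
  done
}

# Constructed samples shaped like `bq show --format=prettyjson` output; the
# project, dataset and key names are placeholders, not real resources.
SAMPLE_CMEK='{
  "datasetReference": {"datasetId": "sales", "projectId": "example-project"},
  "defaultEncryptionConfiguration": {
    "kmsKeyName": "projects/example-project/locations/us/keyRings/bq-ring/cryptoKeys/bq-key"
  }
}'
SAMPLE_GOOGLE_MANAGED='{
  "datasetReference": {"datasetId": "staging", "projectId": "example-project"}
}'

# Usage: ./audit_cmek.sh PROJECT_ID [PROJECT_ID ...]; with no arguments only
# the functions and samples above are defined.
for project in "$@"; do
  audit_project "$project"
done
```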
Remediation Steps:
Using Google Cloud CLI:
To set a default CMEK for an existing dataset:
Update the dataset with the desired CMEK; the --default_kms_key flag sets the dataset's defaultEncryptionConfiguration.kmsKeyName and takes the full Cloud KMS key resource name (projects/PROJECT/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY):
bq update --default_kms_key <CUSTOMER_MANAGED_KEY> <DATASET_NAME>
Backout Plan:
Step 1: Revert Encryption to Google-Managed Keys
If CMEK encryption needs to be removed, update the dataset to use Google-managed encryption:
bq update --clear_default_kms_key PROJECT_ID:DATASET_NAME
Step 2: Notify Stakeholders
If rollback is required, inform data security teams about encryption adjustments.
Step 3: Restore from Backup (If Necessary)
If encryption issues persist, restore the dataset from a previous backup.
Step 4: Validate Rollback Success
Run the audit steps again to confirm that CMEK is no longer enforced (if intentional).