More Info:

BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys. This is seamless and does not require any additional input from the user. For greater control over the encryption, customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery Data Sets. Setting a Default Customer-managed encryption key (CMEK) for a data set ensure any tables created in future will use the specified CMEK if none other is provided.

Risk Level

Medium

Address

Security

Compliance Standards

CISGCP, CBP, SOC2, NISTCSF, PCIDSS, FedRAMP

Triage and Remediation

Remediation

To remediate the misconfiguration “Ensure Default CMEK Is Specified For BigQuery Data Sets” in GCP using GCP Console, you can follow the below steps:

  1. Open the BigQuery console in the GCP Console.

  2. In the navigation pane, select the dataset for which you want to set the default CMEK.

  3. Click on the “Edit” button (pencil icon) next to the dataset name.

  4. In the “Encryption” section, click on the “Change” button next to the “Default encryption” option.

  5. In the “Default encryption” dialog box, select the checkbox “Use a customer-managed key (CMEK)”.

  6. Select the appropriate key from the dropdown list or create a new key.

  7. Click on the “Save” button to save the changes.

  8. Repeat the above steps for all the datasets that need to be remediated.

By following the above steps, you can ensure that the default CMEK is specified for BigQuery datasets in GCP, and remediate the misconfiguration.

Additional Reading: