More Info:

BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys. This is seamless and does not require any additional input from the user. For greater control over the encryption, customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery Data Sets. Setting a Default Customer-managed encryption key (CMEK) for a data set ensure any tables created in future will use the specified CMEK if none other is provided.

Risk Level

Medium

Address

Security

Compliance Standards

CISGCP, CBP, SOC2, NISTCSF, PCIDSS, FedRAMP

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Ensure Default CMEK Is Specified For BigQuery Data Sets” in GCP using GCP Console, you can follow the below steps:
  1. Open the BigQuery console in the GCP Console.
  2. In the navigation pane, select the dataset for which you want to set the default CMEK.
  3. Click on the “Edit” button (pencil icon) next to the dataset name.
  4. In the “Encryption” section, click on the “Change” button next to the “Default encryption” option.
  5. In the “Default encryption” dialog box, select the checkbox “Use a customer-managed key (CMEK)”.
  6. Select the appropriate key from the dropdown list or create a new key.
  7. Click on the “Save” button to save the changes.
  8. Repeat the above steps for all the datasets that need to be remediated.
By following the above steps, you can ensure that the default CMEK is specified for BigQuery datasets in GCP, and remediate the misconfiguration.

To remediate the misconfiguration “Ensure Default CMEK Is Specified For BigQuery Data Sets” for GCP using GCP CLI, follow the below steps:
  1. Open the Cloud Shell in the GCP console.
  2. Run the following command to list all the BigQuery datasets in the project: 
bq ls
  1. Identify the dataset for which you want to set the default CMEK.
  2. Run the following command to set the default CMEK for the identified dataset: 
bq update --default_kms_key_id=<KMS_KEY_ID> <DATASET_NAME>
Replace <KMS_KEY_ID> with the ID of the KMS key that you want to use as the default CMEK for the dataset and <DATASET_NAME> with the name of the dataset that you identified in step 3.
  1. Verify that the default CMEK has been set for the dataset by running the following command:
bq show <DATASET_NAME>
This will display the details of the dataset, including the default CMEK that has been set.
  1. Repeat steps 3 to 5 for all the BigQuery datasets in the project to ensure that the default CMEK is specified for all the datasets.
By following the above steps, you can remediate the misconfiguration “Ensure Default CMEK Is Specified For BigQuery Data Sets” for GCP using GCP CLI.
To remediate the misconfiguration “Ensure Default CMEK Is Specified For BigQuery Data Sets” in GCP using Python, you can follow the below steps:
  1. First, you need to create a Key Management Service (KMS) key ring and key in the same region as your BigQuery dataset.
from google.cloud import kms_v1
from google.cloud.kms_v1 import enums

client = kms_v1.KeyManagementServiceClient()

# Set the parent location of the key ring
parent = client.location_path(project_id, location)

# Set the key ring ID and key ID
key_ring_id = 'my-key-ring'
key_id = 'my-key'

# Create the key ring
key_ring = client.create_key_ring(parent, key_ring_id, {})

# Create the key
key = client.create_crypto_key(key_ring.name, key_id, enums.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT, {})
  1. Next, you need to set the default encryption key for your BigQuery dataset using the KMS key you created in step 1.
from google.cloud import bigquery

client = bigquery.Client()

# Set the dataset ID
dataset_id = 'my-dataset'

# Set the encryption configuration using the KMS key
encryption_config = bigquery.EncryptionConfiguration(
    kms_key_name=f"projects/{project_id}/locations/{location}/keyRings/{key_ring_id}/cryptoKeys/{key_id}"
)

# Set the default encryption configuration for the dataset
dataset = client.get_dataset(dataset_id)
dataset.encryption_configuration = encryption_config
client.update_dataset(dataset, ["encryption_configuration"])
  1. Finally, you need to verify that the default encryption key is set for your BigQuery dataset.
# Get the dataset and verify the encryption configuration
dataset = client.get_dataset(dataset_id)
print(f"Encryption configuration: {dataset.encryption_configuration}")
By following these steps, you can remediate the misconfiguration “Ensure Default CMEK Is Specified For BigQuery Data Sets” in GCP using Python.

Additional Reading: