Bigquery datasets encrypted with cmek remediation

Using Console

Using CLI

To remediate the misconfiguration “Ensure Default CMEK Is Specified For BigQuery Data Sets” for GCP using GCP CLI, follow the below steps:

Open the Cloud Shell in the GCP console.
Run the following command to list all the BigQuery datasets in the project:

bq ls

Identify the dataset for which you want to set the default CMEK.
Run the following command to set the default CMEK for the identified dataset:

bq update --default_kms_key_id=<KMS_KEY_ID> <DATASET_NAME>

Replace <KMS_KEY_ID> with the ID of the KMS key that you want to use as the default CMEK for the dataset and <DATASET_NAME> with the name of the dataset that you identified in step 3.

Verify that the default CMEK has been set for the dataset by running the following command:

bq show <DATASET_NAME>

This will display the details of the dataset, including the default CMEK that has been set.

Repeat steps 3 to 5 for all the BigQuery datasets in the project to ensure that the default CMEK is specified for all the datasets.

By following the above steps, you can remediate the misconfiguration “Ensure Default CMEK Is Specified For BigQuery Data Sets” for GCP using GCP CLI.

Using Python

To remediate the misconfiguration “Ensure Default CMEK Is Specified For BigQuery Data Sets” in GCP using Python, you can follow the below steps:

First, you need to create a Key Management Service (KMS) key ring and key in the same region as your BigQuery dataset.

from google.cloud import kms_v1
from google.cloud.kms_v1 import enums

client = kms_v1.KeyManagementServiceClient()

# Set the parent location of the key ring
parent = client.location_path(project_id, location)

# Set the key ring ID and key ID
key_ring_id = 'my-key-ring'
key_id = 'my-key'

# Create the key ring
key_ring = client.create_key_ring(parent, key_ring_id, {})

# Create the key
key = client.create_crypto_key(key_ring.name, key_id, enums.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT, {})

Next, you need to set the default encryption key for your BigQuery dataset using the KMS key you created in step 1.

from google.cloud import bigquery

client = bigquery.Client()

# Set the dataset ID
dataset_id = 'my-dataset'

# Set the encryption configuration using the KMS key
encryption_config = bigquery.EncryptionConfiguration(
    kms_key_name=f"projects/{project_id}/locations/{location}/keyRings/{key_ring_id}/cryptoKeys/{key_id}"
)

# Set the default encryption configuration for the dataset
dataset = client.get_dataset(dataset_id)
dataset.encryption_configuration = encryption_config
client.update_dataset(dataset, ["encryption_configuration"])

Finally, you need to verify that the default encryption key is set for your BigQuery dataset.

# Get the dataset and verify the encryption configuration
dataset = client.get_dataset(dataset_id)
print(f"Encryption configuration: {dataset.encryption_configuration}")

By following these steps, you can remediate the misconfiguration “Ensure Default CMEK Is Specified For BigQuery Data Sets” in GCP using Python.

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

Bigquery datasets encrypted with cmek remediation

Triage and Remediation

Remediation

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​Triage and Remediation

​Remediation

Triage and Remediation

Remediation