More Info:

Ensure that BigQuery Tables are encrypted with CMKs

Risk Level

Medium

Address

Security

Compliance Standards

CISGCP, CBP, HITRUST, SOC2, NISTCSF, PCIDSS, FedRAMP

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “GCP BigQuery Tables Should Be Encrypted With Customer Managed Keys”, you can follow the below steps:
  1. Log in to your GCP console.
  2. Navigate to the BigQuery section.
  3. Select the dataset that contains the tables you want to encrypt.
  4. Click on the “Show Info Panel” button (i) next to the dataset name.
  5. In the “Encryption” section, click on the “Edit” button.
  6. Select the “Customer-managed encryption keys” option.
  7. Click on the “Create or select a key” button.
  8. Choose an existing key or create a new one.
  9. Click on the “Save” button.
  10. Repeat the above steps for each table in the dataset.
By following these steps, you can remediate the misconfiguration “GCP BigQuery Tables Should Be Encrypted With Customer Managed Keys” and ensure that your BigQuery tables are encrypted with customer-managed keys.

To remediate the misconfiguration of GCP BigQuery tables not being encrypted with customer-managed keys, you can follow the below steps using GCP CLI:
  1. Firstly, create a customer-managed encryption key in Cloud Key Management Service (KMS) using the following command:
gcloud kms keyrings create [KEYRING_NAME] --location [LOCATION]
gcloud kms keys create [KEY_NAME] --location [LOCATION] --keyring [KEYRING_NAME] --purpose encryption
Replace [KEYRING_NAME], [LOCATION] and [KEY_NAME] with your preferred values.
  1. Next, grant the BigQuery service account the necessary permissions to use the encryption key by running the following command:
gcloud kms keys add-iam-policy-binding [KEY_NAME] --location [LOCATION] --keyring [KEYRING_NAME] --member serviceAccount:[SERVICE_ACCOUNT_EMAIL] --role roles/cloudkms.cryptoKeyEncrypterDecrypter
Replace [KEYRING_NAME], [LOCATION], [KEY_NAME] and [SERVICE_ACCOUNT_EMAIL] with your preferred values.
  1. Now, create a new BigQuery dataset or update an existing one to use the customer-managed encryption key by running the following command:
bq update --default_table_expiration [INTEGER_VALUE] --description [DESCRIPTION] --encryption_kms_key_name projects/[PROJECT_ID]/locations/[LOCATION]/keyRings/[KEYRING_NAME]/cryptoKeys/[KEY_NAME] [DATASET_NAME]
Replace [INTEGER_VALUE], [DESCRIPTION], [PROJECT_ID], [LOCATION], [KEYRING_NAME], [KEY_NAME] and [DATASET_NAME] with your preferred values.
  1. Finally, ensure that all existing tables in the dataset are encrypted with the customer-managed key by running the following command:
bq update --table_kms_key projects/[PROJECT_ID]/locations/[LOCATION]/keyRings/[KEYRING_NAME]/cryptoKeys/[KEY_NAME] [DATASET_NAME].[TABLE_NAME]
Replace [PROJECT_ID], [LOCATION], [KEYRING_NAME], [KEY_NAME], [DATASET_NAME] and [TABLE_NAME] with your preferred values.By following the above steps, you can remediate the misconfiguration of GCP BigQuery tables not being encrypted with customer-managed keys.
To remediate the misconfiguration of GCP BigQuery Tables not being encrypted with customer managed keys, you can follow the below steps using Python:
  1. First, you need to create a customer-managed encryption key (CMEK) in the Google Cloud Key Management Service (KMS) using the following code:
from google.cloud import kms_v1
from google.oauth2 import service_account

credentials = service_account.Credentials.from_service_account_file('<path-to-service-account-key-file>')
kms_client = kms_v1.KeyManagementServiceClient(credentials=credentials)

parent = kms_client.key_ring_path('<project-id>', '<location>', '<key-ring>')
purpose = kms_v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT

response = kms_client.create_crypto_key(parent=parent, crypto_key_id='<key-id>', crypto_key={'purpose': purpose})
print(f'Created CMEK: {response.name}')
  1. Next, you need to update the BigQuery table to use the newly created CMEK for encryption using the following code:
from google.cloud import bigquery
from google.oauth2 import service_account

credentials = service_account.Credentials.from_service_account_file('<path-to-service-account-key-file>')
bq_client = bigquery.Client(credentials=credentials, project='<project-id>')

dataset_ref = bq_client.dataset('<dataset-id>')
table_ref = dataset_ref.table('<table-id>')
table = bq_client.get_table(table_ref)

table.encryption_configuration = bigquery.EncryptionConfiguration(
    kms_key_name=f'projects/<project-id>/locations/<location>/keyRings/<key-ring>/cryptoKeys/<key-id>'
)

table = bq_client.update_table(table, ['encryption_configuration'])
print(f'Table {table.table_id} is now encrypted with CMEK')
Once you run the above two code snippets, the BigQuery table will be encrypted with the newly created CMEK.

Additional Reading: