GCP BigQuery Tables Should Be Encrypted With Customer Managed Keys
More Info:
By default, BigQuery encrypts table data at rest with Google-managed keys. This check ensures that BigQuery tables, and the datasets that hold them, are protected with customer-managed encryption keys (CMEK) held in Cloud KMS, so that the organisation controls key rotation, access, and revocation for the data.
Risk Level
Medium
Address
Security
Compliance Standards
CISGCP, CBP, HITRUST, SOC2, NISTCSF, PCIDSS, FedRAMP
Triage and Remediation
Remediation
To remediate the misconfiguration “GCP BigQuery Tables Should Be Encrypted With Customer Managed Keys” from the Google Cloud console, set a default customer-managed key on the dataset and then move the existing tables onto that key:
- Log in to the Google Cloud console and navigate to the BigQuery section.
- In the Explorer panel, select the dataset that contains the tables you want to encrypt.
- Open the dataset's info panel (“Show Info Panel”, the (i) icon next to the dataset name).
- In the “Encryption” section, click the “Edit” button.
- Select the “Customer-managed encryption keys” option.
- Click “Create or select a key” and choose an existing Cloud KMS key or create a new one. The key must live in the same location as the dataset: a regional key for a regional dataset, a key in the us multi-region for a dataset in the US multi-region, and a key in the europe multi-region for a dataset in the EU multi-region.
- Click the “Save” button.
The dataset default key applies only to tables created afterwards; tables that already exist keep their current encryption. Update each existing table with the CLI or Python steps below so that every table in the dataset reports a Cloud KMS key.
By following these steps, you can remediate the misconfiguration “GCP BigQuery Tables Should Be Encrypted With Customer Managed Keys” and ensure that new and existing BigQuery tables in the dataset are encrypted with a customer-managed key.
To remediate the misconfiguration of GCP BigQuery tables not being encrypted with customer-managed keys, you can follow the below steps using the GCP CLI. The key must be created in the same location as the dataset: a regional key for a regional dataset, a key in the us multi-region for a dataset in the US multi-region, and a key in the europe multi-region for a dataset in the EU multi-region.
- Firstly, create a key ring and a symmetric encryption key in Cloud Key Management Service (KMS) using the following commands:
gcloud kms keyrings create [KEYRING_NAME] --location [LOCATION]
gcloud kms keys create [KEY_NAME] --location [LOCATION] --keyring [KEYRING_NAME] --purpose encryption
Replace [KEYRING_NAME], [LOCATION] and [KEY_NAME] with your preferred values.
- Next, look up the project's BigQuery encryption service account and grant it permission to use the key. BigQuery does not use your own identity to wrap table data keys; it uses a per-project service account of the form bq-[PROJECT_NUMBER]@bigquery-encryption.iam.gserviceaccount.com, which bq prints for you:
bq show --encryption_service_account
gcloud kms keys add-iam-policy-binding [KEY_NAME] --location [LOCATION] --keyring [KEYRING_NAME] --member serviceAccount:[SERVICE_ACCOUNT_EMAIL] --role roles/cloudkms.cryptoKeyEncrypterDecrypter
Replace [KEYRING_NAME], [LOCATION], [KEY_NAME] and [SERVICE_ACCOUNT_EMAIL] with your values. Grant only roles/cloudkms.cryptoKeyEncrypterDecrypter on this one key; the service account needs no broader KMS role. If the key lives in a different project from the dataset, the binding is made in the key's project.
- Now set the customer-managed key as the default for the dataset, so that every table created in it from now on is protected with that key:
bq update --default_kms_key projects/[PROJECT_ID]/locations/[LOCATION]/keyRings/[KEYRING_NAME]/cryptoKeys/[KEY_NAME] [DATASET_NAME]
Replace [PROJECT_ID] (the project that owns the key), [LOCATION], [KEYRING_NAME], [KEY_NAME] and [DATASET_NAME] with your preferred values. When creating a new dataset, pass the same --default_kms_key flag to bq mk. Changing the dataset default does not alter tables that already exist.
- Finally, move each existing table in the dataset onto the customer-managed key:
bq update --destination_kms_key projects/[PROJECT_ID]/locations/[LOCATION]/keyRings/[KEYRING_NAME]/cryptoKeys/[KEY_NAME] -t [DATASET_NAME].[TABLE_NAME]
Replace [PROJECT_ID], [LOCATION], [KEYRING_NAME], [KEY_NAME], [DATASET_NAME] and [TABLE_NAME] with your preferred values, and repeat for every table (bq ls [DATASET_NAME] lists them). If bq update is rejected for a table that is still under Google-managed encryption, copy the table onto itself with bq cp --destination_kms_key (same key name) [DATASET_NAME].[TABLE_NAME] [DATASET_NAME].[TABLE_NAME], which rewrites the data under the new key. Confirm the result with bq show --format=prettyjson [DATASET_NAME].[TABLE_NAME]: the encryptionConfiguration.kmsKeyName field must name your key.
By following the above steps, new and existing tables in the dataset are encrypted with the customer-managed key. Keep in mind that if the key is later disabled or destroyed, or the service account's binding is removed, queries against these tables fail until access is restored, so protect the key's IAM policy and rotation schedule accordingly.
To remediate the misconfiguration of GCP BigQuery tables not being encrypted with customer-managed keys, you can follow the below steps using Python (the google-cloud-kms and google-cloud-bigquery packages). The key must be in the same location as the dataset, and the project's BigQuery encryption service account (bq-[PROJECT_NUMBER]@bigquery-encryption.iam.gserviceaccount.com) needs roles/cloudkms.cryptoKeyEncrypterDecrypter on it, exactly as in the CLI steps.
- First, create a customer-managed encryption key (CMEK) in the Google Cloud Key Management Service (KMS). The key ring must already exist (create it with gcloud kms keyrings create or KeyManagementServiceClient.create_key_ring):
from google.cloud import kms_v1
from google.oauth2 import service_account

# A service-account key file is used here; omitting the credentials argument makes the
# client use Application Default Credentials instead, which avoids keeping a long-lived
# key on disk.
credentials = service_account.Credentials.from_service_account_file('<path-to-service-account-key-file>')
kms_client = kms_v1.KeyManagementServiceClient(credentials=credentials)

# Resource name of the existing key ring: projects/<project-id>/locations/<location>/keyRings/<key-ring>
parent = kms_client.key_ring_path('<project-id>', '<location>', '<key-ring>')
# ENCRYPT_DECRYPT is the symmetric purpose BigQuery requires (same as --purpose encryption in gcloud)
purpose = kms_v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT
response = kms_client.create_crypto_key(parent=parent, crypto_key_id='<key-id>', crypto_key={'purpose': purpose})
print(f'Created CMEK: {response.name}')
- Next, update the BigQuery table to use the newly created CMEK for encryption. The dataset default can be set the same way through Dataset.default_encryption_configuration and Client.update_dataset, but that only affects tables created later, so each existing table is updated individually:
from google.cloud import bigquery
from google.oauth2 import service_account

credentials = service_account.Credentials.from_service_account_file('<path-to-service-account-key-file>')
bq_client = bigquery.Client(credentials=credentials, project='<project-id>')

# Full Cloud KMS key resource name; <location> must match the dataset's location
kms_key_name = 'projects/<project-id>/locations/<location>/keyRings/<key-ring>/cryptoKeys/<key-id>'

# Fetch the current table metadata, attach the key, and patch only that field
table = bq_client.get_table('<project-id>.<dataset-id>.<table-id>')
table.encryption_configuration = bigquery.EncryptionConfiguration(kms_key_name=kms_key_name)
table = bq_client.update_table(table, ['encryption_configuration'])

# Read the setting back from the API response rather than trusting the local object
print(f'Table {table.full_table_id} is now encrypted with {table.encryption_configuration.kms_key_name}')
Once you run the above two code snippets, the BigQuery table will be encrypted with the newly created CMEK. Repeat the second snippet for every table in the dataset.
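The CLI and Python steps above remediate one table at a time, but the check itself is about finding every table whose encryptionConfiguration carries no Cloud KMS key. The script below is an added example, not code from the original page or from Google: it audits dataset and table metadata in the JSON shape the BigQuery REST API returns (datasets.get and tables.get), flags tables without CMEK, datasets without a default key, and keys whose Cloud KMS location cannot serve the dataset's location, and emits the bq commands from the CLI section for each finding. The project name example-project, the dataset analytics, the key names and the sample resources are constructed for the example; fetch_project shows how to feed it real metadata with the google-cloud-bigquery client.

```python
"""Audit BigQuery datasets/tables for customer-managed encryption keys (CMEK).

Added example, not part of the original page. Operates on dicts shaped like the
BigQuery REST resources (datasets.get / tables.get). All sample data below is
constructed; project, dataset and key names are hypothetical.
"""
import re

# Cloud KMS key resource name: projects/P/locations/L/keyRings/R/cryptoKeys/K
KMS_KEY_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/(?P<ring>[^/]+)/cryptoKeys/(?P<key>[^/]+)$"
)

# BigQuery multi-region dataset locations and the Cloud KMS multi-region
# a key must live in to be usable from such a dataset.
MULTI_REGION_KMS_LOCATION = {"us": "us", "eu": "europe"}


def parse_kms_key(name):
    """Return the components of a Cloud KMS key name, or None if malformed."""
    match = KMS_KEY_RE.match(name or "")
    return match.groupdict() if match else None


def key_location_matches(dataset_location, kms_key_name):
    """True if the key's Cloud KMS location is usable from the dataset location."""
    parsed = parse_kms_key(kms_key_name)
    if parsed is None:
        return False
    loc = dataset_location.lower()
    return parsed["location"] == MULTI_REGION_KMS_LOCATION.get(loc, loc)


def audit_dataset(dataset, tables):
    """Return (resource, finding) pairs for one dataset and its tables."""
    ds_id = dataset["datasetReference"]["datasetId"]
    ds_loc = dataset.get("location", "")
    findings = []
    default_key = (dataset.get("defaultEncryptionConfiguration") or {}).get("kmsKeyName")
    if not default_key:
        findings.append((ds_id, "NO_DATASET_DEFAULT_CMEK"))
    elif not key_location_matches(ds_loc, default_key):
        findings.append((ds_id, "DATASET_KEY_LOCATION_MISMATCH"))
    for table in tables:
        ref = f"{ds_id}.{table['tableReference']['tableId']}"
        key = (table.get("encryptionConfiguration") or {}).get("kmsKeyName")
        if not key:
            findings.append((ref, "TABLE_NOT_CMEK"))
        elif not key_location_matches(ds_loc, key):
            findings.append((ref, "TABLE_KEY_LOCATION_MISMATCH"))
    return findings


def remediation_commands(findings, kms_key_name):
    """Map findings to the bq commands used in the CLI remediation steps."""
    cmds = []
    for resource, finding in findings:
        if "DATASET" in finding:
            cmds.append(f"bq update --default_kms_key {kms_key_name} {resource}")
        else:
            cmds.append(f"bq update --destination_kms_key {kms_key_name} -t {resource}")
    return cmds


def fetch_project(project_id):
    """Yield (dataset, tables) API representations from a real project.

    Needs google-cloud-bigquery and credentials (ADC); not used by the offline sample.
    """
    from google.cloud import bigquery  # imported here so the audit runs without the SDK

    client = bigquery.Client(project=project_id)
    for item in client.list_datasets():
        dataset = client.get_dataset(item.reference)
        tables = [client.get_table(t.reference) for t in client.list_tables(dataset)]
        yield dataset.to_api_repr(), [t.to_api_repr() for t in tables]


# Constructed sample: a US multi-region dataset with no default key, one table on
# Google-managed encryption, one correctly keyed, one keyed in the wrong location.
GOOD_KEY = "projects/example-project/locations/us/keyRings/bq-ring/cryptoKeys/bq-key"
SAMPLE_DATASET = {
    "datasetReference": {"projectId": "example-project", "datasetId": "analytics"},
    "location": "US",
}
SAMPLE_TABLES = [
    {"tableReference": {"projectId": "example-project", "datasetId": "analytics", "tableId": "events"}},
    {"tableReference": {"projectId": "example-project", "datasetId": "analytics", "tableId": "users"},
     "encryptionConfiguration": {"kmsKeyName": GOOD_KEY}},
    {"tableReference": {"projectId": "example-project", "datasetId": "analytics", "tableId": "orders"},
     "encryptionConfiguration": {"kmsKeyName": GOOD_KEY.replace("/us/", "/europe/")}},
]

if __name__ == "__main__":
    found = audit_dataset(SAMPLE_DATASET, SAMPLE_TABLES)
    for resource, finding in found:
        print(f"{finding:30} {resource}")
    print("\nRemediation:")
    for cmd in remediation_commands(found, GOOD_KEY):
        print(cmd)
```

Against a live project, replace the sample with `for ds, tables in fetch_project("my-project"): audit_dataset(ds, tables)`. The location check matters because a key in the wrong Cloud KMS location is rejected when the table is written, so the audit catches it before the remediation command is run rather than after it fails.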