More Info:
Ensure that BigQuery Tables are encrypted with CMKs
Risk Level: Medium
Address: Security
Compliance Standards: CISGCP, CBP, HITRUST, SOC2, NISTCSF, PCIDSS, FedRAMP
Triage and Remediation
Remediation
Using Console
To remediate the misconfiguration “GCP BigQuery Tables Should Be Encrypted With Customer Managed Keys”, follow the steps below:
- Log in to your GCP console.
- Navigate to the BigQuery section.
- Select the dataset that contains the tables you want to encrypt.
- Click on the “Show Info Panel” button (i) next to the dataset name.
- In the “Encryption” section, click on the “Edit” button.
- Select the “Customer-managed encryption keys” option.
- Click on the “Create or select a key” button.
- Choose an existing key or create a new one.
- Click on the “Save” button.
- Repeat the above steps for each table in the dataset.
Using CLI
To remediate the misconfiguration of GCP BigQuery tables not being encrypted with customer-managed keys, follow the steps below using the GCP CLI:
- Firstly, create a customer-managed encryption key in Cloud Key Management Service (KMS) using the following command:
  Replace [KEYRING_NAME], [LOCATION] and [KEY_NAME] with your preferred values.
- Next, grant the BigQuery service account the necessary permissions to use the encryption key by running the following command:
  Replace [KEYRING_NAME], [LOCATION], [KEY_NAME] and [SERVICE_ACCOUNT_EMAIL] with your preferred values.
- Now, create a new BigQuery dataset or update an existing one to use the customer-managed encryption key by running the following command:
  Replace [INTEGER_VALUE], [DESCRIPTION], [PROJECT_ID], [LOCATION], [KEYRING_NAME], [KEY_NAME] and [DATASET_NAME] with your preferred values.
- Finally, ensure that all existing tables in the dataset are encrypted with the customer-managed key by running the following command:
  Replace [PROJECT_ID], [LOCATION], [KEYRING_NAME], [KEY_NAME], [DATASET_NAME] and [TABLE_NAME] with your preferred values.
By following the above steps, you can remediate the misconfiguration of GCP BigQuery tables not being encrypted with customer-managed keys.
Using Python
To remediate the misconfiguration of GCP BigQuery tables not being encrypted with customer-managed keys, follow the steps below using Python:
- First, you need to create a customer-managed encryption key (CMEK) in the Google Cloud Key Management Service (KMS) using the following code:
- Next, you need to update the BigQuery table to use the newly created CMEK for encryption using the following code:
Once you run the above two code snippets, the BigQuery table will be encrypted with the newly created CMEK.
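To verify the result of the remediation, the following added example (not code from the original page) audits dataset and table metadata for CMEK coverage. It reads the `defaultEncryptionConfiguration.kmsKeyName` and `encryptionConfiguration.kmsKeyName` fields of the BigQuery dataset and table resources; the function names, project, dataset, table and key names are hypothetical, and the sample metadata is constructed so the check runs offline.

```python
"""Audit BigQuery dataset/table metadata for customer-managed key (CMEK) coverage."""

def kms_key(resource, field):
    # Both fields hold {"kmsKeyName": "projects/.../cryptoKeys/..."} when a CMEK is set.
    return (resource.get(field) or {}).get("kmsKeyName")

def audit_cmek(dataset, tables, approved_keys):
    """Return sorted (resource, problem) findings; an empty list means compliant."""
    findings = []
    ds = dataset["datasetReference"]
    ds_name = f'{ds["projectId"]}:{ds["datasetId"]}'
    default_key = kms_key(dataset, "defaultEncryptionConfiguration")
    if default_key is None:
        findings.append((ds_name, "no default CMEK; new tables get Google-managed keys"))
    elif default_key not in approved_keys:
        findings.append((ds_name, "default CMEK is not an approved key"))
    for table in tables:
        ref = table["tableReference"]
        name = f'{ref["projectId"]}:{ref["datasetId"]}.{ref["tableId"]}'
        key = kms_key(table, "encryptionConfiguration")
        if key is None:
            # A dataset default key only applies to tables created afterwards,
            # so each existing table has to be checked on its own.
            findings.append((name, "no CMEK; table uses Google-managed encryption"))
        elif key not in approved_keys:
            findings.append((name, "CMEK is not an approved key"))
    return sorted(findings)

# Constructed sample metadata (hypothetical names, not from the original page).
KEY = "projects/example-proj/locations/us/keyRings/bq-ring/cryptoKeys/bq-key"
OTHER = "projects/other-proj/locations/us/keyRings/tmp/cryptoKeys/test-key"
DATASET = {
    "datasetReference": {"projectId": "example-proj", "datasetId": "sales"},
    "defaultEncryptionConfiguration": {"kmsKeyName": KEY},
}

def make_table(table_id, key=None):
    ref = {"projectId": "example-proj", "datasetId": "sales", "tableId": table_id}
    table = {"tableReference": ref}
    if key:
        table["encryptionConfiguration"] = {"kmsKeyName": key}
    return table

TABLES = [make_table("orders", KEY), make_table("legacy_events"), make_table("exports", OTHER)]

if __name__ == "__main__":
    for resource, problem in audit_cmek(DATASET, TABLES, {KEY}):
        print(f"{resource}: {problem}")
```

In the sample, the dataset already has a default key, yet `legacy_events` is still reported because it was created before the default was set.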