Triage and Remediation
Remediation
Using Console
To remediate the misconfiguration “GCP BigQuery Tables Should Be Encrypted With Customer Managed Keys”, follow these steps:
- Log in to your GCP console.
- Navigate to the BigQuery section.
- Select the dataset that contains the tables you want to encrypt.
- Click on the “Show Info Panel” button (i) next to the dataset name.
- In the “Encryption” section, click on the “Edit” button.
- Select the “Customer-managed encryption keys” option.
- Click on the “Create or select a key” button.
- Choose an existing key or create a new one.
- Click on the “Save” button.
- Repeat the above steps for each table in the dataset.
Using CLI
To remediate the misconfiguration of GCP BigQuery tables not being encrypted with customer-managed keys, you can follow the below steps using GCP CLI:
- Firstly, create a customer-managed encryption key in Cloud Key Management Service (KMS) using the following command:
  Replace [KEYRING_NAME], [LOCATION] and [KEY_NAME] with your preferred values.
- Next, grant the BigQuery service account the necessary permissions to use the encryption key by running the following command:
  Replace [KEYRING_NAME], [LOCATION], [KEY_NAME] and [SERVICE_ACCOUNT_EMAIL] with your preferred values.
- Now, create a new BigQuery dataset or update an existing one to use the customer-managed encryption key by running the following command:
  Replace [INTEGER_VALUE], [DESCRIPTION], [PROJECT_ID], [LOCATION], [KEYRING_NAME], [KEY_NAME] and [DATASET_NAME] with your preferred values.
- Finally, ensure that all existing tables in the dataset are encrypted with the customer-managed key by running the following command:
  Replace [PROJECT_ID], [LOCATION], [KEYRING_NAME], [KEY_NAME], [DATASET_NAME] and [TABLE_NAME] with your preferred values.
By following the above steps, you can remediate the misconfiguration of GCP BigQuery tables not being encrypted with customer-managed keys.
Using Python
To remediate the misconfiguration of GCP BigQuery Tables not being encrypted with customer managed keys, you can follow the below steps using Python:
- First, you need to create a customer-managed encryption key (CMEK) in the Google Cloud Key Management Service (KMS) using the following code:
- Next, you need to update the BigQuery table to use the newly created CMEK for encryption using the following code:
Once you run the above two code snippets, the BigQuery table will be encrypted with the newly created CMEK.
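A check to run after the CLI or Python steps, added here as an example and not part of the original page: it reads dataset and table metadata in the JSON shape printed by bq show --format=prettyjson and reports tables that still lack a customer-managed key, which is common for tables created before the dataset default key was set. The finding codes and the sample project, key ring and key names are constructed for illustration.

```python
import re

# Shape of a Cloud KMS CryptoKey resource name, as stored in kmsKeyName.
KEY_RE = re.compile(r"^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$")

def kms_key(resource, field):
    """Return the kmsKeyName held under `field`, or None when it is absent."""
    return (resource.get(field) or {}).get("kmsKeyName")

def audit_dataset(dataset, tables):
    """Return (resource, finding) pairs; an empty list means fully CMEK-protected."""
    ds_id = dataset["datasetReference"]["datasetId"]
    default_key = kms_key(dataset, "defaultEncryptionConfiguration")
    findings = []
    if not default_key:
        # Without a default key, tables created later are not CMEK-protected.
        findings.append((ds_id, "NO_DEFAULT_KEY"))
    for table in tables:
        name = f"{ds_id}.{table['tableReference']['tableId']}"
        key = kms_key(table, "encryptionConfiguration")
        if not key:
            # Typical for tables created before the dataset default was set.
            findings.append((name, "NO_CMEK"))
        elif not KEY_RE.match(key):
            findings.append((name, "BAD_KEY_NAME"))
        elif default_key and key != default_key:
            findings.append((name, "KEY_DIFFERS_FROM_DEFAULT"))
    return findings

# Constructed sample metadata (placeholder project, key ring and key names).
KEY = "projects/example-proj/locations/us/keyRings/bq-ring/cryptoKeys/bq-key"
SAMPLE_DATASET = {
    "datasetReference": {"projectId": "example-proj", "datasetId": "analytics"},
    "defaultEncryptionConfiguration": {"kmsKeyName": KEY},
}
SAMPLE_TABLES = [
    {"tableReference": {"tableId": "events"}, "encryptionConfiguration": {"kmsKeyName": KEY}},
    {"tableReference": {"tableId": "legacy_events"}},
    {"tableReference": {"tableId": "imports"},
     "encryptionConfiguration": {"kmsKeyName": KEY.replace("bq-key", "old-key")}},
]

if __name__ == "__main__":
    for resource, finding in audit_dataset(SAMPLE_DATASET, SAMPLE_TABLES):
        print(f"{resource}: {finding}")
```

An empty result for every dataset is the condition the remediation is meant to reach; any NO_CMEK entry points at a table that still needs the final step.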