Google Cloud BigQuery

Customer Managed Encryption Disabled

Ensures that BigQuery dataset tables have CMEK encryption enabled.

Risk Level: Low

Description

This plugin ensures that the Google Cloud BigQuery dataset tables are encrypted using Customer-Managed Encryption. CMEK gives you more control over the key operations compared to the Google-managed encryption keys. These keys can be created by the users using the Google Cloud Key Management Service. They can be used to encrypt the object’s data, the object’s CRC32C checksum, and the MD5 hash.

About the Service

Google Cloud BigQuery:

BigQuery is Google Cloud’s serverless data warehouse that is designed to be highly scalable and helps in ingesting, storing, analyzing, and visualizing data easily. Data can be supplied in batches or streamed in real-time, allowing for real-time insights. Big Query also supports ANSI-compliant SQL. It offers high availability and is extremely cost-effective. To know more, read here.

Impact

Google-Managed Encryption Keys is the default encryption provided whenever a new BigQuery dataset table is created. However, GMEKs offer very little flexibility and make everything is transparent to the client. CMEKs, on the other hand, allow the user to tailor the encryption to their specific requirements, resulting in greater security.

Steps to Reproduce

Using GCP Console-

  1. Log In to your GCP Console.
  2. From the top navigation bar, select the GCP project you want to investigate.
  3. From the navigation panel on the left side of the console, go to BigQuery in the Big Data section. You can use this link here to navigate directly if you’re already logged in.
  4. On the Explorer page, double click on the dataset you wish to investigate and select a table from the list displayed.
  5. Click on Details to view the configuration details of the selected table.
  6. If the table has CMEK enabled, the key resource ID will be displayed in the Customer-Managed Encryption Key field. If it is not displayed, then CMEK is disabled for the selected table.
  7. Repeat steps 4 to 6 for all the BigQuery dataset tables you want to investigate in the selected project.
  8. If you have multiple projects, repeat steps 2 to 7 for each project in your GCP Console. 

Steps for Remediation

Determine whether or not you truly require customer-managed encryption to be disabled. If not, make the necessary changes to enable it using the steps below.


Using GCP Console-

  1. Log In to your GCP Console.
  2. From the top navigation bar, select the GCP project you want to investigate.
  3. To encrypt your BigQuery dataset tables using customer-managed keys, make sure that you first create a new key that can be used for this.
    NOTE: If you already have a CMEK that you wish to use, skip to step 10.
  4. From the navigation panel on the left side of the console, go to Security under the More products section and select Key management. You can click this link here to navigate directly if you’re already logged in.
  5. To create a key, you must first create a key ring. Click on the CREATE KEY RING button on the top bar. 

    NOTE: If you already have a key ring created that you wish to use, skip to step 7.
  6. In the Create key ring page, enter your desired Key ring name and select your preferred location type. Click the CREATE button to create the new key ring.
  7. Go to the newly created key ring and select the CREATE KEY button to create a new key.
  8. In the Create key page, select Generated key as the type of key you wish to create. Next, enter your preferred key name, choose your desired protection level, and select purpose as Symmetric encrypt/decrypt.
  9. Choose your required configurations for the key rotation period and click on CREATE to create the key.
  10. Note: Encryption settings for BigQuery dataset tables can only be changed through the Command Line Interface (CLI). Therefore, ensure that you have enabled the GKE API and have Cloud SDK installed. In case you do not have Cloud SDK installed, check out the link here to install it.
    Using GCP CLI-
  • Using your account credentials, configure the GCP CLI if you haven’t already.
  • Set up your glcoud command-line tool settings by using gcloud init command or gcloud config command.
  • Run the following command to grant encryption and decryption permission.
  • gcloud projects add-iam-policy-binding KMS_PROJECT_ID

    --member serviceAccount:bq-PROJECT_NUMBER@bigquery-encryption.iam.gserviceaccount.com

    --role roles/cloudkms.cryptoKeyEncrypterDecrypter
  • The output should have the CryptoKey Encrypter/Decrypter role displayed.
  • Next, run the command shown below to copy the selected BigQuery dataset table into the original table with CMEK.
    Note: Replace the destination_kms_key parameter with the name of your desired CMEK.
bq cp -f \

--destination_kms_key projects/KMS_PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY \

DATASET_ID.TABLE_ID DATASET_ID.TABLE_ID

Note: To find the resource name of the key, go to the navigation panel on the left side of the console and click to Security under the All products section, and select Key management. Select your desired key ring and from the list of keys in that particular keyring, click the actions button (three-dot icon) and select the copy resource name option.

Repeat steps 3 to 10 for all the BigQuery dataset tables you want to reconfigure in the selected project.

If you have multiple projects, repeat steps 2 to 11 for each project in your GCP console.