Control: GCP > CIS v2.0 > 7 - BigQuery > 7.02 - Ensure That All BigQuery Tables Are Encrypted With Customer-Managed Encryption Key (CMEK)

Configures auditing against a CIS Benchmark item.

Level: 2

BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys. The data is encrypted using the data encryption keys and data encryption keys themselves are further encrypted using key encryption keys. This is seamless and do not require any additional input from the user. However, if you want to have greater control, Customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery Data Sets. If CMEK is used, the CMEK is used to encrypt the data encryption keys instead of using google-managed encryption keys.

Resource Types

This control targets the following resource types:

GCP > BigQuery > Table

Primary Policies

The following policies can be used to configure this control:

7.02 - Ensure That All BigQuery Tables Are Encrypted With Customer-Managed Encryption Key (CMEK)

In Your Workspace

Developers

Control Type URI

tmod:@turbot/gcp-cisv2-0#/control/types/r0702

Category URI

tmod:@turbot/cis#/control/categories/v071408

GraphQL

query controlType(id: "tmod:@turbot/gcp-cisv2-0#/control/types/r0702") { … }

query controls(filter: "controlTypeId:'tmod:@turbot/gcp-cisv2-0#/control/types/r0702'") { … }

CLI

Get Controls

turbot graphql controls --filter "controlTypeId:tmod:@turbot/gcp-cisv2-0#/control/types/r0702"