Policy: GCP > CIS v2.0 > 1 - Identity and Access Management > 1.17 - Ensure that Dataproc Cluster is encrypted using Customer-Managed Encryption Key

Configures auditing against a CIS Benchmark item.

Level: 2

When you use Dataproc, cluster and job data is stored on Persistent Disks (PDs) associated with the Compute Engine VMs in your cluster and in a Cloud Storage staging bucket. This PD and bucket data is encrypted using a Google-generated data encryption key (DEK) and key encryption key (KEK). The CMEK feature allows you to create, use, and revoke the key encryption key (KEK). Google still controls the data encryption key (DEK).

Resource Types

This policy targets the following resource types:

GCP > Dataproc > Cluster

Primary Policy

This policy is used with the following primary policy:

GCP > CIS v2.0 > 1 - Identity and Access Management

Controls

Policy Specification

Schema Type	`string`
Default	`Per GCP > CIS v2.0 > 1 - Identity and Access Management`
Valid Values [YAML]	`Per GCP > CIS v2.0 > 1 - Identity and Access Management` `Skip` `Check: Benchmark`

In Your Workspace

Policy Settings by Type report

Developers

Category URI

tmod:@turbot/cis#/control/categories/v071408

Policy Type URI

tmod:@turbot/gcp-cisv2-0#/policy/types/r0117

GraphQL

query policyType(id: "tmod:@turbot/gcp-cisv2-0#/policy/types/r0117") { … }

query policySettings(filter: "policyTypeId:'tmod:@turbot/gcp-cisv2-0#/policy/types/r0117'") { … }

query policyValues(filter: "policyTypeId:'tmod:@turbot/gcp-cisv2-0#/policy/types/r0117'") { … }

CLI

Get Policy Type

turbot graphql policy-type --id "tmod:@turbot/gcp-cisv2-0#/policy/types/r0117"

Get Policy Settings

turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/gcp-cisv2-0#/policy/types/r0117"