Policy: GCP > CIS v2.0 > 7 - BigQuery > 7.03 - Ensure That a Default Customer-Managed Encryption Key (CMEK) Is Specified for All BigQuery Data Sets

Configures auditing against a CIS Benchmark item.

Level: 2

BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys. The data is encrypted using the data encryption keys and data encryption keys themselves are further encrypted using key encryption keys. This is seamless and do not require any additional input from the user. However, if you want to have greater control, Customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery Data Sets.

Resource Types

This policy targets the following resource types:

GCP > BigQuery > Dataset

Primary Policy

This policy is used with the following primary policy:

GCP > CIS v2.0 > 7 - BigQuery

Controls

Policy Specification

Schema Type	`string`
Default	`Per GCP > CIS v2.0 > 7 - BigQuery`
Valid Values [YAML]	`Per GCP > CIS v2.0 > 7 - BigQuery` `Skip` `Check: Benchmark`

In Your Workspace

Policy Settings by Type report

Developers

Category URI

tmod:@turbot/cis#/control/categories/v071408

Policy Type URI

tmod:@turbot/gcp-cisv2-0#/policy/types/r0703

GraphQL

query policyType(id: "tmod:@turbot/gcp-cisv2-0#/policy/types/r0703") { … }

query policySettings(filter: "policyTypeId:'tmod:@turbot/gcp-cisv2-0#/policy/types/r0703'") { … }

query policyValues(filter: "policyTypeId:'tmod:@turbot/gcp-cisv2-0#/policy/types/r0703'") { … }

CLI

Get Policy Type

turbot graphql policy-type --id "tmod:@turbot/gcp-cisv2-0#/policy/types/r0703"

Get Policy Settings

turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/gcp-cisv2-0#/policy/types/r0703"