Turbot Guardrails Hub 
Hub
  • Mods
  • Policy Packs
  • Docs
  • Home
ModsPolicy PacksDocsHome
Mods
GCP
Loading policies...

Policy: GCP > CIS v4.0 > 7 - BigQuery > 7.02 - Ensure That All BigQuery Tables Are Encrypted With Customer-Managed Encryption Key (CMEK)

Configures auditing against a CIS Benchmark item.

Level: 2

BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys. The data is encrypted using the data encryption keys and data encryption keys themselves are further encrypted using key encryption keys. This is seamless and do not require any additional input from the user. However, if you want to have greater control, Customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery Data Sets. If CMEK is used, the CMEK is used to encrypt the data encryption keys instead of using google-managed encryption keys.

Targets

This policy targets the following resource types:

  • GCP > BigQuery > Table

Primary Policy

This policy is used with the following primary policy:

  • GCP > CIS v4.0 > 7 - BigQuery

Controls

Setting this policy configures this control:

  • GCP > CIS v4.0 > 7 - BigQuery > 7.02 - Ensure That All BigQuery Tables Are Encrypted With Customer-Managed Encryption Key (CMEK)

Policy Specification

Schema Type
string
Default
Per GCP > CIS v4.0 > 7 - BigQuery
Valid Values [YAML]
  • Per GCP > CIS v4.0 > 7 - BigQuery

  • Skip

  • Check: Benchmark

Category

  • CIS > Controls v7 > 14 Controlled Access Based on the Need to Know > 14.08 Encrypt Sensitive Information at Rest

In Your Workspace

  • Policy Settings by Type report

Developers

    Category URI
    • tmod:@turbot/cis#/control/categories/v071408
    • Policy Type URI
    • tmod:@turbot/gcp-cisv4-0#/policy/types/r0702
    • GraphQL
    • query policyType(id: "tmod:@turbot/gcp-cisv4-0#/policy/types/r0702") { … }
    • query policySettings(filter: "policyTypeId:'tmod:@turbot/gcp-cisv4-0#/policy/types/r0702'") { … }
    • query policyValues(filter: "policyTypeId:'tmod:@turbot/gcp-cisv4-0#/policy/types/r0702'") { … }
    • CLI
    • Get Policy Type
    • turbot graphql policy-type --id "tmod:@turbot/gcp-cisv4-0#/policy/types/r0702"
      • Get Policy Settings
    • turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/gcp-cisv4-0#/policy/types/r0702"
Guardrails
Guardrails Hub
  • Hub
  • Docs
  • Blog
  • Changelog
Products
  • GuardrailsGuardrails
  • PipesPipes
  • SteampipeSteampipe
  • PowerpipePowerpipe
  • FlowpipeFlowpipe
  • TailpipeTailpipe
Turbot
  • Home
  • About us
  • We're hiring!
  • Contact us
Community

Our community of practitioners love to discuss cloud governance & security.

Slack logoJoin us on Slack →

System StatusLegalSecurity
Terms of UseSecurityPrivacy
39
Mods
130
Resource Types
2,226
Policies
1,100
Controls
35
Quick Actions
83
IAM