Severity Framework
Snyk CCSS
Rule category
Data / Encryption at Rest
- Snyk ID SNYK-CC-00741
- credit Snyk Research Team
Description
Failure to specify a customer-managed encryption key for BigQuery datasets results in the use of default Google-managed keys, reducing control over data encryption and potentially leading to unauthorized data access if Google's key management infrastructure is compromised.
How to fix?
Set the default_encryption_configuration.kms_key_name attribute in the google_bigquery_dataset resource to a valid Customer-Managed Encryption Key.
Example Configuration
data "google_project" "project" {}

data "google_kms_key_ring" "my_key_ring" {
  name     = "keyring-example-714"
  location = "us-central1"
}

resource "google_kms_crypto_key" "crypto_key" {
  name     = "crypto-key-example-741-3"
  key_ring = data.google_kms_key_ring.my_key_ring.id
  purpose  = "ENCRYPT_DECRYPT"
}

# The BigQuery service agent must be able to use the key, otherwise
# dataset creation fails with a permission error on the key.
resource "google_kms_crypto_key_iam_binding" "crypto_key-role" {
  crypto_key_id = google_kms_crypto_key.crypto_key.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  members = [
    "serviceAccount:bq-${data.google_project.project.number}@bigquery-encryption.iam.gserviceaccount.com",
  ]
}

resource "google_bigquery_dataset" "allowed-dataset" {
  dataset_id                  = "example_dataset_741"
  friendly_name               = "test"
  description                 = "This is a test description"
  location                    = "us-central1"
  default_table_expiration_ms = 3600000

  # Tables created in this dataset default to the customer-managed key.
  default_encryption_configuration {
    kms_key_name = google_kms_crypto_key.crypto_key.id
  }

  depends_on = [google_kms_crypto_key_iam_binding.crypto_key-role]
}
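The check this rule performs can also be run locally against `terraform show -json tfplan` output before apply. The following is an added example, not Snyk's own checker: it reads the plan's resource_changes entries (Terraform's documented after / after_unknown layout) and reports datasets whose kms_key_name is absent, empty, or not pending from a key created in the same plan; the plan fragment is constructed.

```python
"""Flag google_bigquery_dataset resources in a Terraform plan that would
fall back to Google-managed keys (the misconfiguration this rule flags)."""
import json

# Constructed plan fragment, trimmed to the fields the check reads. The first
# dataset mirrors the fix above: its key is created in the same plan, so
# kms_key_name is unknown at plan time and shows up only in after_unknown.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "google_bigquery_dataset.allowed-dataset",
     "type": "google_bigquery_dataset",
     "change": {"actions": ["create"],
                "after": {"default_encryption_configuration": [{}]},
                "after_unknown": {"default_encryption_configuration":
                                  [{"kms_key_name": True}]}}},
    {"address": "google_bigquery_dataset.no_cmek",
     "type": "google_bigquery_dataset",
     "change": {"actions": ["create"],
                "after": {"default_encryption_configuration": []},
                "after_unknown": {}}},
    {"address": "module.analytics.google_bigquery_dataset.empty_key",
     "type": "google_bigquery_dataset",
     "change": {"actions": ["update"],
                "after": {"default_encryption_configuration":
                          [{"kms_key_name": ""}]},
                "after_unknown": {}}},
    {"address": "google_bigquery_dataset.retired",
     "type": "google_bigquery_dataset",
     "change": {"actions": ["delete"], "after": None, "after_unknown": {}}},
]})

def _key_name(blocks):
    """kms_key_name from a default_encryption_configuration block list."""
    if isinstance(blocks, list) and blocks and isinstance(blocks[0], dict):
        return blocks[0].get("kms_key_name")
    return None

def datasets_without_cmek(plan_json):
    """Return addresses of BigQuery datasets that end up without a CMEK."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change", {})
        if rc.get("type") != "google_bigquery_dataset" or change.get("actions") == ["delete"]:
            continue  # not a dataset, or one being destroyed (no key needed)
        after, unknown = change.get("after") or {}, change.get("after_unknown") or {}
        known = _key_name(after.get("default_encryption_configuration"))
        pending = _key_name(unknown.get("default_encryption_configuration")) is True
        if not known and not pending:  # absent or empty, and not computed at apply
            findings.append(rc["address"])
    return findings
```

Without the after_unknown check, a dataset that correctly references a key created in the same plan (as the configuration above does) would be reported as a false positive.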