CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of a rule.
Each rule is associated with a high-level category, for example IAM, Container, Monitoring, Logging or Network.
Failure to specify a customer-managed encryption key (CMEK) for a BigQuery dataset results in the use of Google's default managed keys. That reduces your control over how the data is encrypted and could lead to unauthorized data access if Google's key management infrastructure were compromised.
Set the default_encryption_configuration.kms_key_name attribute in the google_bigquery_dataset resource to a valid Customer-Managed Encryption Key.
# Look up the current project so the BigQuery service agent address can be built.
data "google_project" "project" {}

# Existing key ring that will hold the dataset's CMEK.
data "google_kms_key_ring" "my_key_ring" {
  name     = "keyring-example-714"
  location = "us-central1"
}

# The customer-managed key used as the dataset's default encryption key.
resource "google_kms_crypto_key" "crypto_key" {
  name     = "crypto-key-example-741-3"
  key_ring = data.google_kms_key_ring.my_key_ring.id
  purpose  = "ENCRYPT_DECRYPT"
}

# BigQuery encrypts with the key through its per-project service agent, which
# must be allowed to use the key or dataset creation fails.
resource "google_kms_crypto_key_iam_binding" "crypto_key-role" {
  crypto_key_id = google_kms_crypto_key.crypto_key.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  members = [
    "serviceAccount:bq-${data.google_project.project.number}@bigquery-encryption.iam.gserviceaccount.com",
  ]
}

# Dataset with a CMEK configured; tables created in it inherit this key.
resource "google_bigquery_dataset" "allowed-dataset" {
  dataset_id                  = "example_dataset_741"
  friendly_name               = "test"
  description                 = "This is a test description"
  location                    = "us-central1"
  default_table_expiration_ms = 3600000

  default_encryption_configuration {
    kms_key_name = google_kms_crypto_key.crypto_key.id
  }

  # Grant the key permission before the dataset is created.
  depends_on = [google_kms_crypto_key_iam_binding.crypto_key-role]
}
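The rule above can be checked before anything is applied by reading the JSON that `terraform show -json` produces for a saved plan. The following is an added example, not code from the original page or from the scanner: it reports every google_bigquery_dataset in the plan whose default_encryption_configuration has no kms_key_name. The plan document embedded below is constructed for the example (the project id example-project is a placeholder); it reuses the key names from the configuration above and covers the one edge case that trips naive checks: when the key is created in the same plan, as in the configuration above, its resource id is "known after apply" and appears under after_unknown rather than after.

```python
"""Flag BigQuery datasets in a Terraform plan that lack a customer-managed key.

Added example, not the scanner's own code. Input is the JSON from
`terraform show -json tfplan`; each entry of resource_changes carries the
planned attribute values in change.after and, for values only known after
apply (for example a key created in the same plan), a mirror structure in
change.after_unknown with True in place of the value.
"""
import json

# Constructed sample plan: a dataset whose key is created in the same plan,
# a module dataset with a literal key id, a dataset with no encryption block,
# a dataset being destroyed, and an unrelated resource.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {   # kms_key_name references google_kms_crypto_key.crypto_key.id: unknown until apply
            "address": "google_bigquery_dataset.allowed-dataset",
            "type": "google_bigquery_dataset", "name": "allowed-dataset",
            "change": {
                "actions": ["create"], "before": None,
                "after": {"dataset_id": "example_dataset_741",
                          "default_encryption_configuration": [{}]},
                "after_unknown": {"id": True,
                                  "default_encryption_configuration": [{"kms_key_name": True}]},
            },
        },
        {   # literal key resource id inside a child module
            "address": "module.analytics.google_bigquery_dataset.events",
            "module_address": "module.analytics",
            "type": "google_bigquery_dataset", "name": "events",
            "change": {
                "actions": ["create"], "before": None,
                "after": {"dataset_id": "events",
                          "default_encryption_configuration": [{"kms_key_name":
                              "projects/example-project/locations/us-central1/keyRings/"
                              "keyring-example-714/cryptoKeys/crypto-key-example-741-3"}]},
                "after_unknown": {"id": True},
            },
        },
        {   # block omitted entirely: the Google-managed default key would be used
            "address": "google_bigquery_dataset.denied-dataset",
            "type": "google_bigquery_dataset", "name": "denied-dataset",
            "change": {
                "actions": ["create"], "before": None,
                "after": {"dataset_id": "example_dataset_unencrypted",
                          "default_encryption_configuration": []},
                "after_unknown": {"id": True},
            },
        },
        {   # being destroyed: nothing to enforce
            "address": "google_bigquery_dataset.old",
            "type": "google_bigquery_dataset", "name": "old",
            "change": {"actions": ["delete"],
                       "before": {"dataset_id": "old", "default_encryption_configuration": []},
                       "after": None, "after_unknown": {}},
        },
        {   # unrelated resource type, ignored
            "address": "google_storage_bucket.logs",
            "type": "google_storage_bucket", "name": "logs",
            "change": {"actions": ["create"], "before": None,
                       "after": {"name": "logs-bucket"}, "after_unknown": {}},
        },
    ],
})


def kms_key_set(after, after_unknown):
    """True if default_encryption_configuration carries a kms_key_name that is
    either a non-empty literal or marked as known-after-apply."""
    blocks = after.get("default_encryption_configuration") or []
    unknown_blocks = after_unknown.get("default_encryption_configuration") or []
    if unknown_blocks is True:
        # Whole block is computed (e.g. from a module output); cannot be judged yet.
        return True
    for i, block in enumerate(blocks):
        if block.get("kms_key_name"):
            return True
        unknown = unknown_blocks[i] if i < len(unknown_blocks) else {}
        if isinstance(unknown, dict) and unknown.get("kms_key_name") is True:
            return True
    return False


def find_datasets_without_cmek(plan_json):
    """Return the addresses of BigQuery datasets that will exist after apply
    without a customer-managed key."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") != "google_bigquery_dataset":
            continue
        change = rc.get("change", {})
        if change.get("after") is None:       # pure delete
            continue
        if not kms_key_set(change["after"], change.get("after_unknown") or {}):
            findings.append(rc["address"])
    return findings


if __name__ == "__main__":
    for address in find_datasets_without_cmek(SAMPLE_PLAN):
        print(f"{address}: no default_encryption_configuration.kms_key_name set")
```

Run it against a real plan with `terraform plan -out tfplan && terraform show -json tfplan | python3 check_cmek.py` after replacing SAMPLE_PLAN with `sys.stdin.read()`. Because the check reads resource_changes rather than planned_values, a dataset that references a key created in the same run is correctly treated as compliant instead of producing a false positive.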