BigQuery Dataset is not encrypted with Customer-Managed Encryption Key Affecting BigQuery service in Google


Severity

0.0
medium
0
10
    Severity Framework
    Snyk CCSS
    Rule category
    Data / Encryption at Rest

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
    Frameworks
  • Snyk ID SNYK-CC-00741
  • credit Snyk Research Team

Description

Failure to specify a customer-managed encryption key for BigQuery datasets results in the use of default Google-managed keys, reducing control over data encryption and potentially leading to unauthorized data access if Google's key management infrastructure is compromised.

How to fix?

Set the default_encryption_configuration.kms_key_name attribute ingoogle_bigquery_dataset resource to a valid Customer-Managed Encryption Key.

Example Configuration

data "google_project" "project" {}

data "google_kms_key_ring" "my_key_ring" {
  name     = "keyring-example-714"
  location = "us-central1"
}

resource "google_kms_crypto_key" "crypto_key" {
  name     = "crypto-key-example-741-3"
  key_ring = data.google_kms_key_ring.my_key_ring.id
  purpose  = "ENCRYPT_DECRYPT"

}

resource "google_kms_crypto_key_iam_binding" "crypto_key-role" {
  crypto_key_id = google_kms_crypto_key.crypto_key.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"

  members = [
    "serviceAccount:bq-${data.google_project.project.number}@bigquery-encryption.iam.gserviceaccount.com",
  ]
}

resource "google_bigquery_dataset" "allowed-dataset" {
  dataset_id                  = "example_dataset_741"
  friendly_name               = "test"
  description                 = "This is a test description"
  location                    = "us-central1"
  default_table_expiration_ms = 3600000

  default_encryption_configuration {
    kms_key_name = google_kms_crypto_key.crypto_key.id
  }
  depends_on = [google_kms_crypto_key_iam_binding.crypto_key-role]
}