Ensure GCP Big Table Instances are encrypted with Customer Supplied Encryption Keys (CSEKs)

Error: GCP Big Table Instances are not encrypted with Customer Supplied Encryption Keys (CSEKs)

Bridgecrew Policy ID: BC_GCP_GENERAL_14
Checkov Check ID: CKV_GCP_85
Severity: LOW

GCP Big Table Instances are not encrypted with Customer Supplied Encryption Keys (CSEKs)

Description

Customer-Supplied Encryption Keys (CSEK) are a feature in Google Cloud Storage and Google Compute Engine. Google Compute Engine encrypts all data at rest by default. Compute Engine handles and manages this encryption automatically, with no additional action required. When you provide your own encryption keys Compute Engine uses your key to protect the Google-generated keys used to encrypt and decrypt your data. Only users that provide the correct key can use resources protected by a customer-supplied encryption key. Google does not store your keys on its servers and cannot access your protected data unless you provide the key. If you forget or lose your key Google is unable to recover the key or to recover any data encrypted with that key. To control and manage this encryption yourself, you must provide your own encryption keys.

We recommend you supply your own encryption keys for Google to use, at a minimum to encrypt business critical Big Table Instances. This helps protect the Google-generated keys used to encrypt and decrypt your data.

Fix - Runtime

TBD

Fix - Buildtime

Terraform

  • Resource: google_bigtable_instance
  • Arguments: cluster.kms_key_name
resource "google_bigtable_instance" "pass" {
  name = "tf-instance"

  cluster {
    cluster_id   = "tf-instance-cluster"
    num_nodes    = 1
    storage_type = "HDD"
    kms_key_name = google_kms_crypto_key.example.name
  }

  labels = {
    my-label = "prod-label"
  }
}