Steampipe mods are now Powerpipe →
Powerpipe Hub 
Hub
Mods
turbot/terraform_gcp_compliance
Overview
21Dashboards
132Controls
132Queries
2Variables
GitHub
Loading controls...

Control: Ensure that all BigQuery Tables are encrypted with Customer-managed encryption key (CMEK)

Description

BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys. The data is encrypted using the data encryption keys and data encryption keys themselves are further encrypted using key encryption keys. This is seamless and does not require any additional input from the user. However, if you want to have greater control, Customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery tables. If CMEK is used, the CMEK is used to encrypt the data encryption keys instead of using google-managed encryption keys.

Usage

Run the control in your terminal:

powerpipe control run terraform_gcp_compliance.control.bigquery_table_encrypted_with_cmk

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run terraform_gcp_compliance.control.bigquery_table_encrypted_with_cmk --share

SQL

This control uses a named query:

bigquery_table_encrypted_with_cmk

Tags

category = Compliance
cis = true
cis_item_id = 7.2
cis_level = 2
cis_type = automated
plugin = terraform
service = GCP/BigQuery