Ensure KMS customer managed keys are used in Google Dataflow Job

MEDIUM

Description

Using customer managed keys gives administrators control over how data is encrypted, which helps meet compliance requirements and allows a shorter, organisation-defined key rotation period. With system-generated keys, expired or exposed keys can remain in use unnoticed, leaving the data they protect insecure. It is generally recommended to use a customer managed key wherever the service supports one.

Remediation

In GCP Console -

  1. Open the GCP Portal and go to Dataflow.
  2. Select Create job from template.
  3. Under Encryption, choose Customer-managed encryption key (CMEK).
  4. Choose the Customer-managed key from the dropdown.

In Terraform -

  1. In the google_dataflow_job resource, set the attribute kms_key_name to a valid key name.
  2. Use the key format: projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY
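As an added example (not taken from this policy page or from the Terraform provider docs), the configuration below shows a google_dataflow_job that would be flagged by this rule beside one that passes, together with the key it references. The project ID, bucket names and key names are placeholders; the google_kms_crypto_key_iam_member bindings are not part of the policy text but are required by Dataflow, which otherwise cannot start a job that references a CMEK.

```hcl
# Added example; all project, bucket and key names are placeholders.
variable "project_id" { default = "my-project-id" } # placeholder
variable "region"     { default = "us-central1" }

# Non-compliant: kms_key_name is absent, so Dataflow falls back to
# Google-managed encryption and AC_GCP_0283 fires.
resource "google_dataflow_job" "noncompliant" {
  name              = "wordcount-default-encryption"
  template_gcs_path = "gs://dataflow-templates/latest/Word_Count"
  temp_gcs_location = "gs://my-bucket/tmp" # placeholder bucket
  region            = var.region
  parameters = {
    inputFile = "gs://dataflow-samples/shakespeare/kinglear.txt"
    output    = "gs://my-bucket/wordcount/output"
  }
}

# Key ring and key in the same region as the job. rotation_period is the
# customer-controlled rotation window the description refers to (90 days here).
resource "google_kms_key_ring" "dataflow" {
  name     = "dataflow-keyring"
  location = var.region
}

resource "google_kms_crypto_key" "dataflow" {
  name            = "dataflow-cmek"
  key_ring        = google_kms_key_ring.dataflow.id
  rotation_period = "7776000s"
  lifecycle {
    prevent_destroy = true # losing the key makes existing job data unreadable
  }
}

# Compliant: kms_key_name carries the key's full resource name, which has the
# projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY format.
resource "google_dataflow_job" "compliant" {
  name              = "wordcount-cmek"
  template_gcs_path = "gs://dataflow-templates/latest/Word_Count"
  temp_gcs_location = "gs://my-bucket/tmp" # placeholder bucket
  region            = var.region
  kms_key_name      = google_kms_crypto_key.dataflow.id
  parameters = {
    inputFile = "gs://dataflow-samples/shakespeare/kinglear.txt"
    output    = "gs://my-bucket/wordcount/output"
  }
}

# The Dataflow service agent and the worker service account must be allowed to
# encrypt/decrypt with the key; without these bindings the job fails to launch.
data "google_project" "this" {
  project_id = var.project_id
}

resource "google_kms_crypto_key_iam_member" "dataflow_agent" {
  crypto_key_id = google_kms_crypto_key.dataflow.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-${data.google_project.this.number}@dataflow-service-producer-prod.iam.gserviceaccount.com"
}

resource "google_kms_crypto_key_iam_member" "dataflow_worker" {
  crypto_key_id = google_kms_crypto_key.dataflow.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:${data.google_project.this.number}-compute@developer.gserviceaccount.com"
}
```

Referencing the key through google_kms_crypto_key.dataflow.id rather than a hand-written string keeps the value in the required format and makes Terraform order the key, its IAM bindings and the job correctly. The worker binding above assumes the default Compute Engine service account; if the job uses a dedicated worker service account, bind that account instead.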

References:
https://cloud.google.com/dataflow/docs/guides/customer-managed-encryption-keys#cloud_console
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dataflow_job#kms_key_name

Policy Details

Rule Reference ID: AC_GCP_0283
CSP: GCP
Remediation Available: Yes
Resource Category: Analytics
Resource Type: Dataflow

Frameworks