BigQuery Dataset Encryption Key
Service Name: Google BigQuery
Service Description: Google BigQuery is a fully-managed, serverless data warehouse that enables scalable analysis over petabytes of data. It is a platform for storing and querying massive datasets quickly using Google's infrastructure.
Service Address: https://cloud.google.com/bigquery
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the project level using VPC Service Controls or through IAM conditions.
Secret Access Scope: Grants ability to encrypt/decrypt data in BigQuery datasets, protecting sensitive information at rest.
Secret Revokement URL: https://cloud.google.com/kms/docs/rotating-keys
Secret Example: CiQAkfxgbBtYfW1+O82KGXCisnrPwSqFYzocEzKBaGAeVmGVZjUSZACu0Sv9Hn+IEwp+5H4hwX V5pzgFIbS0boBHQBRzgyhf6Bh6JKzZ
Suspicious Activity Investigation Instructions:
- Review Cloud Audit Logs for unusual encryption/decryption operations
- Check for unauthorized access to encrypted datasets
- Monitor for changes to encryption key permissions
- Examine any unusual query patterns against encrypted datasets
- Review IAM permissions for the encryption keys to identify unauthorized access
Mitigation Instructions:
- Rotate the compromised encryption key immediately
-
Create a new encryption key in Cloud KMS
-
Update BigQuery datasets to use the new encryption key
- Revoke IAM permissions from the compromised key
- Consider implementing automatic key rotation
- Review and update access controls for Cloud KMS and BigQuery
- Enable additional monitoring and alerting for encryption key usage