Skip to content

BigQuery Dataset Encryption Key

Service Name: Google BigQuery

Service Description: Google BigQuery is a fully-managed, serverless data warehouse that enables scalable analysis over petabytes of data. It is a platform for storing and querying massive datasets quickly using Google's infrastructure.

Service Address: https://cloud.google.com/bigquery

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the project level using VPC Service Controls or through IAM conditions.

Secret Access Scope: Grants ability to encrypt/decrypt data in BigQuery datasets, protecting sensitive information at rest.

Secret Revokement URL: https://cloud.google.com/kms/docs/rotating-keys

Secret Example: CiQAkfxgbBtYfW1+O82KGXCisnrPwSqFYzocEzKBaGAeVmGVZjUSZACu0Sv9Hn+IEwp+5H4hwX V5pzgFIbS0boBHQBRzgyhf6Bh6JKzZ

Suspicious Activity Investigation Instructions:

  • Review Cloud Audit Logs for unusual encryption/decryption operations
  • Check for unauthorized access to encrypted datasets
  • Monitor for changes to encryption key permissions
  • Examine any unusual query patterns against encrypted datasets
  • Review IAM permissions for the encryption keys to identify unauthorized access

Mitigation Instructions:

  • Rotate the compromised encryption key immediately
  • Create a new encryption key in Cloud KMS

  • Update BigQuery datasets to use the new encryption key

  • Revoke IAM permissions from the compromised key
  • Consider implementing automatic key rotation
  • Review and update access controls for Cloud KMS and BigQuery
  • Enable additional monitoring and alerting for encryption key usage