Ensure that your Google Cloud Dataproc clusters are encrypted with Customer-Managed Keys (CMKs) in order to have fine-grained control over the encryption and decryption of cluster data. You can create and manage your own Customer-Managed Keys (CMKs) with Cloud Key Management Service (Cloud KMS). Cloud KMS provides secure and efficient encryption key management, controlled key rotation, and revocation mechanisms.
By default, the Dataproc service encrypts all data at rest using Google-managed encryption keys. The Dataproc cluster data is encrypted using a Google-generated Data Encryption Key (DEK) and a Key Encryption Key (KEK). If you need to control and manage your cluster data encryption yourself, you can use your own Customer-Managed Keys (CMKs). Cloud KMS Customer-Managed Keys can be implemented as an additional security layer on top of existing data encryption, and are often used in the enterprise world, where compliance and security controls are very strict.
To determine if your Google Cloud Dataproc clusters are encrypted with Customer-Managed Keys (CMKs), perform the following operations:
Remediation / Resolution
To enable encryption with Cloud KMS Customer-Managed Keys (CMKs) for your Google Cloud Dataproc clusters, you have to re-create the existing Dataproc clusters with the appropriate encryption configuration by performing the following operations:
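The check and the remediation above can be scripted against the JSON that `gcloud dataproc clusters describe` returns. The following is an added example, not Conformity's own code: it reads a constructed cluster description (placeholder project, cluster and key names), reports whether the cluster's persistent disks use a Cloud KMS key (the `config.encryptionConfig.gcePdKmsKeyName` field), and cross-checks that the key lives in the cluster's region.

```python
import json
import re

# Constructed sample, shaped like the output of:
#   gcloud dataproc clusters describe NAME --region REGION --format=json
# Project, cluster and key names are placeholders, not real resources.
SAMPLE_CLUSTERS = [
    {
        "clusterName": "analytics-prod",
        "projectId": "example-project",
        "config": {
            "gceClusterConfig": {"zoneUri": "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-b"},
            "encryptionConfig": {"gcePdKmsKeyName": "projects/example-project/locations/us-central1/keyRings/dataproc-ring/cryptoKeys/dataproc-pd-key"},
        },
    },
    {   # no encryptionConfig at all: Google-managed keys (the default)
        "clusterName": "adhoc-dev",
        "projectId": "example-project",
        "config": {"gceClusterConfig": {"zoneUri": "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-a"}},
    },
]

# Cloud KMS key resource name: projects/P/locations/L/keyRings/R/cryptoKeys/K
KMS_KEY_RE = re.compile(r"^projects/([^/]+)/locations/([^/]+)/keyRings/([^/]+)/cryptoKeys/([^/]+)$")

def cluster_region(cluster):
    """Derive the region from the zone URI (us-central1-b -> us-central1)."""
    zone_uri = cluster.get("config", {}).get("gceClusterConfig", {}).get("zoneUri")
    if not zone_uri:
        return None
    return zone_uri.rsplit("/", 1)[-1].rsplit("-", 1)[0]

def check_cmek(cluster):
    """Return (cluster name, status, detail) for the CMEK rule."""
    name = cluster["clusterName"]
    key = cluster.get("config", {}).get("encryptionConfig", {}).get("gcePdKmsKeyName")
    if not key:
        return (name, "NONCOMPLIANT", "persistent disks encrypted with Google-managed keys")
    m = KMS_KEY_RE.match(key)
    if not m:
        return (name, "NONCOMPLIANT", f"unexpected key resource name: {key}")
    region = cluster_region(cluster)
    if region and m.group(2) != region:  # Dataproc expects the key in the cluster's region
        return (name, "REVIEW", f"key location {m.group(2)} differs from cluster region {region}")
    return (name, "COMPLIANT", f"keyRing={m.group(3)} cryptoKey={m.group(4)}")

def audit(clusters):
    return [check_cmek(c) for c in clusters]

if __name__ == "__main__":
    # Remediation is a re-create, e.g.:
    #   gcloud dataproc clusters create NAME --region REGION --gce-pd-kms-key KEY ...
    print(json.dumps(audit(SAMPLE_CLUSTERS), indent=2))
```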
Enable Dataproc Cluster Encryption with Customer-Managed Keys
Risk level: High