End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™

Enable Customer-Managed Encryption Keys (CMEK) for AlloyDB Clusters


Risk Level: High (not acceptable risk)
Rule ID: AlloyDB-002

Ensure that your Google Cloud Platform (GCP) AlloyDB database clusters are encrypted using customer-managed encryption keys (CMEK) instead of the default Google-managed encryption keys. AlloyDB data is always encrypted at rest; CMEK does not change that, but it moves control of the key to your organization, which can create, rotate, disable, and manage the key through Cloud Key Management Service (Cloud KMS) and restrict who may use it. This helps meet regulatory requirements that call for customer-controlled key management and gives your organization ownership of the encryption strategy. CMEK supports software-protected symmetric keys, Cloud Hardware Security Module (HSM) keys, and Cloud External Key Manager (Cloud EKM) keys. The encryption key must be created in the same Cloud KMS location (region) as the AlloyDB cluster that uses it.

Security

By using customer-managed encryption keys (CMEK) for AlloyDB clusters, organizations gain control over their encryption keys and data protection strategy. CMEK lets you choose the key's protection level (software, HSM, or external), location, rotation schedule, and access permissions through Cloud KMS, so that encryption practices align with organizational security policies and compliance requirements. Because AlloyDB can only decrypt cluster data while its service agent holds the Encrypter/Decrypter role on the key, the key's IAM policy becomes an additional control over who (and which service) can reach the data. Key usage can be traced in Cloud Audit Logs; note that Cloud KMS Data Access logs, which record encrypt and decrypt calls, are not enabled by default and must be turned on for the project. CMEK also provides the ability to render data inaccessible by disabling or destroying the key, an additional lever during a suspected breach or when offboarding a workload. Without CMEK, organizations rely entirely on Google-managed keys, which may not satisfy compliance frameworks or internal security standards that require customer-controlled key management.

Important: If a Cloud KMS key is deleted, any AlloyDB clusters encrypted with that key become permanently inaccessible and the data cannot be recovered. If a Cloud KMS key is disabled, AlloyDB instances will experience downtime within 30 minutes. If Cloud KMS becomes unavailable for more than 30 minutes, AlloyDB will take the cluster offline. Additionally, AlloyDB clusters do not automatically re-encrypt themselves with newer key versions after rotation; full data re-encryption requires a manual backup and restore operation to a new cluster.


Audit

To determine if your AlloyDB clusters are encrypted with customer-managed encryption keys (CMEK), perform the following operations:

Using GCP Console

  1. Sign in to Google Cloud Management Console.

  2. Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

  3. Navigate to AlloyDB for PostgreSQL console available at https://console.cloud.google.com/alloydb.

  4. In the Clusters tab, review the Encryption column for each AlloyDB cluster listed in the selected project.

  5. If the Encryption column displays Google-managed, the selected AlloyDB cluster is using Google-managed encryption keys instead of customer-managed encryption keys (CMEK), therefore the cluster configuration is not compliant.

  6. Repeat steps no. 4 – 5 for each AlloyDB cluster available in the selected project.

  7. Repeat steps no. 2 – 6 for each project available within your Google Cloud account.

Using GCP CLI

  1. Run projects list command (Windows/macOS/Linux) to list all the project IDs available in your Google Cloud account:

    gcloud projects list \
        --format="table(projectId)"
    
  2. The command output should return the requested GCP project identifiers:

    PROJECT_ID
    cc-web-project-112233
    cc-data-project-445566
    
  3. Run alloydb clusters list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter and a custom output format to list the short names and regions of all AlloyDB clusters available in the selected project (when --region is omitted, clusters in all regions are listed; the cluster name returned by the API is a full resource path, so the format below extracts the cluster ID and the region segment from it):

    gcloud alloydb clusters list \
        --project cc-web-project-112233 \
        --format="table(name.basename():label=NAME,name.segment(3):label=REGION)"
    
  4. The command output should return the requested AlloyDB cluster information:

    NAME                    REGION
    cc-prod-alloydb-cluster us-central1
    cc-dev-alloydb-cluster  us-east1
    
  5. Run alloydb clusters describe command (Windows/macOS/Linux) using the name and region of the AlloyDB cluster that you want to examine:

    gcloud alloydb clusters describe cc-prod-alloydb-cluster \
        --region us-central1 \
        --project cc-web-project-112233 \
        --format=json
    
  6. The command output should return the cluster configuration metadata as JSON:

    {
    	"name": "projects/cc-web-project-112233/locations/us-central1/clusters/cc-prod-alloydb-cluster",
    	"uid": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
    	"createTime": "2024-11-15T10:30:00.123456Z",
    	"updateTime": "2024-11-15T10:45:00.123456Z",
    	"state": "READY",
    	"clusterType": "PRIMARY",
    	"databaseVersion": "POSTGRES_14",
    	"network": "projects/cc-web-project-112233/global/networks/default",
    	"encryptionConfig": {},
    	"encryptionInfo": {
    		"encryptionType": "GOOGLE_DEFAULT_ENCRYPTION"
    	}
    }
    
  7. Check the encryptionInfo.encryptionType attribute value in the command output. If encryptionInfo.encryptionType is set to GOOGLE_DEFAULT_ENCRYPTION (or the encryptionInfo section is absent), as shown in the output example above, the selected AlloyDB cluster is encrypted with Google-managed encryption keys instead of customer-managed encryption keys (CMEK), therefore the cluster configuration is not compliant. If encryptionInfo.encryptionType is set to CUSTOMER_MANAGED_ENCRYPTION, the cluster is using CMEK; in that case encryptionConfig.kmsKeyName holds the Cloud KMS key resource name and encryptionInfo.kmsKeyVersions lists the key version(s) currently protecting the cluster data.

  8. Repeat steps no. 5 – 7 to verify the encryption configuration for other AlloyDB clusters available in the selected project.

  9. Repeat steps no. 3 – 8 for each project available within your Google Cloud account.
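The CLI audit above can be scripted so that every project and region is covered in one pass. The following is an added example and is not code from this page, from Trend Micro, or from Google: assess_cluster() applies the same test the audit performs by hand on encryptionInfo.encryptionType (failing closed when the block is missing), and audit_all_projects() gathers the cluster records through gcloud, which needs network access and credentials. The SAMPLE_CLUSTERS records are constructed to show both outcomes and do not describe real clusters.

```python
"""Scripted check for rule AlloyDB-002 (CMEK on AlloyDB clusters).

Added example, not code from the Conformity page, Trend Micro or Google.
Sample records are constructed; run with --live to query gcloud instead.
"""
from __future__ import annotations

import json
import subprocess
import sys
from dataclasses import dataclass
from typing import Optional

COMPLIANT_TYPE = "CUSTOMER_MANAGED_ENCRYPTION"


@dataclass(frozen=True)
class Finding:
    project: str
    region: str
    cluster: str
    encryption_type: str
    kms_key: Optional[str]
    compliant: bool


def parse_cluster_name(name: str) -> tuple[str, str, str]:
    """Split projects/P/locations/R/clusters/C into (P, R, C)."""
    parts = name.split("/")
    if len(parts) != 6 or parts[0::2] != ["projects", "locations", "clusters"]:
        raise ValueError(f"unexpected cluster resource name: {name!r}")
    return parts[1], parts[3], parts[5]


def assess_cluster(cluster: dict) -> Finding:
    """Evaluate one cluster record as printed by `gcloud ... --format=json`."""
    project, region, short = parse_cluster_name(cluster["name"])
    info = cluster.get("encryptionInfo") or {}
    # A missing encryptionInfo block is treated as Google-managed (fail closed).
    enc_type = info.get("encryptionType", "GOOGLE_DEFAULT_ENCRYPTION")
    kms_key = (cluster.get("encryptionConfig") or {}).get("kmsKeyName")
    compliant = enc_type == COMPLIANT_TYPE and bool(kms_key)
    return Finding(project, region, short, enc_type, kms_key, compliant)


def audit_records(clusters: list[dict]) -> list[Finding]:
    return [assess_cluster(c) for c in clusters]


def non_compliant(findings: list[Finding]) -> list[Finding]:
    return [f for f in findings if not f.compliant]


def gcloud_json(*args: str) -> list:
    """Run a gcloud command with --format=json and parse its output (network call)."""
    proc = subprocess.run(["gcloud", *args, "--format=json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout or "[]")


def audit_all_projects() -> list[Finding]:
    """Steps 1-9 of the CLI audit over every project; clusters list covers all regions."""
    findings: list[Finding] = []
    for project in gcloud_json("projects", "list"):
        pid = project["projectId"]
        try:
            clusters = gcloud_json("alloydb", "clusters", "list", f"--project={pid}")
        except subprocess.CalledProcessError as exc:
            # Typically the AlloyDB API is not enabled in this project; report and move on.
            print(f"skipping {pid}: {exc.stderr.strip()}", file=sys.stderr)
            continue
        findings.extend(audit_records(clusters))
    return findings


# Constructed sample records mirroring the gcloud JSON shape (not real clusters).
SAMPLE_CLUSTERS = [
    {
        "name": "projects/cc-web-project-112233/locations/us-central1/clusters/cc-prod-alloydb-cluster",
        "state": "READY",
        "encryptionInfo": {"encryptionType": "GOOGLE_DEFAULT_ENCRYPTION"},
    },
    {
        "name": "projects/cc-web-project-112233/locations/us-central1/clusters/cc-prod-alloydb-cluster-cmek",
        "state": "READY",
        "encryptionConfig": {"kmsKeyName": "projects/cc-web-project-112233/locations/us-central1/keyRings/cc-alloydb-keyring/cryptoKeys/cc-alloydb-cmek-key"},
        "encryptionInfo": {
            "encryptionType": "CUSTOMER_MANAGED_ENCRYPTION",
            "kmsKeyVersions": ["projects/cc-web-project-112233/locations/us-central1/keyRings/cc-alloydb-keyring/cryptoKeys/cc-alloydb-cmek-key/cryptoKeyVersions/1"],
        },
    },
    {   # no encryptionInfo at all: treated as Google-managed, not compliant
        "name": "projects/cc-data-project-445566/locations/us-east1/clusters/cc-dev-alloydb-cluster",
        "state": "READY",
    },
]


def report(findings: list[Finding]) -> None:
    for f in findings:
        status = "COMPLIANT" if f.compliant else "NOT COMPLIANT"
        print(f"{f.project}/{f.region}/{f.cluster}: {f.encryption_type} -> {status}")


if __name__ == "__main__":
    report(audit_all_projects() if "--live" in sys.argv else audit_records(SAMPLE_CLUSTERS))
```

Without --live the script evaluates the constructed samples only, which is a convenient way to check the rule logic before pointing it at real projects.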

Remediation / Resolution

To enable customer-managed encryption keys (CMEK) for your Google Cloud AlloyDB clusters, you must create a new AlloyDB cluster with CMEK configured, migrate your data from the existing cluster to the new cluster, and then delete the old cluster. Before creating the new cluster, you must create a Cloud KMS encryption key and grant the AlloyDB service agent the necessary permissions to use the key. Perform the following operations:

Note: AlloyDB does not support changing the encryption type of an existing cluster from Google-managed keys to customer-managed encryption keys (CMEK). You must create a new cluster with CMEK enabled and migrate your data. Ensure that you have appropriate backup and migration strategies in place before proceeding. The Cloud KMS encryption key must be created in the same region as the AlloyDB cluster, and the AlloyDB service agent must hold the Cloud KMS CryptoKey Encrypter/Decrypter role on it before the cluster is created. Disabling or destroying the CMEK key afterwards makes the cluster data inaccessible.

Using GCP Console

  1. Sign in to Google Cloud Management Console.

  2. Select the Google Cloud Platform (GCP) project that contains the AlloyDB cluster you want to reconfigure from the console top navigation bar.

  3. Step 1: Create a Cloud KMS Encryption Key

    Navigate to Key Management console available at https://console.cloud.google.com/security/kms.

  4. If you don't have an existing key ring in the same region as your AlloyDB cluster, click Create key ring and perform the following:

    1. For Key ring name, provide a unique name for the key ring (e.g., cc-alloydb-keyring).
    2. For Location type, select Region.
    3. For Region, select the same region where your AlloyDB cluster is located (e.g., us-central1).
    4. Click Create to create the key ring.
  5. Select the key ring you created or an existing key ring in the same region as your AlloyDB cluster.

  6. Click Create key and perform the following operations:

    1. For Key name, provide a unique name for the encryption key (e.g., cc-alloydb-cmek-key).
    2. For Protection level, select Software, HSM, or External based on your security requirements.
    3. For Key material, ensure Generated key is selected.
    4. For Purpose, select Symmetric encrypt/decrypt.
    5. (Optional) Configure Rotation period to automatically rotate the key at specified intervals.
    6. Click Create to create the encryption key.
  7. Step 2: Grant AlloyDB Service Agent Permissions

    In the Google Cloud Console, click on Activate Cloud Shell icon in the top-right corner to open Cloud Shell.

  8. Run the following command to create the AlloyDB service agent identity:

    gcloud beta services identity create --service=alloydb.googleapis.com --project=cc-web-project-112233
    
  9. The command output will return the service agent email address:

    Service identity created: service-123456789012@gcp-sa-alloydb.iam.gserviceaccount.com
    
  10. Run the following command to grant the service agent the Cloud KMS CryptoKey Encrypter/Decrypter role on your encryption key:

    gcloud kms keys add-iam-policy-binding cc-alloydb-cmek-key --location us-central1 --keyring cc-alloydb-keyring --project=cc-web-project-112233 --member serviceAccount:service-123456789012@gcp-sa-alloydb.iam.gserviceaccount.com --role roles/cloudkms.cryptoKeyEncrypterDecrypter
    
  11. Step 3: Create a New AlloyDB Cluster with CMEK

    Navigate to AlloyDB for PostgreSQL console available at https://console.cloud.google.com/alloydb.

  12. Click Create cluster to begin creating a new AlloyDB cluster.

  13. On the Create an AlloyDB cluster page, provide the following information:

    1. For Cluster ID, provide a unique identifier for the new cluster (e.g., cc-prod-alloydb-cluster-cmek).
    2. For Password, set the password for the default postgres user.
    3. For Network, select the VPC network for your cluster in the Connectivity section.
    4. For Region, select the same region where you created the Cloud KMS encryption key.
  14. Expand the Advanced encryption options section and perform the following:

    1. Select Customer-managed encryption key (CMEK).
    2. Click Browse to select the Cloud KMS encryption key you created earlier, or manually enter the key resource name in the format: projects/PROJECT_ID/locations/REGION/keyRings/KEY_RING/cryptoKeys/KEY_NAME.
  15. Configure other cluster settings (instance configuration, machine type, storage, etc.) to match your requirements.

  16. Click Create cluster to create the new AlloyDB cluster with CMEK encryption enabled.

  17. Wait for the cluster creation to complete. The cluster state will change to Ready when it's available.

  18. Step 4: Migrate Data and Remove Old Cluster

    Migrate your data from the old AlloyDB cluster (encrypted with Google-managed keys) to the new cluster (encrypted with CMEK) using database backup and restore, logical replication, or database migration tools.

  19. After verifying that all data has been successfully migrated and the new cluster is functioning correctly, you can delete the old cluster that uses Google-managed encryption.

  20. Repeat steps no. 3 – 19 for other AlloyDB clusters that are encrypted with Google-managed keys.

  21. Repeat steps no. 2 – 20 for each project available within your Google Cloud account.

Using GCP CLI

  1. Step 1: Create a Cloud KMS Encryption Key

    Run kms keyrings create command (Windows/macOS/Linux) to create a new key ring in the same region as your AlloyDB cluster (see Audit section part II to identify the cluster region):

    gcloud kms keyrings create cc-alloydb-keyring \
        --location us-central1 \
        --project cc-web-project-112233
    
  2. Run kms keys create command (Windows/macOS/Linux) to create a new symmetric encryption key in the key ring:

    gcloud kms keys create cc-alloydb-cmek-key \
        --keyring cc-alloydb-keyring \
        --location us-central1 \
        --purpose encryption \
        --protection-level software \
        --project cc-web-project-112233
    
  3. Step 2: Grant AlloyDB Service Agent Permissions

    Run beta services identity create command (Windows/macOS/Linux) to create the AlloyDB service agent identity:

    gcloud beta services identity create \
        --service=alloydb.googleapis.com \
        --project=cc-web-project-112233
    
  4. The command output should return the service agent email address:

    Service identity created: service-123456789012@gcp-sa-alloydb.iam.gserviceaccount.com
    
  5. Run kms keys add-iam-policy-binding command (Windows/macOS/Linux) to grant the AlloyDB service agent the Cloud KMS CryptoKey Encrypter/Decrypter role:

    gcloud kms keys add-iam-policy-binding cc-alloydb-cmek-key \
        --location us-central1 \
        --keyring cc-alloydb-keyring \
        --project=cc-web-project-112233 \
        --member serviceAccount:service-123456789012@gcp-sa-alloydb.iam.gserviceaccount.com \
        --role roles/cloudkms.cryptoKeyEncrypterDecrypter
    
  6. The command output should confirm the IAM policy binding:

    Updated IAM policy for key [cc-alloydb-cmek-key].
    bindings:
    - members:
      - serviceAccount:service-123456789012@gcp-sa-alloydb.iam.gserviceaccount.com
      role: roles/cloudkms.cryptoKeyEncrypterDecrypter
    
  7. Step 3: Create a New AlloyDB Cluster with CMEK

    Run alloydb clusters create command (Windows/macOS/Linux) to create a new AlloyDB cluster with CMEK encryption enabled. The --kms-key flag takes the full key resource name; the initial postgres password passed via --password is recorded in your shell history, so change it once the cluster is up:

    gcloud alloydb clusters create cc-prod-alloydb-cluster-cmek \
        --region us-central1 \
        --network=projects/cc-web-project-112233/global/networks/default \
        --password=YOUR_POSTGRES_PASSWORD \
        --kms-key=projects/cc-web-project-112233/locations/us-central1/keyRings/cc-alloydb-keyring/cryptoKeys/cc-alloydb-cmek-key \
        --project cc-web-project-112233
    
  8. The command output should confirm the cluster creation operation:

    Create request issued for: [cc-prod-alloydb-cluster-cmek]
    Waiting for operation [projects/cc-web-project-112233/locations/us-central1/operations/operation-1234567890] to complete...done.
    Created cluster [cc-prod-alloydb-cluster-cmek].
    
  9. Run alloydb clusters describe command (Windows/macOS/Linux) to verify that CMEK is enabled for the new cluster:

    gcloud alloydb clusters describe cc-prod-alloydb-cluster-cmek \
        --region us-central1 \
        --project cc-web-project-112233 \
        --format="json(encryptionInfo)"
    
  10. The command output should confirm that CMEK is enabled:

    {
    	"encryptionInfo": {
    		"encryptionType": "CUSTOMER_MANAGED_ENCRYPTION",
    		"kmsKeyVersions": [
    			"projects/cc-web-project-112233/locations/us-central1/keyRings/cc-alloydb-keyring/cryptoKeys/cc-alloydb-cmek-key/cryptoKeyVersions/1"
    		]
    	}
    }
    
  11. Step 4: Create Primary Instance and Migrate Data

    Create a primary instance for the new cluster and configure it according to your requirements.

    gcloud alloydb instances create cc-prod-alloydb-instance-1 \
        --cluster=cc-prod-alloydb-cluster-cmek \
        --region us-central1 \
        --instance-type=PRIMARY \
        --cpu-count=2 \
        --project cc-web-project-112233
    
  12. Migrate your data from the old AlloyDB cluster to the new cluster with CMEK using database backup and restore, logical replication, or database migration tools.

  13. After verifying the data migration, delete the old cluster that uses Google-managed encryption.

  14. Repeat steps no. 1 – 13 for other AlloyDB clusters that are encrypted with Google-managed keys.

  15. Repeat steps no. 1 – 14 for each project available within your Google Cloud account.
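The remediation depends on a few conditions that are easy to get wrong and only surface as a failed create or, worse, a cluster that goes offline later: the key must live in the cluster's region, be a symmetric encrypt/decrypt key with an enabled primary version, and be usable by the AlloyDB service agent. The following is an added example and is not code from this page, from Trend Micro, or from Google. It checks those conditions against dicts shaped like the JSON that gcloud kms keys describe, gcloud kms keys get-iam-policy and gcloud alloydb clusters describe print with --format=json, and it also covers the rotation caveat from the Security section: stale_key_version() reports a cluster whose recorded key version is no longer the key's primary version, which is the signal that a backup and restore is needed to re-encrypt. The project number 123456789012 and all sample records are constructed.

```python
"""Pre-flight checks before creating a CMEK-protected AlloyDB cluster.

Added example, not code from the Conformity page, Trend Micro or Google.
Inputs mirror gcloud --format=json output; all sample records are constructed.
"""
from __future__ import annotations

import re

ROLE = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
KEY_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/(?P<ring>[^/]+)/cryptoKeys/(?P<key>[^/]+)$"
)


def alloydb_service_agent(project_number: str) -> str:
    """IAM member string for the agent that `gcloud beta services identity create` reports."""
    return f"serviceAccount:service-{project_number}@gcp-sa-alloydb.iam.gserviceaccount.com"


def key_location(kms_key: str) -> str:
    """Extract the Cloud KMS location from a full key resource name."""
    m = KEY_RE.match(kms_key)
    if not m:
        raise ValueError(f"not a Cloud KMS key resource name: {kms_key!r}")
    return m.group("location")


def has_binding(policy: dict, member: str, role: str) -> bool:
    """True if the IAM policy (gcloud kms keys get-iam-policy) grants role to member."""
    return any(
        b.get("role") == role and member in b.get("members", [])
        for b in policy.get("bindings", [])
    )


def preflight(cluster_region: str, kms_key: str, key: dict,
              policy: dict, project_number: str) -> list[str]:
    """Return every problem that would break cluster creation or later availability."""
    problems: list[str] = []
    loc = key_location(kms_key)
    if loc != cluster_region:
        problems.append(f"key is in {loc} but the cluster region is {cluster_region}")
    if key.get("purpose") != "ENCRYPT_DECRYPT":
        problems.append(f"key purpose is {key.get('purpose')}, need ENCRYPT_DECRYPT")
    primary = key.get("primary") or {}
    if primary.get("state") != "ENABLED":
        # A disabled or destroyed primary version takes the cluster offline.
        problems.append(f"primary key version state is {primary.get('state')}, not ENABLED")
    agent = alloydb_service_agent(project_number)
    if not has_binding(policy, agent, ROLE):
        problems.append(f"{agent} lacks {ROLE} on the key")
    return problems


def stale_key_version(cluster: dict, key: dict) -> bool:
    """True when the cluster still uses a key version that is no longer the key's primary.

    AlloyDB keeps the version it was created with after a rotation; only a
    backup and restore into a new cluster re-encrypts with the new primary.
    """
    used = set((cluster.get("encryptionInfo") or {}).get("kmsKeyVersions", []))
    primary = (key.get("primary") or {}).get("name")
    return bool(used) and primary not in used


# Constructed samples (hypothetical project number 123456789012).
KMS_KEY = ("projects/cc-web-project-112233/locations/us-central1/keyRings/"
           "cc-alloydb-keyring/cryptoKeys/cc-alloydb-cmek-key")
SAMPLE_KEY = {          # shape of `gcloud kms keys describe --format=json`
    "name": KMS_KEY,
    "purpose": "ENCRYPT_DECRYPT",
    "primary": {"name": KMS_KEY + "/cryptoKeyVersions/2", "state": "ENABLED"},
}
SAMPLE_POLICY = {       # shape of `gcloud kms keys get-iam-policy --format=json`
    "bindings": [{"role": ROLE, "members": [alloydb_service_agent("123456789012")]}],
    "version": 1,
}
SAMPLE_CLUSTER = {      # shape of `gcloud alloydb clusters describe --format=json`
    "name": "projects/cc-web-project-112233/locations/us-central1/clusters/cc-prod-alloydb-cluster-cmek",
    "encryptionConfig": {"kmsKeyName": KMS_KEY},
    "encryptionInfo": {
        "encryptionType": "CUSTOMER_MANAGED_ENCRYPTION",
        "kmsKeyVersions": [KMS_KEY + "/cryptoKeyVersions/1"],   # created before rotation to v2
    },
}

if __name__ == "__main__":
    for p in preflight("us-central1", KMS_KEY, SAMPLE_KEY, SAMPLE_POLICY, "123456789012"):
        print("problem:", p)
    print("stale key version:", stale_key_version(SAMPLE_CLUSTER, SAMPLE_KEY))
```

In practice you would feed preflight() the output of gcloud kms keys describe and gcloud kms keys get-iam-policy for the key, and the project number from gcloud projects describe; running it before step 7 turns the "same region" and "service agent permission" requirements into a fast fail instead of a failed create or a silently unavailable cluster.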


Publication date Jan 14, 2026