Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™
Logo of TrendAI
Use the Knowledge Base AI to help improve your Cloud Posture

Use Customer-Managed Encryption Keys for Document AI Processors

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: DocumentAI-005

Ensure that the data managed by Google Cloud Document AI processors is encrypted with a Customer-Managed Encryption Key (CMEK) instead of a Google-managed encryption key. When you enable encryption at rest with CMEK for an Document AI processor in your Google Cloud Platform (GCP) project, all documents managed by the AI processor are fully encrypted with the CMEK. Customer-Managed Encryption Keys provide greater control over the encryption and decryption process, helping you meet stringent compliance requirements.

Security

By default, Google Cloud Platform (GCP) encrypts all data using Google-managed encryption keys. This type of encryption is handled by GCP without any additional effort from you or your application. However, if you prefer to have full control over data encryption, you can use your own Customer-Managed Encryption Key (CMEK). To create and manage your own CMEKs, utilize Cloud Key Management Service (Cloud KMS). Cloud KMS offers secure and efficient encryption key management, including controlled key rotation and revocation mechanisms.

Audit

To determine if your Google Cloud Document AI processors are protected with Customer-Managed Encryption Keys (CMEKs), perform the following operations:

Checking Document AI processors for encryption with Customer-Managed Encryption Key (CMEK) using GCP Command Line Interface (CLI) is not currently supported.

Using GCP Console

  1. Sign in to the Google Cloud Management Console.

  2. Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

  3. Navigate to Document AI console available at https://console.cloud.google.com/ai/document-ai/.

  4. In the left navigation panel, under Processors, choose My Processors to access the list of Document AI processors available for the selected GCP project.

  5. Click on the name (link) of the Document AI processor that you want to examine, listed in the Name column.

  6. Choose the Overview tab to access the processor configuration information.

  7. In the Basic information section, check the Encryption Type attribute value to determine the type of the encryption key used by the selected resource. If the Encryption Type attribute value is set to Google-managed, the data managed by the selected Document AI processor is not encrypted using a Cloud KMS Customer-Managed Encryption Key (CMEK).

  8. Repeat step no. 5 - 7 for each Document AI processor available within the selected GCP project.

  9. Repeat steps no. 2 - 8 for each GCP project deployed within your Google Cloud account.

Remediation / Resolution

Encryption with Customer-Managed Encryption Keys (CMEKs) is only available during processor creation. To enable encryption with CMEK for your new Google Cloud Document AI processors, perform the following operations:

Using GCP Console

  1. Sign in to the Google Cloud Management Console.

  2. Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

  3. To create and configure your new Customer-Managed Encryption Key (CMEK), perform the following actions:

    1. Navigate to Key management console available at https://console.cloud.google.com/security/kms.
    2. Before you can set up and configure your Customer-Managed Encryption Key (CMEK), you must create a key ring. A Cloud KMS key ring is a grouping of cryptographic keys made available for organizational purposes in a specific location. To get started, choose CREATE KEY RING to set up the required key ring.
    3. A key ring requires a name and a location. On the Create key ring setup page, provide a unique name in the Key ring name box, select the key location type from the Location type list, then choose the appropriate key location from the Region/Multi-region dropdown list. The location can be either multi-region or associated with a particular region. If the CMEKs created later within this key ring will be used to encrypt/decrypt data in a particular region, select that region as the key ring location. Choose CREATE to deploy the new key ring.
    4. On the Create key setup page, provide the following information:
      1. For Name and protection level, provide a unique name for your new KMS key in the Key name box and choose the protection level that you want to use from the Protection Level dropdown list. Choose CONTINUE to continue the setup process.
      2. For Key material, choose Generated key to generate the key material for you (recommended). Choose CONTINUE.
      3. For Purpose and algorithm, choose Symmetric encrypt/decrypt to define the types of operations that your cryptographic key can perform. Choose CONTINUE to continue the setup.
      4. For Versions, configure the key rotation period as necessary. Choose CONTINUE.
      5. For Additional settings (optional), set the duration for the scheduled for destruction (i.e., soft deleted) state before the key is removed from the system. Choose ADD LABEL and use the Key and Value text fields to create labels in order to organize the identity of the new key.
      6. Choose CREATE to deploy your new Cloud KMS Customer-Managed Encryption Key (CMEK).

  4. Navigate to Document AI console available at https://console.cloud.google.com/ai/document-ai/.

  5. In the left navigation panel, under Processors, select My Processors, choose CREATE CUSTOM PROCESSOR, and perform the following operations to create a new custom AI processor:

    1. Select the Document AI processor type that best fits your requirements and choose CREATE PROCESSOR.
    2. For Processor name, provide a unique name for your custom AI processor.
    3. For Region, choose the region where your processor and its dataset will be stored.
    4. Choose ADVANCED OPTIONS, and perform the following actions:
      1. For Storage location, select the appropriate storage location for the processor dataset.
      2. For Encryption, choose Cloud KMS key, select Cloud KMS for Key management type, and choose the name of your new Customer-Managed Encryption Key (CMEK) from the Select a Cloud KMS key dropdown list. Inside the \ service account does not have the "cloudkms.cryptoKeyEncrypterDecrypter" role. Verify the service account has permission to encrypt/decrypt with the selected key box, choose GRANT to grant the associated service account access to your key using the Cloud KMS CryptoKey Encrypter/Decrypter role.
    5. Choose CREATE to create your new CMEK-encrypted Document AI processor.

  6. To deploy a CMEK-encrypted processor from the Document AI processor gallery, choose Processor gallery from the left navigation panel, select the processor model that you want to use and follow the setup steps, as outlined in step no. 5, to create your new CMEK-encrypted Document AI processor.

  7. Repeat steps no. 5 and 6 for each Document AI processor that you want to deploy for the selected GCP project.

  8. Repeat steps no. 2 – 7 for each GCP project available in your Google Cloud account.

References

Publication date Jul 28, 2025

Related DocumentAI rules