Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™
Logo of TrendAI
Use the Knowledge Base AI to help improve your Cloud Posture

Use Customer-Managed Encryption Keys for Eventarc Pipeline Encryption

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that the data sent through an Eventarc pipeline (also known as Eventarc Advanced pipeline) is encrypted with a Customer-Managed Encryption Key (CMEK) instead of a Google-managed encryption key. When you enable encryption with CMEK for an Eventarc pipeline in your Google Cloud Platform (GCP) project, all messages that pass through the pipeline are fully encrypted with the CMEK. Customer-Managed Encryption Keys provide greater control over the encryption and decryption process, helping you meet stringent compliance requirements.

Security

By default, Google Cloud Platform (GCP) encrypts all data using Google-managed encryption keys. This type of encryption is handled by GCP without any additional effort from you or your application. However, if you prefer to have full control over data encryption, you can use your own Customer-Managed Encryption Key (CMEK). To create and manage your own CMEKs, utilize Cloud Key Management Service (Cloud KMS). Cloud KMS offers secure and efficient encryption key management, including controlled key rotation and revocation mechanisms.

Audit

To determine if your Google Cloud Eventarc pipelines are protected with Customer-Managed Encryption Keys (CMEKs), perform the following operations:

Using GCP Console

  1. Sign in to the Google Cloud Management Console.

  2. Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

  3. Navigate to Eventarc console available at https://console.cloud.google.com/eventarc/.

  4. In the left navigation panel, under Advanced, choose Pipelines to access the list of Google Cloud Eventarc pipelines available for the selected GCP project.

  5. Click on the name (link) of the Eventarc pipeline that you want to examine, listed in the Name column. A pipeline is a delivery resource between an Eventarc bus and a destination.

  6. In the Pipeline details section, check the Encryption attribute value to determine the type of the encryption key used by the selected resource. If the Encryption attribute value is Event messages encrypted using Google-managed encryption keys, the messages that pass through the selected Eventarc pipeline are not encrypted using a Cloud KMS Customer-Managed Encryption Key (CMEK).

  7. Repeat step no. 5 and 6 for each Eventarc pipeline available within the selected GCP project.

  8. Repeat steps no. 2 - 7 for each GCP project deployed within your Google Cloud account.

Using GCP CLI

  1. Run projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each project available in your Google Cloud Platform (GCP) account:

    gcloud projects list
	--format="table(projectId)"

  2. The command output should return the requested GCP project IDs:

    PROJECT_ID
cc-web-project-123123
cc-ai-project-112233
cc-dev-project-112233

  3. Run eventarc pipelines list command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter and custom output filters to list the Eventarc message pipelines created for the selected project:

    gcloud beta eventarc pipelines list
	--project=cc-web-project-123123
	--format="default(name)"

  4. The command request should return the requested pipeline IDs (i.e., fully qualified identifiers):

    ---
name: projects/cc-web-project-123123/locations/us-central1/pipelines/cc-project5-eventarc-pipeline
---
name: projects/cc-web-project-123123/locations/us-central1/pipelines/cc-project5-staging-pipeline

  5. Run eventarc pipelines describe command (Windows/macOS/Linux) with the ID of the Eventarc message pipeline that you want to examine as the identifier parameter, to describe the full ID of the Customer-Managed Encryption Key (CMEK) used to encrypt the data managed by the selected pipeline:

    gcloud beta eventarc pipelines describe "projects/cc-web-project-123123/locations/us-central1/pipelines/cc-project5-eventarc-pipeline"
	--format="json(cryptoKeyName)"

  6. The command output should return the ID of the requested encryption key:

    null

    If the eventarc pipelines describe command output returns null, as shown in the example above, the event messages that pass through the selected Google Cloud Eventarc pipeline are not encrypted using a Cloud KMS Customer-Managed Encryption Key (CMEK).

  7. Repeat steps no. 3 – 6 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

To enable encryption with Customer-Managed Encryption Keys (CMEKs) for your Eventarc message pipeline, perform the following operations:

Using GCP Console

  1. Sign in to the Google Cloud Management Console.

  2. Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

  3. To create and configure your new Customer-Managed Encryption Key (CMEK), perform the following actions:

    1. Navigate to Key management console available at https://console.cloud.google.com/security/kms.
    2. Before you can set up and configure your Customer-Managed Encryption Key (CMEK), you must create a key ring. A Cloud KMS key ring is a grouping of cryptographic keys made available for organizational purposes in a specific location. To get started, choose CREATE KEY RING to set up the required key ring.
    3. A key ring requires a name and a location. On the Create key ring setup page, provide a unique name in the Key ring name box, select the key location type from the Location type list, then choose the appropriate key location from the Region/Multi-region dropdown list. The location can be either multi-region or associated with a particular region. If the CMEKs created later within this key ring will be used to encrypt/decrypt data in a particular region, select that region as the key ring location. Choose CREATE to deploy the new key ring.
    4. On the Create key setup page, provide the following information:
      1. For Name and protection level, provide a unique name for your new KMS key in the Key name box and choose the protection level that you want to use from the Protection Level dropdown list. Choose CONTINUE to continue the setup process.
      2. For Key material, choose Generated key to generate the key material for you (recommended). Choose CONTINUE.
      3. For Purpose and algorithm, choose Symmetric encrypt/decrypt to define the types of operations that your cryptographic key can perform. Choose CONTINUE to continue the setup.
      4. For Versions, configure the key rotation period as necessary. Choose CONTINUE.
      5. For Additional settings (optional), set the duration for the scheduled for destruction (i.e., soft deleted) state before the key is removed from the system. Choose ADD LABEL and use the Key and Value text fields to create labels in order to organize the identity of the new key.
      6. Choose CREATE to deploy your new Cloud KMS Customer-Managed Encryption Key (CMEK).

  4. Navigate to Eventarc console available at https://console.cloud.google.com/eventarc/.

  5. In the left navigation panel, under Advanced, choose Pipelines to access the list of Google Cloud Eventarc pipelines available for the selected GCP project.

  6. Click on the name (link) of the Eventarc pipeline that you want to configure, listed in the Name column. A pipeline is a delivery resource between an Eventarc bus and a destination.

  7. Chose EDIT from the top menu to modify the pipeline configuration settings.

  8. For Pipeline details, in the Encryption section, choose Cloud KMS key, select Cloud KMS for Key type, and choose the name of your new Customer-Managed Encryption Key (CMEK) from the Select a Cloud KMS key dropdown list. Inside the \ service account does not have the "cloudkms.cryptoKeyEncrypterDecrypter" role. Verify the service account has permission to encrypt/decrypt with the selected key box, choose GRANT to grant the associated service account access to your key using the Cloud KMS CryptoKey Encrypter/Decrypter role. Choose SAVE to apply the changes. This will enable CMEK-based encryption for your Google Cloud Eventarc pipeline.

  9. Repeat steps no. 2 – 7 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

  1. Before you can create your own Customer-Managed Encryption Key (CMEK), you have to provision a key ring. A Cloud KMS key ring is a grouping of cryptographic keys made available for organizational purposes in a specific Google Cloud location. Run kms keyrings create command (Windows/macOS/Linux) to create a new Cloud KMS key ring in the specified location. If the keys deployed later within this key ring will be used to encrypt resources in a given region, select that region as the key ring location:

    gcloud kms keyrings create cc-project5-key-ring
	--location=us-central1
	--project=cc-web-project-123123
	--format="table(name)"

  2. The command output should return the resource name of the newly created key ring:

    NAME: projects/cc-web-project-123123/locations/us-central1/keyRings/cc-project5-key-ring

  3. Run kms keys create command (Windows/macOS/Linux) to create a new Customer-Managed Encryption Key (CMEK) within the Cloud KMS key ring created at the previous steps:

    gcloud kms keys create cc-eventarc-kms-key
	--location=us-central1
	--keyring=cc-project5-key-ring
	--purpose=encryption
	--protection-level=software
	--rotation-period=90d
	--next-rotation-time=2025-09-15T10:00:00.0000Z
	--format="table(name)"

  4. The command output should return the full resource name of the new Customer-Managed Encryption Key:

    NAME: projects/cc-web-project-123123/locations/us-central1/keyRings/cc-project5-key-ring/cryptoKeys/cc-eventarc-kms-key

  5. Run kms keys add-iam-policy-binding command (Windows/macOS/Linux) to add the required IAM policy binding to your CMEK. This assigns the Cloud KMS CryptoKey Encrypter/Decrypter role to the associated service account (i.e., the service account with the "eventarc.serviceAgentrole"). For example, service-\<project-number\>@gcp-sa-eventarc.iam.gserviceaccount.com):

    gcloud kms keys add-iam-policy-binding cc-eventarc-kms-key
	--keyring=cc-project5-key-ring
	--location=us-central1
	--member='serviceAccount:service-<project-number>@gcp-sa-eventarc.iam.gserviceaccount.com'
	--role=roles/cloudkms.cryptoKeyEncrypterDecrypter

  6. The command output should return the updated IAM policy (YAML format):

    Updated IAM policy for key [cc-eventarc-kms-key].
bindings:
- members:
	- serviceAccount:service-123456789012@gcp-sa-eventarc.iam.gserviceaccount.com
	role: roles/cloudkms.cryptoKeyEncrypterDecrypter
etag: ABCD1234ABCD
version: 1

  7. Run eventarc pipelines update command (Windows/macOS/Linux) to enable event message encryption with a Cloud KMS Customer-Managed Encryption Key (CMEK) for the selected Google Cloud Eventarc pipeline. For --crypto-key command parameter, specify the fully qualified identifier of the CMEK returned in step no 4:

    gcloud beta eventarc pipelines update "projects/cc-web-project-123123/locations/us-central1/pipelines/cc-project5-eventarc-pipeline"
	--location="us-central1"
	--crypto-key="projects/cc-web-project-123123/locations/us-central1/keyRings/cc-project5-key-ring/cryptoKeys/cc-eventarc-kms-key"

  8. The command output should return the update operation status:

    Updating pipeline [cc-project5-eventarc-pipeline] in project [cc-web-project-123123], location [us-central1]...done

  9. Repeat steps no. 1 – 8 for each GCP project deployed in your Google Cloud account.

References

Publication date Apr 11, 2025

Related Eventarc rules