End of Life Notice: For Trend Cloud One™ - Conformity customers, Conformity will reach its End of Sale on July 31st, 2025 and End of Life on July 31st, 2026. The same capabilities and much more are available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™

Enable Customer-Managed Encryption Keys (CMEK) for Cloud Spanner Backups

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: Spanner-003

Ensure that your Google Cloud Platform (GCP) Cloud Spanner backups are encrypted using customer-managed encryption keys (CMEK) instead of the default Google-managed encryption keys. CMEK gives your organization control over the key that protects each backup: you create, rotate, restrict, and, if necessary, disable or destroy it through Cloud Key Management Service (Cloud KMS). This supports regulatory requirements that call for customer ownership of encryption keys and makes the key's IAM policy an independent control over who can restore backup data.

Security

By using customer-managed encryption keys (CMEK) for Cloud Spanner backups, you rather than Google control the key that protects the backup data. Through Cloud KMS you choose the key's protection level (software, HSM, or external), location, rotation schedule, and IAM permissions, so backup encryption follows your organization's security policy and compliance requirements. Because Cloud Spanner can only decrypt a backup while its service agent holds the Cloud KMS CryptoKey Encrypter/Decrypter role on the key, the key's IAM policy becomes a second gate on who can restore the data, independent of Spanner permissions. Cloud Audit Logs record key administration (creation, rotation, IAM changes) by default; to also record every encrypt and decrypt call made with the key, enable Data Access audit logs for Cloud KMS in the project. Finally, disabling or destroying the key makes the backup data unreadable, which gives you a crypto-shredding control in a data breach, a regulatory investigation, or a secure decommissioning process, at the price of the restore risk described below.

Important: Cloud KMS destroys key material at the key-version level. If the key version that encrypted a Cloud Spanner backup is destroyed, that backup becomes permanently inaccessible and cannot be restored; the scheduled-for-destruction window (24 hours by default) is the only opportunity to reverse this. If the key or that key version is disabled, Cloud Spanner cannot restore the database from the backup until it is re-enabled. Restoring a CMEK-encrypted backup requires the exact key version recorded on the backup to be enabled. The key and key version bound to a backup cannot be changed after creation, and rotating the key (which creates a new primary version) does not re-encrypt existing backups, so every older version that still protects a retained backup must be kept enabled. Maintain key lifecycle management and access controls that prevent accidental disablement or destruction of any such version.


Audit

To determine if your Cloud Spanner backups are encrypted with customer-managed encryption keys (CMEK), perform the following operations:

Using GCP Console

  1. Sign in to Google Cloud Management Console.

  2. Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

  3. Navigate to Spanner console available at https://console.cloud.google.com/spanner.

  4. In the Instances page, click on the name of the Cloud Spanner instance that you want to examine.

  5. On the instance details page, click on the name of the database whose backups you want to audit.

  6. In the database details page, click on Backup/Restore in the left navigation pane.

  7. In the Backups tab, review the list of backups for the selected database.

  8. Click on a backup name to view its details.

  9. On the backup details page, in the Configuration section, check the Encryption type field.

  10. If the Encryption type field is missing or displays Google-managed, the selected Cloud Spanner backup is using Google-managed encryption keys instead of customer-managed encryption keys (CMEK), therefore the backup configuration is not compliant.

  11. If the Encryption type field displays Customer-managed with a Cloud KMS key resource name, the backup is properly encrypted with CMEK.

  12. Repeat steps no. 8 – 11 for each backup in the selected database.

  13. Repeat steps no. 5 – 12 for each database in the selected instance.

  14. Repeat steps no. 4 – 13 for each Cloud Spanner instance in the selected project.

  15. Repeat steps no. 2 – 14 for each project available within your Google Cloud account.

Using GCP CLI

  1. Run projects list command (Windows/macOS/Linux) to list all the project IDs available in your Google Cloud account:

    gcloud projects list \
    	--format="table(projectId)"
    
  2. The command output should return the requested GCP project identifiers:

    PROJECT_ID
    cc-spanner-project-112233
    cc-database-project-445566
    
  3. Run spanner instances list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter to list all Cloud Spanner instances in the selected project:

    gcloud spanner instances list \
    	--project cc-spanner-project-112233 \
    	--format="table(name.basename())"
    
  4. The command output should return the Cloud Spanner instance names:

    NAME
    cc-production-instance
    cc-development-instance
    
  5. Run spanner databases list command (Windows/macOS/Linux) using the instance name to list all databases in the selected instance:

    gcloud spanner databases list \
    	--instance cc-production-instance \
    	--project cc-spanner-project-112233 \
    	--format="table(name.basename())"
    
  6. The command output should return the database names:

    NAME
    cc-prod-database
    cc-analytics-database
    
  7. Run spanner backups list command (Windows/macOS/Linux) using the instance name to list all backups in the selected instance:

    gcloud spanner backups list \
    	--instance cc-production-instance \
    	--project cc-spanner-project-112233 \
    	--format="table(name.basename(),database.basename())"
    
  8. The command output should return the backup names and their source databases:

    NAME                          DATABASE
    cc-prod-backup-20260115       cc-prod-database
    cc-analytics-backup-20260110  cc-analytics-database
    
  9. Run spanner backups describe command (Windows/macOS/Linux) using the name of the backup that you want to examine:

    gcloud spanner backups describe cc-prod-backup-20260115 \
    	--instance cc-production-instance \
    	--project cc-spanner-project-112233 \
    	--format=json
    
  10. The command output should return the backup configuration metadata as JSON:

    {
    	"createTime": "2026-01-15T00:33:34.392873Z",
    	"database": "projects/cc-spanner-project-112233/instances/cc-production-instance/databases/cc-prod-database",
    	"encryptionInfo": {
    		"encryptionType": "GOOGLE_DEFAULT_ENCRYPTION"
    	},
    	......
    	"expireTime": "2026-02-14T00:33:34.392873Z",
    	"name": "projects/cc-spanner-project-112233/instances/cc-production-instance/backups/cc-prod-backup-20260115",
    	"sizeBytes": "1234567890",
    	"state": "READY",
    	"versionTime": "2026-01-18T11:41:30.374265Z"
    }
    
  11. Check the encryptionInfo.encryptionType attribute value in the command output. If encryptionInfo.encryptionType shows GOOGLE_DEFAULT_ENCRYPTION, as shown in the output example above, the selected Cloud Spanner backup is encrypted with Google-managed encryption keys instead of customer-managed encryption keys (CMEK), therefore the backup configuration is not compliant. If the attribute shows CUSTOMER_MANAGED_ENCRYPTION and encryptionInfo.kmsKeyVersion contains a Cloud KMS key version resource name (e.g., projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY_NAME/cryptoKeyVersions/1), the backup is using CMEK. Backups of multi-region or dual-region instances that are protected by several regional keys also carry an encryptionInformation list with one entry per key; every entry must show CUSTOMER_MANAGED_ENCRYPTION for the backup to be compliant. Record the key version shown here: restoring the backup later requires that exact version to be enabled.

  12. Repeat steps no. 9 – 11 to verify the encryption configuration for other Cloud Spanner backups in the selected instance.

  13. Repeat steps no. 7 – 12 for each Cloud Spanner instance in the selected project.

  14. Repeat steps no. 3 – 13 for each project available within your Google Cloud account.
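The loop in steps 3 to 14 above, written as a script. This is an added example, not a Conformity check or Google tooling. The classification runs on the JSON that gcloud returns, so it can be exercised offline on the constructed sample below; gcloud is only invoked from main(). Assumptions: `gcloud spanner backups list --format=json` returns full Backup resources including encryptionInfo (which avoids one describe call per backup), and the optional allowed_key_prefix argument (not part of the page's rule) lets you additionally flag backups encrypted with a key outside the key ring your organization owns.

```python
"""Audit Cloud Spanner backups for CMEK. Added example; not Conformity's check."""
import json
import subprocess
import sys

CUSTOMER_MANAGED = "CUSTOMER_MANAGED_ENCRYPTION"


def encryption_infos(backup):
    """All EncryptionInfo objects on a backup: the single `encryptionInfo`
    plus the `encryptionInformation` list that backups of multi-region
    instances carry when several regional keys protect them."""
    infos = []
    if backup.get("encryptionInfo"):
        infos.append(backup["encryptionInfo"])
    infos.extend(backup.get("encryptionInformation") or [])
    return infos


def classify_backup(backup, allowed_key_prefix=None):
    """Return (compliant, reason). A backup passes only if every
    EncryptionInfo is CUSTOMER_MANAGED_ENCRYPTION with a kmsKeyVersion and,
    when allowed_key_prefix is given, every key version starts with it."""
    infos = encryption_infos(backup)
    if not infos:
        return False, "no encryptionInfo reported; Google-managed by default"
    types = {i.get("encryptionType", "UNSPECIFIED") for i in infos}
    if types != {CUSTOMER_MANAGED}:
        return False, "encryption type " + ", ".join(sorted(types))
    versions = sorted({i["kmsKeyVersion"] for i in infos if i.get("kmsKeyVersion")})
    if not versions:
        return False, "CUSTOMER_MANAGED_ENCRYPTION but no kmsKeyVersion"
    foreign = [v for v in versions
               if allowed_key_prefix and not v.startswith(allowed_key_prefix)]
    if foreign:
        return False, "key outside allowed key ring: " + ", ".join(foreign)
    return True, "CMEK " + ", ".join(versions)


def audit_backups(backups, allowed_key_prefix=None):
    """Classify Backup resources; returns [(short name, compliant, reason)]."""
    return [(b["name"].rsplit("/", 1)[-1], *classify_backup(b, allowed_key_prefix))
            for b in backups]


def gcloud_json(*args):
    """Run a gcloud command with --format=json and parse its output."""
    out = subprocess.run(["gcloud", *args, "--format=json"], check=True,
                         capture_output=True, text=True).stdout
    return json.loads(out or "[]")


def audit_project(project, allowed_key_prefix=None):
    """Steps 3, 7 and 9-11 of the audit for one project, via gcloud."""
    findings = []
    for inst in gcloud_json("spanner", "instances", "list", "--project", project):
        instance = inst["name"].rsplit("/", 1)[-1]
        backups = gcloud_json("spanner", "backups", "list",
                              "--instance", instance, "--project", project)
        findings.extend(audit_backups(backups, allowed_key_prefix))
    return findings


# Constructed sample mirroring the describe output shown above; not real data.
SAMPLE_BACKUPS = [
    {"name": "projects/cc-spanner-project-112233/instances/cc-production-instance"
             "/backups/cc-prod-backup-20260115",
     "encryptionInfo": {"encryptionType": "GOOGLE_DEFAULT_ENCRYPTION"}},
    {"name": "projects/cc-spanner-project-112233/instances/cc-production-instance"
             "/backups/cc-prod-backup-cmek-20260115",
     "encryptionInfo": {"encryptionType": "CUSTOMER_MANAGED_ENCRYPTION",
                        "kmsKeyVersion": "projects/cc-spanner-project-112233/locations/"
                        "us-central1/keyRings/cc-spanner-keyring/cryptoKeys/"
                        "cc-spanner-backup-cmek-key-us-central1/cryptoKeyVersions/1"}},
]

if __name__ == "__main__":
    # Usage: python audit.py PROJECT_ID [ALLOWED_KEY_PREFIX]; no args = sample data.
    if len(sys.argv) > 1:
        results = audit_project(sys.argv[1], *sys.argv[2:3])
    else:
        results = audit_backups(SAMPLE_BACKUPS)
    for name, ok, reason in results:
        print(f"{('PASS' if ok else 'FAIL'):4} {name}: {reason}")
    sys.exit(0 if all(ok for _, ok, _ in results) else 1)
```

Run it per project from a shell that already has gcloud credentials; a non-zero exit means at least one backup is Google-managed or uses a key outside the allowed key ring, which makes the script usable as a gate in a scheduled job.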

Remediation / Resolution

To enable customer-managed encryption keys (CMEK) for your Google Cloud Spanner backups, you must create new backups with CMEK configured or modify your backup schedules to use CMEK. Before creating CMEK-encrypted backups, you must ensure that a Cloud KMS encryption key exists in the same location as your Spanner instance and that the Cloud Spanner service agent has the necessary permissions to use the key. Note that you cannot modify the encryption configuration of an existing backup after it has been created. Perform the following operations:

Important: Cloud Spanner does not support modifying the encryption type of an existing backup from Google-managed keys to customer-managed encryption keys (CMEK). You must create new backups with CMEK enabled. The Cloud KMS encryption key must be created in the same location as your Cloud Spanner instance. For multi-region or dual-region instances, you must use regional Cloud KMS keys that correspond to the regions in your instance configuration. Deleting or disabling the CMEK key will make your Cloud Spanner backups unrestorable. Incremental backups do not support CMEK and can only be encrypted using Google-managed encryption keys, even if the source database is encrypted with CMEK.

Using GCP Console

  1. Step 1: Verify or Create Cloud KMS Encryption Key(s)

    Sign in to Google Cloud Management Console.

  2. Select the Google Cloud Platform (GCP) project that contains the Cloud Spanner database for which you want to create CMEK-encrypted backups from the console top navigation bar.

  3. Navigate to Spanner console available at https://console.cloud.google.com/spanner and identify the instance configuration (regional, multi-region, or dual-region) and location(s) of your Cloud Spanner instance to determine the required Cloud KMS key location(s).

  4. Navigate to Key Management console available at https://console.cloud.google.com/security/kms.

  5. If you don't have an existing key ring in the same location as your Cloud Spanner instance, click Create key ring and perform the following:

    1. For Key ring name, provide a unique name for the key ring (e.g., cc-spanner-keyring).
    2. For Location type, select Region (regional Cloud KMS keys are required for Cloud Spanner, even for multi-region instances).
    3. For Region, select a region that matches one of the regions in your Cloud Spanner instance configuration (e.g., us-central1).
    4. Click Create to create the key ring.
  6. If your Cloud Spanner instance uses a multi-region or dual-region configuration, repeat step no. 5 to create additional key rings in each region required by your instance configuration.

  7. Select the key ring you created in the first region.

  8. Click Create key and perform the following operations:

    1. For Key name, provide a unique name for the encryption key (e.g., cc-spanner-backup-cmek-key-us-central1).
    2. For Protection level, select Software, HSM, or External based on your security requirements.
    3. For Key material, ensure Generated is selected.
    4. For Purpose, select Symmetric encrypt/decrypt.
    5. (Optional) Configure Rotation period to automatically rotate the key at specified intervals.
    6. Click Create to create the encryption key.
  9. If you created multiple key rings for a multi-region or dual-region instance, repeat steps no. 7 – 8 for each key ring to create a Cloud KMS key in each required region.

  10. Step 2: Grant Cloud Spanner Service Agent Permissions

    In the Google Cloud Console, click on Activate Cloud Shell icon in the top-right corner to open Cloud Shell.

  11. Run the following command to create or display the Cloud Spanner service agent identity:

    gcloud beta services identity create --service=spanner.googleapis.com --project=cc-spanner-project-112233
    
  12. The command output will return the service agent email address:

    Service identity created: service-123456789012@gcp-sa-spanner.iam.gserviceaccount.com
    
  13. Run the following command to grant the service agent the Cloud KMS CryptoKey Encrypter/Decrypter role on your first encryption key:

    gcloud kms keys add-iam-policy-binding cc-spanner-backup-cmek-key-us-central1 \
    	--location us-central1 \
    	--keyring cc-spanner-keyring \
    	--project=cc-spanner-project-112233 \
    	--member serviceAccount:service-123456789012@gcp-sa-spanner.iam.gserviceaccount.com \
    	--role roles/cloudkms.cryptoKeyEncrypterDecrypter
    
  14. The command output will confirm the IAM policy binding:

    Updated IAM policy for key [cc-spanner-backup-cmek-key-us-central1].
    	bindings:
    	- members:
    		- serviceAccount:service-123456789012@gcp-sa-spanner.iam.gserviceaccount.com
    		role: roles/cloudkms.cryptoKeyEncrypterDecrypter
    
  15. If you created multiple Cloud KMS keys for a multi-region or dual-region instance, repeat steps no. 13 – 14 for each key to grant the service agent permissions on all keys.

  16. Step 3: Create Cloud Spanner Backup with CMEK

    Navigate to Spanner console available at https://console.cloud.google.com/spanner.

  17. Click on the name of the Cloud Spanner instance containing the database you want to back up.

  18. On the instance details page, click on the name of the database you want to back up.

  19. In the database details page, click on Backup/Restore in the left navigation pane.

  20. Click Create backup to begin creating a new backup.

  21. On the Create a backup page, provide the following information:

    1. For Backup Name, provide a unique identifier for the new backup (e.g., cc-prod-backup-cmek-20260115).
    2. For Expiration date, set the date when the backup should expire and be automatically deleted.
  22. In the Encryption section, perform the following:

    1. Select Cloud KMS key.
    2. If your instance is a regional instance, click the Select a key dropdown and choose the Cloud KMS encryption key you created earlier.
    3. If your instance is a multi-region or dual-region instance, you will see input fields for multiple keys. For each region, select or enter the appropriate Cloud KMS key resource name in the format: projects/PROJECT_ID/locations/REGION/keyRings/KEY_RING/cryptoKeys/KEY_NAME.
  23. Click Create to create the new Cloud Spanner backup with CMEK encryption enabled.

  24. Wait for the backup creation to complete. The backup state will change to Ready when it's available.

  25. Repeat steps no. 18 – 24 for each database in the selected instance that requires CMEK-encrypted backups.

  26. Repeat steps no. 17 – 25 for each Cloud Spanner instance in the selected project.

  27. Repeat steps no. 2 – 26 for each project available within your Google Cloud account.

Using GCP CLI

  1. Step 1: Verify or Create Cloud KMS Encryption Key(s)

    Run spanner instances describe command (Windows/macOS/Linux) to identify the configuration and location(s) of your Cloud Spanner instance (see Audit section part II to identify the instance):

    gcloud spanner instances describe cc-production-instance \
    	--project cc-spanner-project-112233 \
    	--format="value(config)"
    
  2. The command output should return the instance configuration name:

    projects/cc-spanner-project-112233/instanceConfigs/regional-us-central1
    
  3. Based on the instance configuration, determine the required Cloud KMS key region(s). For regional instances, use one key in the same region. For multi-region or dual-region instances, you need multiple regional keys.

  4. Run kms keyrings create command (Windows/macOS/Linux) to create a new key ring in the first required region (skip this step if you already have a key ring):

    gcloud kms keyrings create cc-spanner-keyring \
    	--location us-central1 \
    	--project cc-spanner-project-112233
    
  5. Run kms keys create command (Windows/macOS/Linux) to create a new symmetric encryption key in the key ring (skip this step if you already have a CMEK key):

    gcloud kms keys create cc-spanner-backup-cmek-key-us-central1 \
    	--keyring cc-spanner-keyring \
    	--location us-central1 \
    	--purpose encryption \
    	--protection-level software \
    	--project cc-spanner-project-112233
    
  6. If your Cloud Spanner instance uses a multi-region or dual-region configuration, repeat steps no. 4 – 5 to create additional key rings and keys in each required region (e.g., us-east1, us-west1 for a multi-region instance).

  1. Step 2: Grant Cloud Spanner Service Agent Permissions

    Run beta services identity create command (Windows/macOS/Linux) to create or display the Cloud Spanner service agent identity:

    gcloud beta services identity create \
    	--service=spanner.googleapis.com \
    	--project=cc-spanner-project-112233
    
  2. The command output should return the service agent email address:

    Service identity created: service-123456789012@gcp-sa-spanner.iam.gserviceaccount.com
    
  3. Run kms keys add-iam-policy-binding command (Windows/macOS/Linux) to grant the Cloud Spanner service agent the Cloud KMS CryptoKey Encrypter/Decrypter role on the first key:

    gcloud kms keys add-iam-policy-binding cc-spanner-backup-cmek-key-us-central1 \
    	--location us-central1 \
    	--keyring cc-spanner-keyring \
    	--project=cc-spanner-project-112233 \
    	--member serviceAccount:service-123456789012@gcp-sa-spanner.iam.gserviceaccount.com \
    	--role roles/cloudkms.cryptoKeyEncrypterDecrypter
    
  4. The command output should confirm the IAM policy binding:

    Updated IAM policy for key [cc-spanner-backup-cmek-key-us-central1].
    	bindings:
    	- members:
    		- serviceAccount:service-123456789012@gcp-sa-spanner.iam.gserviceaccount.com
    		role: roles/cloudkms.cryptoKeyEncrypterDecrypter
    
  5. If you created multiple Cloud KMS keys for a multi-region or dual-region instance, repeat step no. 3 for each key to grant permissions on all keys.
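A pre-flight check for the two prerequisites that Step 1 and Step 2 establish, which, if missed, make the backup creation in Step 3 fail (or, worse, make a later restore fail). This is an added example, not Conformity's or Google's code. It evaluates JSON that gcloud already produces, `gcloud spanner instance-configs describe CONFIG --format=json` (replicas[].location) and `gcloud kms keys get-iam-policy KEY --keyring RING --location REGION --format=json` (bindings[]), so it runs offline on the constructed samples below. The multi-region sample is modelled on nam3 and the rule it enforces is the one the console steps above state: exactly one regional key per region of the instance configuration, counting every replica location. Confirm that rule against Google's CMEK documentation for your specific configuration before relying on it.

```python
"""Pre-flight for Spanner CMEK backups. Added example; not Google's or Conformity's code."""
import re

KMS_KEY_RE = re.compile(
    r"^projects/[^/]+/locations/(?P<location>[^/]+)/keyRings/[^/]+/cryptoKeys/[^/]+$")
KMS_ROLE = "roles/cloudkms.cryptoKeyEncrypterDecrypter"


def key_location(kms_key):
    """Region of a Cloud KMS key from its resource name; rejects key versions
    and anything that is not a cryptoKey resource name."""
    m = KMS_KEY_RE.match(kms_key)
    if not m:
        raise ValueError("not a Cloud KMS cryptoKey resource name: " + kms_key)
    return m.group("location")


def config_regions(instance_config):
    """Distinct regions of an instance configuration (replicas[].location)."""
    return sorted({r["location"] for r in instance_config.get("replicas", [])})


def check_key_locations(instance_config, kms_keys):
    """Problems with the key set for this configuration; [] means it fits.
    Assumption: one regional key per replica region, witness regions included."""
    regions = config_regions(instance_config)
    by_region = {}
    for k in kms_keys:
        by_region.setdefault(key_location(k), []).append(k)
    problems = []
    for region, keys in sorted(by_region.items()):
        if region not in regions:
            problems.append(f"key in {region} but the configuration spans {regions}")
        if len(keys) > 1:
            problems.append(f"{len(keys)} keys given for {region}; exactly one is needed")
    for region in regions:
        if region not in by_region:
            problems.append(f"no key given for {region}")
    return problems


def spanner_service_agent(project_number):
    """Identity Spanner uses to call Cloud KMS (the `services identity create` output)."""
    return f"service-{project_number}@gcp-sa-spanner.iam.gserviceaccount.com"


def service_agent_can_use_key(policy, project_number):
    """True if the service agent holds the Encrypter/Decrypter role on the key.
    Only an unconditional binding counts: a conditional grant may not apply
    at restore time, which is exactly when a silent failure hurts."""
    member = "serviceAccount:" + spanner_service_agent(project_number)
    return any(b.get("role") == KMS_ROLE and member in b.get("members", [])
               and not b.get("condition")
               for b in policy.get("bindings", []))


def preflight(instance_config, kms_keys, key_policies, project_number):
    """Both checks together; key_policies maps key name -> get-iam-policy JSON."""
    problems = check_key_locations(instance_config, kms_keys)
    for k in kms_keys:
        if not service_agent_can_use_key(key_policies.get(k, {}), project_number):
            problems.append(f"service agent lacks {KMS_ROLE} on {k}")
    return problems


# Constructed samples, not real gcloud output. Multi-region modelled on nam3
# (read-write replicas in us-east4 and us-east1, witness in us-central1).
PROJECT_NUMBER = "123456789012"
KEY = ("projects/cc-spanner-project-112233/locations/us-central1/keyRings/"
       "cc-spanner-keyring/cryptoKeys/cc-spanner-backup-cmek-key-us-central1")
REGIONAL = {"name": "projects/cc-spanner-project-112233/instanceConfigs/regional-us-central1",
            "replicas": [{"location": "us-central1", "type": "READ_WRITE"}] * 3}
MULTI = {"name": "projects/cc-spanner-project-112233/instanceConfigs/nam3",
         "replicas": [{"location": "us-east4", "type": "READ_WRITE"},
                      {"location": "us-east1", "type": "READ_WRITE"},
                      {"location": "us-central1", "type": "WITNESS"}]}
POLICY_OK = {"bindings": [{"role": KMS_ROLE,
                           "members": ["serviceAccount:" + spanner_service_agent(PROJECT_NUMBER)]}],
             "etag": "BwXexample=", "version": 1}
POLICY_NONE = {"etag": "BwXexample=", "version": 1}

if __name__ == "__main__":
    for label, cfg, policy in (("regional/ok", REGIONAL, POLICY_OK),
                               ("regional/no-binding", REGIONAL, POLICY_NONE),
                               ("nam3/one-key", MULTI, POLICY_OK)):
        print(label, preflight(cfg, [KEY], {KEY: policy}, PROJECT_NUMBER) or "OK")
```

Feed it the real instance-configs and get-iam-policy JSON for your instance before running Step 3; an empty problem list means the key set and the service agent grant are in place, and a "no key given for REGION" entry tells you which regional key is still missing.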

  1. Step 3: Create Cloud Spanner Backup with CMEK

    For a regional instance with a single Cloud KMS key, run spanner backups create command (Windows/macOS/Linux) to create a new backup with CMEK encryption enabled:

    gcloud spanner backups create cc-prod-backup-cmek-20260115 \
    	--instance cc-production-instance \
    	--database cc-prod-database \
    	--retention-period 30d \
    	--encryption-type customer-managed-encryption \
    	--kms-key projects/cc-spanner-project-112233/locations/us-central1/keyRings/cc-spanner-keyring/cryptoKeys/cc-spanner-backup-cmek-key-us-central1 \
    	--project cc-spanner-project-112233 \
    	--async
    
  2. For a multi-region or dual-region instance, pass one regional key for every region in the instance configuration as a comma-separated list with the --kms-keys flag (the us-east1 and us-west1 key names below are illustrative and must match the keys you created in Step 1):

    gcloud spanner backups create cc-prod-backup-cmek-20260115 \
    	--instance cc-multiregion-instance \
    	--database cc-prod-database \
    	--retention-period 30d \
    	--encryption-type customer-managed-encryption \
    	--kms-keys projects/cc-spanner-project-112233/locations/us-central1/keyRings/cc-spanner-keyring/cryptoKeys/cc-spanner-backup-cmek-key-us-central1,projects/cc-spanner-project-112233/locations/us-east1/keyRings/cc-spanner-keyring/cryptoKeys/cc-spanner-backup-cmek-key-us-east1,projects/cc-spanner-project-112233/locations/us-west1/keyRings/cc-spanner-keyring/cryptoKeys/cc-spanner-backup-cmek-key-us-west1 \
    	--project cc-spanner-project-112233 \
    	--async
    
  3. The command output should confirm the backup creation operation:

    Create request issued for: [cc-prod-backup-cmek-20260115]
    Check operation [projects/cc-spanner-project-112233/instances/cc-production-instance/backups/cc-prod-backup-cmek-20260115/operations/_auto_op_234567] for status.
    
  4. Run spanner backups describe command (Windows/macOS/Linux) to verify that CMEK is enabled for the new backup:

    gcloud spanner backups describe cc-prod-backup-cmek-20260115 \
    	--instance cc-production-instance \
    	--project cc-spanner-project-112233 \
    	--format="json(encryptionInfo)"
    
  5. The command output should confirm that CMEK is enabled:

    {
    	"encryptionInfo": {
    		"encryptionType": "CUSTOMER_MANAGED_ENCRYPTION",
    		"kmsKeyVersion": "projects/cc-spanner-project-112233/locations/us-central1/keyRings/cc-spanner-keyring/cryptoKeys/cc-spanner-backup-cmek-key-us-central1/cryptoKeyVersions/1"
    	}
    }
    
  6. Repeat steps no. 1 – 5 for each database that requires CMEK-encrypted backups.

  7. Repeat steps no. 1 – 6 for each Cloud Spanner instance in the selected project.

  8. Repeat steps no. 1 – 7 for each project available within your Google Cloud account.


Publication date Jan 22, 2026