Ensure Artifact Registry repositories use customer-managed encryption keys

### Overview

Category: Controls

Medium

Applies to: Google Cloud

Coverage: null controls, 1 queries

Asset types: 1 covered

Artifact Registry supports customer-managed encryption keys (CMEK) through Cloud KMS. Using CMEK gives security teams stronger control over key rotation, separation of duties, and auditability for software supply-chain assets stored in the registry.

Remediation guidance

From Google Cloud Console

  1. Open the affected Artifact Registry repository.
  2. Edit the repository settings.
  3. Select a Cloud KMS key under customer-managed encryption.
  4. Save the repository configuration and validate the key policy allows the registry service to use it.

Using gcloud

gcloud artifacts repositories create <repository> --repository-format=docker --location=<location> --kms-key=<kms-key-resource-name>

For existing repositories, migrate or recreate them with CMEK where required by your policy baseline.

Query logic

These are the stored checks tied to this control.

Artifact Registry repositories without customer-managed encryption keys

Connectors

Google Cloud

Covered asset types

ArtifactRegistryRepository

Expected check: eq []

{ artifactRegistryRepositories(where: { OR: [ { kmsKeyName: "" }, { kmsKeyName: null } ] }) { ...AssetFragment } }
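
The same condition as the stored query above (`kmsKeyName` empty or null), applied offline to repository JSON shaped like the output of `gcloud artifacts repositories list --format=json`. This is an added example, not Cyscale's own code; the sample data, the `audit` function and the finding labels are constructed for illustration. It goes one step beyond the stored check by also flagging a malformed key name and, as an assumption of this example, a key whose location differs from the repository's.

```python
import json
import re

# Constructed sample, shaped like `gcloud artifacts repositories list --format=json`.
# Project, repository and key names are placeholders.
SAMPLE_JSON = """
[
  {"name": "projects/example-proj/locations/europe-west1/repositories/images",
   "format": "DOCKER",
   "kmsKeyName": "projects/example-proj/locations/europe-west1/keyRings/ar/cryptoKeys/ar-key"},
  {"name": "projects/example-proj/locations/us-central1/repositories/legacy",
   "format": "DOCKER"},
  {"name": "projects/example-proj/locations/us-central1/repositories/blank",
   "format": "MAVEN", "kmsKeyName": ""},
  {"name": "projects/example-proj/locations/us-central1/repositories/wrong-region",
   "format": "DOCKER",
   "kmsKeyName": "projects/example-proj/locations/europe-west1/keyRings/ar/cryptoKeys/ar-key"}
]
"""

REPO_RE = re.compile(r"^projects/[^/]+/locations/(?P<loc>[^/]+)/repositories/[^/]+$")
KEY_RE = re.compile(r"^projects/[^/]+/locations/(?P<loc>[^/]+)/keyRings/[^/]+/cryptoKeys/[^/]+$")


def audit(repos):
    """Return (repository name, finding) pairs; an empty list means the control passes."""
    findings = []
    for repo in repos:
        name = repo.get("name", "<unnamed>")
        key = repo.get("kmsKeyName")
        if not key:  # same condition as the stored check: "" or null (or field absent)
            findings.append((name, "no-cmek"))
            continue
        key_m, repo_m = KEY_RE.match(key), REPO_RE.match(name)
        if key_m is None:
            findings.append((name, "malformed-key-name"))
        elif repo_m and key_m["loc"] != repo_m["loc"]:
            # Assumption of this example: the key must sit in the repository's location.
            findings.append((name, "key-location-mismatch"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(json.loads(SAMPLE_JSON)):
        print(f"{finding}: {name}")
```
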