Ensure Cloud Bigtable uses CMEK for regulated data

Google Cloud Remediation

Service-wide fix (recommended): decide which Bigtable workloads require CMEK, standardize approved key locations, and enforce the pattern in project templates and provisioning pipelines.

When to use service-wide remediation

Use the service-wide path when regulated environments create Bigtable instances repeatedly across multiple projects.

Google Cloud console

For a new instance or cluster, select Customer-managed encryption key (CMEK) and choose an approved Cloud KMS key in the same region as the cluster.

Google Cloud CLI

Create a CMEK-protected instance:

gcloud bigtable instances create <instance-id> \
  --display-name="<display-name>" \
  --cluster-config=id=<cluster-id>,zone=<zone>,nodes=<nodes>,kms-key=projects/<kms-project>/locations/<kms-location>/keyRings/<keyring>/cryptoKeys/<key>

Validate the encryption settings:

gcloud bigtable instances describe <instance-id>

Operational notes

• You cannot usually retrofit CMEK onto an existing non-CMEK Bigtable deployment without moving data to a newly created CMEK-protected target.
• Plan a migration path before enforcing this broadly. Common approaches are creating a new CMEK-protected instance or cluster, synchronizing data, cutting application traffic over, and then retiring the old instance.
• The Bigtable service agent must have permission to use the selected KMS key.

References

• https://cloud.google.com/bigtable/docs/use-cmek
• https://docs.cloud.google.com/sdk/gcloud/reference/bigtable/instances/create
• https://docs.cloud.google.com/bigtable/docs/modifying-instance