Overview
Google Cloud encrypts data at rest by default. For regulated serverless workloads, customer-managed encryption keys provide stronger key ownership, policy control, and audit separation for function source, build, and runtime artifacts.
This control is disabled by default because CMEK is not required for every function. Enable it for regulated or high-sensitivity projects.
Remediation guidance
Remediation
Redeploy the function with an approved Cloud KMS key, and before deploying grant the service agents that Cloud Functions relies on (such as the Cloud Functions and Artifact Registry service agents) the roles/cloudkms.cryptoKeyEncrypterDecrypter role on that key; without that grant the deployment fails.
gcloud CLI
gcloud functions deploy {{asset.name}} \
--region {{asset.region}} \
--kms-key {{manual.kmsKeyName}}
Validate the key configuration; the command prints the full key resource name, and an empty value means no customer-managed key is set on the function:
gcloud functions describe {{asset.name}} \
--region {{asset.region}} \
--format='value(kmsKeyName)'
References
- https://cloud.google.com/functions/docs/securing/cmek
- https://cloud.google.com/kms/docs/customer-managed-encryption
Query logic
These are the stored checks tied to this control.
Google Cloud Functions without customer-managed encryption keys
Connectors
Covered asset types
Expected check: eq [] (the control passes only when the query returns no matching functions)
{
functions(
where: {
cloudProvider: { eq: "gcp" }
OR: [
{ kmsKeyName: null }
{ kmsKeyName: { eq: "" } }
]
}
) {
...AssetFragment
}
}
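The stored query above flags GCP functions whose kmsKeyName is null or empty, and the validation command in the remediation section prints that same field. The following Python is an added example, not part of this control page or of the tool that stores the query: it re-implements the query's predicate over a constructed inventory so the "eq []" pass condition can be checked offline, and it goes one step beyond the page by also parsing a configured key name and comparing the key ring location to the function region, since the linked CMEK documentation requires the two to match. The inventory records, project and key names are constructed sample values.

```python
"""Added example: evaluate the CMEK control predicate over sample function records."""
import re

# Cloud KMS key resource name layout; the named groups expose the location
# so it can be compared against the function's region.
KMS_KEY_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/(?P<key_ring>[^/]+)/cryptoKeys/(?P<key>[^/]+)$"
)


def lacks_cmek(fn):
    """Mirror of the stored query: a GCP function whose kmsKeyName is null or ''."""
    return fn.get("cloudProvider") == "gcp" and not fn.get("kmsKeyName")


def query_result(functions):
    """Names the stored query would return; the control expects this to equal []."""
    return [fn["name"] for fn in functions if lacks_cmek(fn)]


def control_passes(functions):
    """The page's 'Expected check: eq []' applied to the query result."""
    return query_result(functions) == []


def key_location_issue(fn):
    """Extra check beyond the page's query: the key must be a well-formed
    resource name and its location must match the function region."""
    key = fn.get("kmsKeyName")
    if not key:
        return None
    m = KMS_KEY_RE.match(key)
    if not m:
        return "kmsKeyName is not a Cloud KMS key resource name"
    if m.group("location") != fn.get("region"):
        return f"key location {m.group('location')} differs from function region {fn.get('region')}"
    return None


def evaluate(functions):
    """Return (function name, reason) findings for every GCP function that
    either lacks a customer-managed key or has one in the wrong location."""
    findings = []
    for fn in functions:
        if fn.get("cloudProvider") != "gcp":
            continue  # the query scopes to GCP; other providers are out of scope
        if lacks_cmek(fn):
            findings.append((fn["name"], "no customer-managed key configured"))
            continue
        issue = key_location_issue(fn)
        if issue:
            findings.append((fn["name"], issue))
    return findings


def describe_output_to_key(text):
    """Turn the output of the page's describe command (value(kmsKeyName))
    into the same null-or-name shape the inventory records use."""
    return text.strip() or None


# Constructed sample inventory (not real assets).
SAMPLE_INVENTORY = [
    {"name": "fn-a", "cloudProvider": "gcp", "region": "us-central1", "kmsKeyName": None},
    {"name": "fn-b", "cloudProvider": "gcp", "region": "us-central1", "kmsKeyName": ""},
    {"name": "fn-c", "cloudProvider": "gcp", "region": "us-central1",
     "kmsKeyName": "projects/sample-proj/locations/us-central1/keyRings/fn-ring/cryptoKeys/fn-key"},
    {"name": "fn-d", "cloudProvider": "gcp", "region": "europe-west1",
     "kmsKeyName": "projects/sample-proj/locations/us-central1/keyRings/fn-ring/cryptoKeys/fn-key"},
    {"name": "fn-e", "cloudProvider": "aws", "region": "us-east-1", "kmsKeyName": None},
]

if __name__ == "__main__":
    print("query result:", query_result(SAMPLE_INVENTORY))
    print("control passes:", control_passes(SAMPLE_INVENTORY))
    for name, reason in evaluate(SAMPLE_INVENTORY):
        print(f"{name}: {reason}")
```

Only fn-a and fn-b match the page's query (fn-e is excluded by the cloudProvider filter), so the control fails on this inventory; the extended evaluate() additionally reports fn-d, whose key lives in a different region than the function, which the query alone would not catch.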
Google Cloud