Overview
Customer-managed encryption keys (CMEK) provide stronger governance and key lifecycle control for regulated workloads.
Remediation guidance
Google Cloud Remediation
Service-Wide (Recommended)
Define organization policy and project standards requiring CMEK for regulated data stores.
Google Cloud Console (Asset-Level)
- Open the Cloud Spanner instance creation or configuration workflow.
- Select Customer-managed encryption key.
- Choose the approved KMS key ring and key.
Google Cloud CLI (Asset-Level)
gcloud spanner instances create <instance-name> --config=<config> --description="<description>" --nodes=<nodes> --kms-key=projects/<project>/locations/<location>/keyRings/<keyring>/cryptoKeys/<key>
References
- https://cloud.google.com/spanner/docs/customer-managed-encryption-keys
Query logic
These are the stored checks tied to this control.
Spanner instances without CMEK
Connectors
Covered asset types
Expected check: eq [] (the query below must return an empty list; any instance it returns fails the control)
{ cloudSpannerInstances(where: { OR: [ { kmsKeyName: "" }, { kmsKeyName: null } ] }) { ...AssetFragment } }
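The following is an added example, not the tool's own code, that reproduces the stored check's predicate in Python so it can be exercised offline against a constructed sample of asset records. The query above selects `cloudSpannerInstances` whose `kmsKeyName` is `""` or `null`, and the control passes only when that selection is empty. The sample inventory, the asset `name` values and the key path are constructed placeholders; the example also goes slightly beyond the query by treating a record with no `kmsKeyName` field at all as lacking CMEK, which is an assumption about how a missing field should be scored.

```python
"""Evaluate the "Spanner instances without CMEK" check over constructed data.

Mirrors the stored GraphQL predicate (kmsKeyName == "" OR kmsKeyName == null)
and the expected result "eq []": the check passes only when no instance is
selected. Added example; not part of the original control definition.
"""
import json
from typing import Any

# Constructed sample inventory shaped like the asset records the query reads.
# Only the fields the check touches are present; all names are placeholders.
SAMPLE_INVENTORY: list[dict[str, Any]] = json.loads("""
[
  {"name": "projects/example-project/instances/regulated-db",
   "kmsKeyName": ""},
  {"name": "projects/example-project/instances/legacy-analytics",
   "kmsKeyName": null},
  {"name": "projects/example-project/instances/cmek-ok",
   "kmsKeyName": "projects/example-project/locations/us-central1/keyRings/regulated/cryptoKeys/spanner"}
]
""")


def lacks_cmek(asset: dict[str, Any]) -> bool:
    """Return True when the record matches the query's OR predicate.

    kmsKeyName == "" and kmsKeyName == null are the two cases the stored
    query tests. A record with no kmsKeyName field is treated like null
    (assumption: an absent field also means no customer-managed key).
    """
    key = asset.get("kmsKeyName")
    return key is None or key == ""


def instances_without_cmek(inventory: list[dict[str, Any]]) -> list[str]:
    """Names of the instances the check would select (the query's result set)."""
    return [asset["name"] for asset in inventory if lacks_cmek(asset)]


def check_passes(inventory: list[dict[str, Any]]) -> bool:
    """Apply the expected check 'eq []': pass only if nothing is selected."""
    return instances_without_cmek(inventory) == []


if __name__ == "__main__":
    flagged = instances_without_cmek(SAMPLE_INVENTORY)
    print("Selected by check:", flagged)
    print("Control passes:", check_passes(SAMPLE_INVENTORY))
```

Running the script on the constructed sample selects the two instances with an empty or null `kmsKeyName` and reports the control as failing; once every record carries a key path, `check_passes` returns `True`, which is the `eq []` condition the connector evaluates.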
Google Cloud