Ensure that Google Cloud Logs Router data is encrypted with Customer-Managed Keys (CMKs) in order to have full control over your data encryption and decryption process and help meet compliance requirements. You can create and manage your own Customer-Managed Keys (CMKs) with Cloud Key Management Service (Cloud KMS). Cloud KMS provides secure and efficient encryption key management, controlled key rotation, and revocation mechanisms.
By default, the Google Cloud Logging service encrypts Logs Router data using Google-managed encryption keys. The cloud service manages this type of encryption without any additional actions from you and your application. However, if you want to fully control and manage logging data encryption yourself, you can use your own Customer-Managed Keys (CMKs). Also, if you need to achieve compliance or regulatory requirements, it is strongly recommended to encrypt your Google Cloud Logs Router data using customer-managed keys (CMKs).
Note: CMKs can be enabled for Logs Router data only at the GCP organization level. Once configured, it applies to all projects and folders within your Google Cloud organization.
To determine if your Google Cloud Logs Router data is encrypted with Customer-Managed Keys (CMKs), perform the following operations:Note: Verifying encryption configuration for your Google Cloud Logs Router using Google Cloud Platform (GCP) Console is not currently supported.
Remediation / Resolution
To enable encryption with Cloud KMS Customer-Managed Keys (CMKs) for your Logs Router data at the GCP organization level, perform the following operations:Note: Enabling KMS CMK-based encryption for your Google Cloud Logs Router using Google Cloud Platform (GCP) Console is not currently supported.
- Google Cloud Platform (GCP) Documentation
- Cloud Key Management
- Creating symmetric keys
- Cloud KMS resources
- ENCRYPTION AT REST
- Logs Router overview
- Enabling customer-managed encryption keys for Logs Router
Unlock the Remediation Steps
Gain free unlimited access
to our full Knowledge Base
Over 750 rules & best practices
Get started for FREE
You are auditing:
Enable Logs Router Encryption with Customer-Managed Keys
Risk level: High