Enable CMEK for Security Command Center

By default, Security Command Center encrypts customer content at rest. Security Command Center handles encryption for you without any additional actions on your part. This option is called Google default encryption.

If you want to control your encryption keys, then you can use customer-managed encryption keys (CMEKs) in Cloud KMS with CMEK-integrated services including Security Command Center. Using Cloud KMS keys gives you control over their protection level, location, rotation schedule, usage and access permissions, and cryptographic boundaries. Using Cloud KMS also lets you track key usage, view audit logs, and control key lifecycles. Instead of Google owning and managing the symmetric key encryption keys (KEKs) that protect your data, you control and manage these keys in Cloud KMS.

After you set up your resources with CMEKs, the experience of accessing your Security Command Center resources is similar to using Google default encryption. For more information about your encryption options, see Customer-managed encryption keys (CMEK).

To support separation of duties and greater control over access to keys, we recommend that you create and manage keys in a separate project that doesn't include other Google Cloud resources.

To use CMEK with Security Command Center, you must configure CMEK when you activate Security Command Center for an organization. You can't configure CMEK during project-level activation. To learn more, see Activate Security Command Center Standard or Premium for an organization.

When you use CMEK in Security Command Center, your projects can consume Cloud KMS cryptographic requests quotas. CMEK-encrypted instances consume quotas when reading or writing data in Security Command Center. Encryption and decryption operations using CMEK keys affect Cloud KMS quotas only if you use hardware (Cloud HSM) or external (Cloud EKM) keys. For more information, see Cloud KMS quotas.

CMEK encrypts the following data in Security Command Center and the Security Command Center API:

  • Findings
  • Notification configurations
  • BigQuery exports
  • Mute configs

Before you begin

Before you set up CMEK for Security Command Center, do the following:

  1. Install and initialize the Google Cloud CLI:

    1. Install the Google Cloud CLI.

    2. If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

    3. To initialize the gcloud CLI, run the following command: 

      gcloud init

  2. Create a Google Cloud project with Cloud KMS enabled. This is your key project.

  3. Create a key ring that is in the correct location. Your key ring location must correspond with the location where you plan to activate Security Command Center. To see which key ring locations correspond to each location Security Command Center, see the table in the Key location section of this document. For more information about how to create a key ring, see Create a key ring.

  4. Create a Cloud KMS key on the key ring. For more information about how to create a key on a key ring, see Create a key.

  5. To ensure that the Cloud Security Command Center Service Account has the necessary permissions to encrypt and decrypt data, ask your administrator to grant the Cloud Security Command Center Service Account the Cloud KMS CryptoKey Encrypter/Decrypter (roles/cloudkms.cryptoKeyEncrypterDecrypter) IAM role on the Cloud KMS key.

    For more information about granting roles, see Manage access to projects, folders, and organizations.

    Your administrator might also be able to give the Cloud Security Command Center Service Account the required permissions through custom roles or other predefined roles.

Key location

The location of your Cloud KMS key must correspond to the location where you activated Security Command Center. Use the following table to identify which Cloud KMS key location corresponds to which Security Command Center location.

Security Command Center location Cloud KMS key location
eu europe
global us
sa me-central2
us us

If you don't enable data residency when you activate Security Command Center, then use global for your Security Command Center location and us for your Cloud KMS key location. For more information about data residency, see Planning for data residency.

Limitations

If the organization you are activating contains one or more projects with Security Command Center, then you can't use CMEK for Security Command Center for that organization.

You can't change the Cloud KMS key or switch to Google-owned and Google-managed encryption key after activating Security Command Center.

You can rotate the key, which causes Security Command Center to use the new key version. However, some Security Command Center capabilities continue to use the old key for 30 days.

Set up CMEK for Security Command Center

To use CMEK with Security Command Center:

  1. During Security Command Center setup for an organization, on the Select services page, under Data encryption, select Change data encryption key management solution (optional). The Encryption option opens.
  2. Select Cloud KMS key.
  3. Select a project.
  4. Select a key. You can select a key from any Google Cloud project, including those not in the organization you are activating. Only keys in compatible locations display in the list. For more information about key locations for CMEK for Security Command Center, see the table in the Key location section.

After granting the role and completing Security Command Center setup, Security Command Center encrypts your data using your chosen Cloud KMS key.

Check CMEK configuration

To check that you successfully set up CMEK for Security Command Center:

  1. In Security Command Center, select Settings.
  2. Go to the Tier Detail tab.
  3. In Setup details > Data encryption, if CMEK for Security Command Center is set up, the key name displays as a link after Data encryption.

Pricing

Although there is no additional charge to enable CMEK in Security Command Center Standard and Premium, charges apply in Cloud KMS when Security Command Center uses your CMEK to encrypt and decrypt data. For more information, see Cloud KMS pricing.

Restore access to Security Command Center

With CMEK enabled, the Security Command Center service account requires access to your Cloud KMS key to function. Don't revoke the service account's permissions to the CMEK, disable the CMEK, or schedule the CMEK for destruction. These actions all cause the following Security Command Center capabilities to stop working:

  • Findings
  • Continuous exports configurations
  • BigQuery exports
  • Mute rules

If you try to use Security Command Center while the Cloud KMS key is unavailable, you will see an error message in Security Command Center or a FAILED_PRECONDITION error in the API.

You can lose Security Command Center capabilities due to a Cloud KMS key for one of the following reasons:

Restore access to Security Command Center after a key is revoked

To restore access to your key in Security Command Center grant the Cloud Security Command Center Service Account the Cloud KMS CryptoKey Encrypter/Decrypter role on the key:

gcloud kms keys add-iam-policy-binding KEY_NAME \
    --keyring KEY_RING \
    --location LOCATION \
    --member=serviceAccount:service-org-ORG_NUMBER@security-center-api.iam.gserviceaccount.com \
    --role=roles/cloudkms.cryptoKeyEncrypterDecrypter

Replace the following:

  • KEY_RING: the key ring for your Cloud KMS key
  • LOCATION: the location of your Cloud KMS key
  • KEY_NAME: the name of your Cloud KMS key
  • ORG_NUMBER: your organization number

Restore access to Security Command Center after a key is disabled

For more information about how to enable a disabled key, see Enable a key version.

Restore access to Security Command Center after a key is scheduled for destruction

For more information about how to restore a key that is scheduled for destruction, see Destroy and restore key versions.

After a key has been destroyed, you can't recover it and you can't restore access to Security Command Center.