Data protection

Dataproc cluster is not encrypted with customer-managed encryption key (CMEK)

Risk Level

Informational (4)

Platform(s)
Compliance Frameworks

Description

When you use Dataproc, cluster and job data is stored on Persistent Disks (PDs) associated with the Compute Engine VMs in your cluster and in a Cloud Storage staging bucket. By default, this PD and bucket data is encrypted using a Google-generated data encryption key (DEK) and key encryption key (KEK). You can have more control over the encryption key by using a customer-managed encryption key (CMEK), which allows you to create, use, and revoke the key-encryption key (KEK). It was detected that the Dataproc Cluster {GcpDataprocCluster} is not using customer-managed encryption keys (CMEK).
  • Recommended Mitigation

    It is recommended to use customer-managed encryption keys (CMEK) to provide an additional level of security for your data.