Enable CMEK for Security Command Center

By default, Security Command Center encrypts customer content at rest. Security Command Center handles encryption for you without any additional actions on your part. This option is called Google default encryption.

If you want to control your encryption keys, then you can use customer-managed encryption keys (CMEKs) in Cloud KMS with CMEK-integrated services including Security Command Center. Using Cloud KMS keys gives you control over their protection level, location, rotation schedule, usage and access permissions, and cryptographic boundaries. Using Cloud KMS also lets you track key usage, view audit logs, and control key lifecycles. Instead of Google owning and managing the symmetric key encryption keys (KEKs) that protect your data, you control and manage these keys in Cloud KMS.

After you set up your resources with CMEKs, the experience of accessing your Security Command Center resources is similar to using Google default encryption. For more information about your encryption options, see Customer-managed encryption keys (CMEK).

To support separation of duties and greater control over access to keys, we recommend that you create and manage keys in a separate project that doesn't include other Google Cloud resources.

When you use CMEK in Security Command Center, your projects can consume Cloud KMS cryptographic requests quotas. CMEK-encrypted instances consume quotas when reading or writing data in Security Command Center. Encryption and decryption operations using CMEK keys affect Cloud KMS quotas only if you use hardware (Cloud HSM) or external (Cloud EKM) keys. For more information, see Cloud KMS quotas.

To use Security Command Center with CMEK, you must choose CMEK when you activate a Security Command Center organization. After you activate Security Command Center, you can no longer configure data encryption. You can't configure CMEK during project-level activation. To learn more, see Activate Security Command Center Standard or Premium for an organization.

You can use CMEK organization policies to enforce your chosen encryption settings when you activate Security Command Center. For information about using CMEK organization policies with Security Command Center, see Use CMEK organization policies.

CMEK encrypts the following data in Security Command Center and the Security Command Center API:

  • Findings
  • Notification configurations
  • BigQuery exports
  • Mute configs

Before you begin

Before you set up CMEK for Security Command Center, do the following:

  1. Install and initialize the Google Cloud CLI:

    1. Install the Google Cloud CLI.

    2. If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

    3. To initialize the gcloud CLI, run the following command:

      gcloud init

  2. Create a Google Cloud project with Cloud KMS enabled. This is your key project.

  3. Create a key ring that is in the correct location. Your key ring location must correspond with the location where you plan to activate Security Command Center. To see which key ring locations correspond to each Security Command Center location, see the table in the Key location section of this document. For more information about how to create a key ring, see Create a key ring.

  4. Create a Cloud KMS key on the key ring. For more information about how to create a key on a key ring, see Create a key.

  5. To ensure that the Cloud Security Command Center Service Account has the necessary permissions to encrypt and decrypt data, ask your administrator to grant the Cloud Security Command Center Service Account the Cloud KMS CryptoKey Encrypter/Decrypter (roles/cloudkms.cryptoKeyEncrypterDecrypter) IAM role on the Cloud KMS key.

    For more information about granting roles, see Manage access to projects, folders, and organizations.

    Your administrator might also be able to give the Cloud Security Command Center Service Account the required permissions through custom roles or other predefined roles.

Key location

Your Cloud KMS key location must correspond to the location where you activated Security Command Center. The following table shows the corresponding Cloud KMS key location for each Security Command Center location.

Security Command Center location    Cloud KMS key location
eu                                  europe
global                              us
sa                                  me-central2
us                                  us

If you don't enable data residency when you activate Security Command Center, then use global for your Security Command Center location and us for your Cloud KMS key location. For more information about data residency, see Planning for data residency.

If you use the constraints/gcp.restrictNonCmekServices organization policy constraint with Security Command Center, CMEK is the only encryption option available to you.

Limitations

The following are limitations of using CMEK with Security Command Center:

  • If you already activated Security Command Center on an organization or a project in the organization you are activating, you can't use CMEK on Security Command Center for that organization.
  • You can't configure CMEK during project-level activation.
  • You can't change the Cloud KMS key or switch to Google-owned and Google-managed encryption key after activating Security Command Center.
  • You can rotate the key, which causes Security Command Center to use the new key version. However, some Security Command Center capabilities continue to use the old key for 30 days.

Use CMEK organization policies with Security Command Center

To enforce CMEK usage for Security Command Center, you can apply the following organization policies at the organization, folder, or project level:

  • constraints/gcp.restrictNonCmekServices, which requires you to use CMEK. If you set constraints/gcp.restrictNonCmekServices on an organization and you've listed Security Command Center as a restricted service required to use CMEK, you must use CMEK when you activate Security Command Center.
  • constraints/gcp.restrictCmekCryptoKeyProjects, which requires you to use a key from a specific project or set of projects when you use CMEK with Security Command Center. The constraints/gcp.restrictCmekCryptoKeyProjects organization policy, on its own, still lets you choose Google default encryption.

If you set both constraints/gcp.restrictNonCmekServices and constraints/gcp.restrictCmekCryptoKeyProjects on the organization where you activate Security Command Center, Security Command Center requires you to use CMEK and requires that the CMEK key is located in a specific project.

If you set constraints/gcp.restrictNonCmekServices on a project or folder, you must use CMEK on the organization where you activate Security Command Center and list Security Command Center as a restricted service or some Security Command Center features won't work correctly.

For information about how organization policies are evaluated across the Google Cloud resource hierarchy (organizations, folders, and projects), see Understanding hierarchy evaluation.

For general information about using CMEK organization policies, see CMEK organization policies.

Set up CMEK for Security Command Center

To use CMEK with Security Command Center:

  1. During Security Command Center setup for an organization, on the Select services page, under Data encryption, select Change data encryption key management solution (optional). The Encryption option opens.
  2. Select Cloud KMS key.
  3. Select a project.
  4. Select a key. You can select a key from any Google Cloud project, including those not in the organization you are activating. Only keys in compatible locations display in the list. For more information about key locations for CMEK for Security Command Center, see the table in the Key location section.

After granting the role and completing Security Command Center setup, Security Command Center encrypts your data using your chosen Cloud KMS key.

Check CMEK configuration

To check that you successfully set up CMEK for Security Command Center:

  1. In Security Command Center, select Settings.
  2. Go to the Tier Detail tab.
  3. Navigate to Setup details > Data encryption to view the key name. If CMEK for Security Command Center is set up, the key name is displayed as a link after Data encryption.

Troubleshooting CMEK for Security Command Center

Restore access to Security Command Center

With CMEK enabled, the Security Command Center service account requires access to your Cloud KMS key to function. Don't revoke the service account permissions to the CMEK, disable the CMEK, or schedule the CMEK for destruction. These actions all cause the following Security Command Center capabilities to stop working:

  • Findings
  • Continuous exports configurations
  • BigQuery exports
  • Mute rules

If the Cloud KMS key is unavailable when you try to use Security Command Center, you will see an error message or a FAILED_PRECONDITION API error.

You can lose Security Command Center capabilities when a Cloud KMS key has one of the issues described in the following sections:

Restore access to Security Command Center after a key is revoked

To restore access to your key in Security Command Center, grant the Cloud Security Command Center Service Account the Cloud KMS CryptoKey Encrypter/Decrypter role on the key:

gcloud kms keys add-iam-policy-binding KEY_NAME \
    --keyring KEY_RING \
    --location LOCATION \
    --member=serviceAccount:service-org-ORG_NUMBER@security-center-api.iam.gserviceaccount.com \
    --role=roles/cloudkms.cryptoKeyEncrypterDecrypter

Replace the following:

  • KEY_RING: the key ring for your Cloud KMS key
  • LOCATION: the location of your Cloud KMS key
  • KEY_NAME: the name of your Cloud KMS key
  • ORG_NUMBER: your organization number

Restore access to Security Command Center after a key is disabled

For more information about how to enable a disabled key, see Enable a key version.

Restore access to Security Command Center after a key is scheduled for destruction

For more information about how to restore a key that is scheduled for destruction, see Destroy and restore key versions.

After a key has been destroyed, you can't recover it and you can't restore access to Security Command Center.
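The Before you begin requirements (key location, key purpose, the Encrypter/Decrypter binding for the service account) and the key states this troubleshooting section describes, checked together in one script. This is an added example, not code from the Security Command Center documentation; the project, key ring, key names and organization number are constructed placeholders, and the inputs are dicts in the shape of the JSON that gcloud kms keys describe and gcloud kms keys get-iam-policy return.

```python
# Added example, not from the Security Command Center docs. Inputs are
# constructed dicts in the shape of `gcloud kms keys describe --format=json`
# and `gcloud kms keys get-iam-policy --format=json`; nothing is called.

# Security Command Center location -> required Cloud KMS key location (page table)
SCC_TO_KMS_LOCATION = {"eu": "europe", "global": "us", "sa": "me-central2", "us": "us"}
ROLE = "roles/cloudkms.cryptoKeyEncrypterDecrypter"

def scc_service_account(org_number: str) -> str:
    """IAM member string of the Security Command Center service account."""
    return f"serviceAccount:service-org-{org_number}@security-center-api.iam.gserviceaccount.com"

def check_cmek(scc_location: str, org_number: str, key: dict, policy: dict) -> list:
    """Return the problems found; an empty list means SCC can use this key."""
    problems = []
    # key["name"] has the form projects/P/locations/L/keyRings/R/cryptoKeys/K
    key_location = key["name"].split("/")[3]
    expected = SCC_TO_KMS_LOCATION.get(scc_location)
    if expected is None:
        problems.append(f"unknown Security Command Center location {scc_location!r}")
    elif key_location != expected:
        problems.append(f"key is in {key_location!r}; SCC location {scc_location!r} needs {expected!r}")
    if key.get("purpose") != "ENCRYPT_DECRYPT":
        problems.append("key purpose must be ENCRYPT_DECRYPT (symmetric encryption)")
    # The primary version's state decides whether SCC can still encrypt and
    # decrypt; each non-ENABLED state maps to a different restore action.
    state = key.get("primary", {}).get("state")
    if state == "DISABLED":
        problems.append("primary version is disabled: enable the key version")
    elif state == "DESTROY_SCHEDULED":
        problems.append("primary version is scheduled for destruction: restore it")
    elif state == "DESTROYED":
        problems.append("primary version is destroyed: access cannot be restored")
    elif state != "ENABLED":
        problems.append(f"primary version is in unexpected state {state!r}")
    sa = scc_service_account(org_number)
    bound = any(b.get("role") == ROLE and sa in b.get("members", [])
                for b in policy.get("bindings", []))
    if not bound:
        problems.append(f"{sa} lacks {ROLE}: add the IAM binding on the key")
    return problems

# Constructed samples: placeholder project, key ring, key and organization number.
KEY_OK = {"name": "projects/kms-key-project/locations/us/keyRings/scc-ring/cryptoKeys/scc-key",
          "purpose": "ENCRYPT_DECRYPT", "primary": {"state": "ENABLED"}}
KEY_DISABLED = {**KEY_OK, "primary": {"state": "DISABLED"}}
POLICY_OK = {"bindings": [{"role": ROLE, "members": [scc_service_account("123456789012")]}]}
```

Run it against real output by piping the two gcloud commands through json.load; an empty result for your activation location means the key meets every requirement on this page.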

Errors creating protected resources

If you experience an error with creating new findings, notification configurations, mute configurations, or BigQuery exports, check whether a CMEK organization policy is set for your organization or any projects or folders in that organization.

If you choose Google-owned and Google-managed encryption keys when you activate a Security Command Center organization, and you set the constraints/gcp.restrictNonCmekServices CMEK organization policy on a project or folder in the organization and list Security Command Center as a restricted service, you can't create new protected resources in that project or folder. For more information, see Use CMEK organization policies with Security Command Center.

Pricing

Although there is no additional charge to enable CMEK in Security Command Center Standard or Premium, charges apply in Cloud KMS when Security Command Center uses your CMEK to encrypt or decrypt data. For more information, see Cloud KMS pricing.