
Use Customer-Managed Encryption Keys for Cloud Tasks


Risk Level: High (not acceptable risk)

Ensure that all the Google Cloud tasks available within your GCP project are encrypted at rest with Customer-Managed Encryption Keys (CMEKs) instead of Google-managed encryption keys. CMEKs provide greater control over the encryption and decryption process, enabling you to meet stringent compliance requirements. In Google Cloud Tasks, Customer-Managed Encryption Keys (CMEKs) are enabled regionally, not per task. Enabling a CMEK for a region protects all new tasks created in that region. Existing tasks are not protected.

Security

By default, Google Cloud Tasks service encrypts all customer data at rest using Google-managed encryption keys. This type of encryption is handled by GCP without any additional effort from you or your application. However, if you prefer to have full control over data encryption, you can use your own Customer-Managed Encryption Key (CMEK). To create and manage your own CMEKs, utilize Cloud Key Management Service (Cloud KMS). Cloud KMS offers secure and efficient encryption key management, including controlled key rotation and revocation mechanisms.


Audit

To determine if your Google Cloud tasks are protected with Customer-Managed Encryption Keys (CMEKs), perform the following operations:

Getting the encryption configuration information for Cloud Tasks service using Google Cloud Management Console is not currently supported.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each project available in your Google Cloud Platform (GCP) account:

gcloud projects list \
	--format="table(projectId)"

02 The command output should return the requested GCP project IDs:

PROJECT_ID
cc-webapp-project-123123
cc-cloudai-project-112233

03 Run tasks cmek-config describe command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter and custom output filters to get the Customer-Managed Encryption Key (CMEK) used for Google Cloud tasks encryption in the specified region:

gcloud tasks cmek-config describe \
	--project=cc-web-project-123123 \
	--location=us-central1 \
	--format="yaml(kmsKey)"

04 The command output should return the ID (i.e., fully qualified identifier) of the requested CMEK:

null

If the tasks cmek-config describe command output returns null, as shown in the example above, the tasks managed with Google Cloud Tasks in the specified region are not encrypted at rest using a Cloud KMS Customer-Managed Encryption Key (CMEK).

05 Repeat steps no. 3 and 4 for each Google Cloud region with Cloud Tasks resources.

06 Repeat steps no. 3 – 5 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

To enable encryption at rest with Customer-Managed Encryption Keys (CMEKs) for all your Google Cloud tasks, perform the following operations:

Enabling encryption at rest with CMEKs for Cloud Tasks resources using Google Cloud Management Console is not currently supported.

Using GCP CLI

01 Before you can create your own Customer-Managed Encryption Key (CMEK), you have to provision a key ring. A Cloud KMS key ring is a grouping of cryptographic keys made available for organizational purposes in a specific Google Cloud location. Run kms keyrings create command (Windows/macOS/Linux) to create a new Cloud KMS key ring in the specified location. If the keys deployed later within this key ring will be used to encrypt resources in a given region, select that region as the key ring location:

gcloud kms keyrings create cc-project5-key-ring \
	--location=us-central1 \
	--project=cc-web-project-123123 \
	--format="table(name)"

02 The command output should return the resource name of the newly created key ring:

NAME: projects/cc-web-project-123123/locations/us-central1/keyRings/cc-project5-key-ring

03 Run kms keys create command (Windows/macOS/Linux) to create a new Customer-Managed Encryption Key (CMEK) within the Cloud KMS key ring created in the previous step:

gcloud kms keys create cc-project5-kms-key \
	--location=us-central1 \
	--keyring=cc-project5-key-ring \
	--purpose=encryption \
	--protection-level=software \
	--rotation-period=90d \
	--next-rotation-time=2025-06-15T10:00:00.0000Z \
	--format="table(name)"

04 The command output should return the full resource name of the new Customer-Managed Encryption Key:

NAME: projects/cc-web-project-123123/locations/us-central1/keyRings/cc-project5-key-ring/cryptoKeys/cc-project5-kms-key

05 Run kms keys add-iam-policy-binding command (Windows/macOS/Linux) to add the required IAM policy binding to your CMEK. This assigns the Cloud KMS CryptoKey Encrypter/Decrypter role to the associated service account (i.e., service-<project-number>@gcp-sa-cloudtasks.iam.gserviceaccount.com). Replace <project-number> with your Google Cloud Platform (GCP) project number:

gcloud kms keys add-iam-policy-binding cc-project5-kms-key \
	--keyring=cc-project5-key-ring \
	--location=us-central1 \
	--member="serviceAccount:service-123456789012@gcp-sa-cloudtasks.iam.gserviceaccount.com" \
	--role=roles/cloudkms.cryptoKeyEncrypterDecrypter

06 The command output should return the updated IAM policy (YAML format):

Updated IAM policy for key [cc-project5-kms-key].
bindings:
- members:
  - serviceAccount:service-123456789012@gcp-sa-cloudtasks.iam.gserviceaccount.com
  role: roles/cloudkms.cryptoKeyEncrypterDecrypter
etag: ABCD1234ABCD
version: 1

07 Run the tasks cmek-config update command (Windows/macOS/Linux) to enable encryption at rest for all Google Cloud tasks in the specified region, using your own Cloud KMS Customer-Managed Encryption Key (CMEK). For the --kms-key-name command parameter, specify the fully qualified identifier of the CMEK returned in step no. 4:

gcloud tasks cmek-config update \
	--project=cc-web-project-123123 \
	--location=us-central1 \
	--kms-key-name="projects/cc-web-project-123123/locations/us-central1/keyRings/cc-project5-key-ring/cryptoKeys/cc-project5-kms-key"

08 The command output should return the operation status and the ID of the implemented CMEK:

Updated Cmek config for KMS key: [projects/cc-web-project-123123/locations/us-central1/keyRings/cc-project5-key-ring/cryptoKeys/cc-project5-kms-key].
kmsKey: projects/cc-web-project-123123/locations/us-central1/keyRings/cc-project5-key-ring/cryptoKeys/cc-project5-kms-key
name: projects/cc-web-project-123123/locations/us-central1/cmekConfig

09 Repeat steps no. 1 – 8 for each Google Cloud region with Cloud Tasks resources.

10 Repeat steps no. 1 – 9 for each GCP project deployed in your Google Cloud account.
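As an added example that is not part of the original page, the shell script below automates the Audit procedure (steps 01 – 06) over every project and region and also checks the service-agent binding from Remediation step 05. It assumes an authenticated gcloud CLI and an edited REGIONS list; invoke it with --run to audit, or source it to use the functions.

```shell
#!/usr/bin/env sh
# Added example (not from the knowledge base page): audit Cloud Tasks CMEK
# configuration across projects and regions and check the service-agent
# binding. Assumes an authenticated gcloud CLI; REGIONS is an assumed list.
# Classify the kmsKey value returned by
# `gcloud tasks cmek-config describe --format="value(kmsKey)"`.
# An empty or null value means Google-managed keys are still in use.
classify_cmek() {
  case "$1" in
    ""|null|None) echo "GOOGLE_MANAGED" ;;
    projects/*/locations/*/keyRings/*/cryptoKeys/*) echo "CMEK" ;;
    *) echo "UNEXPECTED" ;;
  esac
}

# Extract the location from a full key resource name; the key must live in
# the same region as the Cloud Tasks cmekConfig it protects.
key_location() {
  printf '%s\n' "$1" | cut -d/ -f4
}

# Cloud Tasks service agent for a project number (format from the page).
tasks_service_agent() {
  printf 'serviceAccount:service-%s@gcp-sa-cloudtasks.iam.gserviceaccount.com\n' "$1"
}

# True when the key's IAM policy binds the agent to cryptoKeyEncrypterDecrypter
# (remediation step 05). Accepts the full key resource name.
agent_has_binding() {
  gcloud kms keys get-iam-policy "$1" \
    --flatten="bindings[].members" \
    --filter="bindings.role:roles/cloudkms.cryptoKeyEncrypterDecrypter" \
    --format="value(bindings.members)" 2>/dev/null | grep -qx "$2"
}

# One audit row per project/region: PROJECT REGION STATUS KEY
audit_region() {
  key=$(gcloud tasks cmek-config describe --project="$1" \
          --location="$2" --format="value(kmsKey)" 2>/dev/null)
  printf '%s\t%s\t%s\t%s\n' "$1" "$2" "$(classify_cmek "$key")" "${key:--}"
}

# Entry point: runs only with --run, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
  REGIONS="us-central1 us-east1 europe-west1"   # assumed list; edit as needed
  for project in $(gcloud projects list --format="value(projectId)"); do
    for region in $REGIONS; do audit_region "$project" "$region"; done
  done
fi
```

Any row reporting GOOGLE_MANAGED is a region that still needs the Remediation steps above; after remediation, confirm the binding with agent_has_binding "<key resource name>" "$(tasks_service_agent <project-number>)".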

Publication date Mar 27, 2025