diff --git a/jupiterone/questions/questions.yaml b/jupiterone/questions/questions.yaml
index efa2527f..26ecbc65 100644
--- a/jupiterone/questions/questions.yaml
+++ b/jupiterone/questions/questions.yaml
@@ -589,6 +589,32 @@ questions:
 requirements:
 - '1.18'
+- id: integration-question-google-dataproc-cmek
+ title: Ensure that Dataproc Cluster is encrypted using Customer-Managed Encryption Key
+ description: >
+ When you use Dataproc, cluster and job data is stored on Persistent Disks (PDs) associated with the Compute Engine VMs in your cluster and in a Cloud Storage staging bucket. This PD and bucket data is encrypted using a Google-generated data encryption key (DEK) and key encryption key (KEK). The CMEK feature allows you to create, use, and revoke the key encryption key (KEK). Google still controls the data encryption key (DEK).
+ queries:
+ - name: good
+ query: |
+ FIND google_dataproc_cluster WITH encrypted = true AND kmsKeyName ~= "cmek"
+ - name: bad
+ query: |
+ FIND google_dataproc_cluster WITH encrypted != true OR kmsKeyName !~= "cmek"
+ tags:
+ - google-cloud
+ - customer-managed-encryption-key
+ - encryption
+ compliance:
+ - standard: CIS Google Cloud Foundations 1.1
+ requirements:
+ - '1.17'
+ - standard: CIS Google Cloud Platform Foundation Benchmark 1.3
+ requirements:
+ - '1.17'
+ - standard: CIS Google Cloud Platform Foundation Benchmark 2.0.0
+ requirements:
+ - '1.17'
+
 - id: integration-question-google-cloud-iam-all-user-policies
 title: Which policies are bound to “allUsers” or “allAuthenticatedUsers”?
 description: >
@@ -1171,7 +1197,7 @@ questions:
 find google_compute_subnetwork WITH flowLogsEnabled != true
 tags:
 - google-cloud
- - VPC-flowlogs
+ - VPC-flow-logs
 - logging
 compliance:
 - standard: CIS Google Cloud Foundations 1.1
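Review bot: The `good` and `bad` queries in the new dataproc-cmek question decide compliance with `kmsKeyName ~= "cmek"`, a substring match on the KMS key's resource name, so a customer-managed key whose name does not contain "cmek" is reported as bad while any key that merely has "cmek" in its name passes; the check should test for the presence of a customer-supplied key rather than for a naming convention. If the integration leaves `kmsKeyName` unset on clusters using Google-managed keys (please confirm against the `google_dataproc_cluster` entity), the pair would be `FIND google_dataproc_cluster WITH encrypted = true AND kmsKeyName != undefined` and `FIND google_dataproc_cluster WITH encrypted != true OR kmsKeyName = undefined`. If the substring match is deliberate, a line in the description stating the assumed key-naming convention would keep the next reader from treating this as a true CMEK check. The `requirements:` context at the top belongs to the preceding question and the `- id:`/`title:`/`description:` context at the bottom to the following one; both of those entries continue outside the hunk.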