Google storage bucket does not use customer-managed keys to encrypt data

Affecting Cloud Storage service in Google


    Severity medium
    Severity Framework Snyk CCSS
    Rule category Data / Encryption at Rest

    Frameworks
    CSA-CCM GDPR NIST-800-53 SOC-2
  • Snyk ID SNYK-CC-00371
  • credit Snyk Research Team

Description

When a bucket has no customer-managed key configured, Google manages the encryption keys on its servers and could access the data without authorization.

How to fix?

Use encryption keys from a self-managed key management service and set `default_kms_key_name` in the bucket's `encryption` block accordingly.

Example Configuration

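resource "google_storage_bucket" "allow" {
  name          = "image-store.com"
  location      = "EU"
  force_destroy = true

  # Default customer-managed key for objects written to this bucket.
  # "dummy_key" is a placeholder for the Cloud KMS key's resource name.
  encryption {
    default_kms_key_name = "dummy_key"
  }

  uniform_bucket_level_access = true
}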
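
The following is an added example, not part of the original Snyk rule page: a fuller configuration that creates the Cloud KMS key the `encryption` block refers to and grants the Cloud Storage service agent permission to use it. All resource names, the bucket name and the rotation period are assumptions chosen for illustration.

```hcl
# Added example. Names such as "bucket-keyring", "bucket-key" and
# "example-cmek-bucket" are hypothetical.

# Service agent that Cloud Storage uses to call Cloud KMS in this project.
data "google_storage_project_service_account" "gcs" {}

# The key ring location must match the bucket location:
# an "EU" multi-region bucket needs a key in the "europe" multi-region.
resource "google_kms_key_ring" "bucket" {
  name     = "bucket-keyring"
  location = "europe"
}

resource "google_kms_crypto_key" "bucket" {
  name            = "bucket-key"
  key_ring        = google_kms_key_ring.bucket.id
  rotation_period = "7776000s" # 90 days (assumed policy)

  # Destroying the key makes objects encrypted with it unreadable.
  lifecycle {
    prevent_destroy = true
  }
}

# Without this binding, writes to the bucket fail because the service
# agent cannot encrypt or decrypt with the key.
resource "google_kms_crypto_key_iam_member" "gcs_encrypter" {
  crypto_key_id = google_kms_crypto_key.bucket.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:${data.google_storage_project_service_account.gcs.email_address}"
}

resource "google_storage_bucket" "cmek" {
  name                        = "example-cmek-bucket"
  location                    = "EU"
  uniform_bucket_level_access = true

  encryption {
    # Full key resource name:
    # projects/<project>/locations/europe/keyRings/<ring>/cryptoKeys/<key>
    default_kms_key_name = google_kms_crypto_key.bucket.id
  }

  # Create the IAM binding before the bucket so the key is usable.
  depends_on = [google_kms_crypto_key_iam_member.gcs_encrypter]
}
```

Access to the key is then governed by IAM on the Cloud KMS key itself, so restrict who can administer or use it separately from who can administer the bucket.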