Encryption key is exposed in instance template configuration
Affecting Compute Engine service in Google


Score: 0.0
Severity: high
Severity framework: Snyk CCSS
Rule category: Data / Encryption at Rest

Frameworks: CIS-Controls, CSA-CCM
  • Snyk ID: SNYK-CC-00392
  • Credit: Snyk Research Team

Description

Setting boot_disk.disk_encryption_key_raw hardcodes the raw customer-supplied encryption key (CSEK) for the boot disk into the Terraform configuration. The key material is then readable by everyone with access to the configuration source code (repository history, pull requests, CI logs) and is also written into the Terraform state, so anyone who can read the state file can recover it. Rotating the key means editing and re-applying the configuration, and a key leaked this way exposes every disk encrypted with it.

How to fix?

Remove boot_disk.disk_encryption_key_raw from the resource and instead reference a Cloud KMS customer-managed key through boot_disk.kms_key_self_link. The key material then never leaves KMS; the configuration only carries the key's resource name. Note that Compute Engine encrypts the disk on your behalf using its service agent (service-PROJECT_NUMBER@compute-system.iam.gserviceaccount.com), so that service account must hold roles/cloudkms.cryptoKeyEncrypterDecrypter on the key before the instance is created, and the key should be located in the same region as the instance.

Example Configuration

# Compliant: the boot disk is encrypted with a Cloud KMS key referenced by
# name; no key material appears in the configuration.
resource "google_compute_instance" "allow_2" {
  name         = "allow2"
  machine_type = "e2-medium"
  zone         = "us-central1-a"

  network_interface {
    network = "default"
  }

  boot_disk {
    # Reference to the KMS key, not the key itself
    kms_key_self_link = google_kms_crypto_key.crypto-key.id

    initialize_params {
      image = "debian-cloud/debian-11"
    }
  }
}

# Key ring that holds the customer-managed key
resource "google_kms_key_ring" "keyring" {
  name     = "dummy-keyring-1"
  location = "global"
}

# The key itself; rotation is handled by KMS, not by editing this file
resource "google_kms_crypto_key" "crypto-key" {
  name            = "dummy-key-1"
  key_ring        = google_kms_key_ring.keyring.id
  rotation_period = "100000s"
}
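The following is an added example, not part of the Snyk rule page or of any Google-provided code. It shows the flagged pattern (a raw CSEK hardcoded in boot_disk) beside the corrected form, and adds the IAM grant that the fix requires for the Compute Engine service agent. The resource names, key ring location, rotation period and the base64 key value are placeholders chosen for illustration; the key value is the 32-byte example string used in Google's CSEK documentation and must never be reused for a real disk.

```hcl
# ---------------------------------------------------------------------------
# BEFORE: flagged by SNYK-CC-00392. The raw customer-supplied encryption key
# is committed with the configuration and lands in Terraform state.
# ---------------------------------------------------------------------------
resource "google_compute_instance" "with_raw_key" {
  name         = "raw-key-vm"
  machine_type = "e2-medium"
  zone         = "us-central1-a"

  network_interface {
    network = "default"
  }

  boot_disk {
    # Base64-encoded 256-bit key hardcoded in source: this is the finding.
    # (Placeholder value from Google's CSEK docs, not a real key.)
    disk_encryption_key_raw = "SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0="

    initialize_params {
      image = "debian-cloud/debian-11"
    }
  }
}

# ---------------------------------------------------------------------------
# AFTER: the disk is encrypted with a Cloud KMS key referenced by name.
# ---------------------------------------------------------------------------
data "google_project" "current" {}

# Key ring in the same region as the instance (placeholder names).
resource "google_kms_key_ring" "vm_disks" {
  name     = "vm-disk-keyring"
  location = "us-central1"
}

resource "google_kms_crypto_key" "boot_disk" {
  name            = "vm-boot-disk-key"
  key_ring        = google_kms_key_ring.vm_disks.id
  rotation_period = "7776000s" # 90 days; KMS rotates, no config change needed
}

# Compute Engine encrypts the disk through its service agent, so that account
# needs encrypt/decrypt on the key before the instance is created.
resource "google_kms_crypto_key_iam_member" "compute_agent" {
  crypto_key_id = google_kms_crypto_key.boot_disk.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-${data.google_project.current.number}@compute-system.iam.gserviceaccount.com"
}

resource "google_compute_instance" "with_kms_key" {
  name         = "kms-key-vm"
  machine_type = "e2-medium"
  zone         = "us-central1-a"

  network_interface {
    network = "default"
  }

  boot_disk {
    # Only the key's resource name is stored; the key material stays in KMS.
    kms_key_self_link = google_kms_crypto_key.boot_disk.id

    initialize_params {
      image = "debian-cloud/debian-11"
    }
  }

  # Ensure the IAM grant exists before Compute Engine tries to use the key;
  # otherwise creation fails with a permission error on the key.
  depends_on = [google_kms_crypto_key_iam_member.compute_agent]
}
```

A quick check for the flagged pattern across a repository is to search for the attribute name (for example `grep -rn disk_encryption_key_raw --include='*.tf' .`); any hit should be replaced with a `kms_key_self_link` reference as above, and the exposed key treated as compromised and rotated.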