GKE data encryption-at-rest is not enabled Affecting Kubernetes (Container) Engine service in Google
Severity Framework
Snyk CCSS
Rule category
Data / Encryption at Rest
Is your enviroment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsFrameworks
- Snyk ID SNYK-CC-00714
- credit Snyk Research Team
Description
Data encryption-at-rest is not enabled for GKE, which increases the risk of unauthorized access to sensitive data stored in persistent disks. Enabling encryption-at-rest ensures that data is protected even if the underlying storage media is compromised.
How to fix?
Set the node_config.boot_disk_kms_key attribute to valid encrypted CMEK.
Example Configuration
data "google_project" "project" {}
data "google_kms_key_ring" "my_key_ring" {
name = "keyring-example-714"
location = "us-central1"
}
resource "google_kms_crypto_key" "example-key" {
name = "crypto-key-example-714"
key_ring = data.google_kms_key_ring.my_key_ring.id
purpose = "ENCRYPT_DECRYPT"
}
resource "google_kms_crypto_key_iam_binding" "crypto_key-role-1" {
crypto_key_id = google_kms_crypto_key.example-key.id
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
members = [
"serviceAccount:service-${data.google_project.project.number}@compute-system.iam.gserviceaccount.com",
"serviceAccount:service-${data.google_project.project.number}@container-engine-robot.iam.gserviceaccount.com",
]
}
resource "google_container_cluster" "valid-cluster-714" {
name = "valid-example-714"
location = "us-central1-a"
initial_node_count = 3
deletion_protection = false
node_config {
boot_disk_kms_key = google_kms_crypto_key.example-key.id
disk_size_gb = 10
}
}