Customer-supplied encryption keys are not used to encrypt VM compute instance Affecting Compute Engine service in Google


Severity

0.0
medium
0
10
    Severity Framework
    Snyk CCSS
    Rule category
    Data / Encryption at Rest

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
    Frameworks
    CSA-CCM GDPR NIST-800-53 SOC-2
  • Snyk ID SNYK-CC-00391
  • credit Snyk Research Team

Description

Google will store your keys on its servers and could access the data without your authorization.

How to fix?

Set the disk_encryption_key_raw or kms_key_self_link attribute on boot_disk and attached_disk to a customer-supplied encryption key.

Example Configuration

# Example with disk_encryption_key_raw
resource "google_compute_instance" "boot_disk_allow_1" {
  name         = "test"
  machine_type = "e2-medium"
  zone         = "us-central1-a"

  network_interface {
    network = "default"
  }

  boot_disk {
    disk_encryption_key_raw = "test_dummy_key"
  }
}

resource "google_compute_instance" "boot_disk_with_attached_disk_allow_1" {
  name         = "test"
  machine_type = "e2-medium"
  zone         = "us-central1-a"

  network_interface {
    network = "default"
  }

  boot_disk {
    disk_encryption_key_raw = "test_dummy_key"
  }
  attached_disk {
    disk_encryption_key_raw = "test_dummy_key"
  }
}

# Example with kms_key_self_link
resource "google_compute_instance" "boot_disk_allow_2" {
  name         = "test"
  machine_type = "e2-medium"
  zone         = "us-central1-a"

  network_interface {
    network = "default"
  }

  boot_disk {
    kms_key_self_link = "test_dummy_key"
  }
}

resource "google_compute_instance" "boot_disk_with_attached_disk_allow_2" {
  name         = "test"
  machine_type = "e2-medium"
  zone         = "us-central1-a"

  network_interface {
    network = "default"
  }

  boot_disk {
    kms_key_self_link = "test_dummy_key"
  }
  
  attached_disk {
    kms_key_self_link = "test_dummy_key"
  }
}