Google Cloud Storage bucket is encrypted at rest
Affecting: Cloud Storage service in Google


Severity: medium
Severity Framework: Snyk CCSS
Rule category: Data / Encryption at Rest

  • Snyk ID: SNYK-CC-00722
  • Credit: Snyk Research Team

Description

Google Cloud Storage (GCS) encrypts all stored data at rest automatically: by default, objects are encrypted server-side with Google-managed keys and no extra configuration is needed. For control over the keys themselves, you can instead use Customer-Managed Encryption Keys (CMEK) held in Cloud KMS, which is what this rule checks for.

How to fix?

Set the encryption.default_kms_key_name option in the storage bucket configuration to a Cloud KMS key, and grant the project's Cloud Storage service agent the roles/cloudkms.cryptoKeyEncrypterDecrypter role on that key; without that grant, writes to the bucket fail. The example below shows both steps.

Example Configuration

# Current project, resolved from the provider configuration.
data "google_project" "project" {}

# Customer-managed key in Cloud KMS. The key ring must be in the same
# location as the bucket that uses the key (us-central1 here).
resource "google_kms_crypto_key" "my-key" {
  name     = "crypto-key-example-11"
  key_ring = "projects/test-project/locations/us-central1/keyRings/keyring-example-714"
  purpose  = "ENCRYPT_DECRYPT"
}

# Cloud Storage service agent of the current project: the identity that
# encrypts and decrypts objects with the key on the bucket's behalf.
data "google_storage_project_service_account" "gcs_account" {
}

# Grant the service agent use of the key. Note that an iam_binding is
# authoritative for this role on the key: any other member holding the
# role on it is removed.
resource "google_kms_crypto_key_iam_binding" "binding" {
  crypto_key_id = google_kms_crypto_key.my-key.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"

  members = [
    "serviceAccount:${data.google_storage_project_service_account.gcs_account.email_address}",
  ]
}

resource "google_storage_bucket" "allowed" {
  name          = "storage-buck-rule-722"
  location      = "us-central1"
  force_destroy = true # demo setting: lets terraform destroy delete a non-empty bucket
  encryption {
    default_kms_key_name = google_kms_crypto_key.my-key.id
  }
  # The grant must exist before the bucket is created with the key.
  depends_on = [google_kms_crypto_key_iam_binding.binding]
}
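As an added example, not code from the Snyk page, the script below applies this rule's logic to the JSON that a terraform show -json run produces, which is the form in which plans are usually scanned. It flags every managed google_storage_bucket that sets no non-empty encryption.default_kms_key_name, descends into child modules, and treats a key name that is known only after apply (the page's own example, where the key is created in the same plan) as compliant by consulting after_unknown. The plan layout modelled here and the sample resources are assumptions constructed for the example; only the keys the script reads are included.

```python
"""Flag google_storage_bucket resources in a Terraform plan that rely on
Google-managed keys only, i.e. set no encryption.default_kms_key_name."""
import json
from typing import Any, Dict, Iterator, List

# Constructed sample in the shape of `terraform show -json` output (assumption:
# only the keys this script reads are modelled; real plans carry many more).
KEY_ID = ("projects/test-project/locations/us-central1/keyRings/"
          "keyring-example-714/cryptoKeys/crypto-key-example-11")
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "planned_values": {"root_module": {
        "resources": [
            {"address": "google_storage_bucket.allowed", "mode": "managed",
             "type": "google_storage_bucket", "name": "allowed",
             "values": {"name": "storage-buck-rule-722", "location": "us-central1",
                        "encryption": [{"default_kms_key_name": KEY_ID}]}},
            {"address": "google_storage_bucket.google_managed", "mode": "managed",
             "type": "google_storage_bucket", "name": "google_managed",
             "values": {"name": "bucket-google-managed", "location": "us-central1",
                        "encryption": []}},
            # Key created in the same plan: its id is known only after apply, so
            # planned_values shows an empty block and after_unknown marks it.
            {"address": "google_storage_bucket.pending_key", "mode": "managed",
             "type": "google_storage_bucket", "name": "pending_key",
             "values": {"name": "bucket-pending-key", "location": "us-central1",
                        "encryption": [{}]}},
        ],
        "child_modules": [{"address": "module.logs", "resources": [
            {"address": "module.logs.google_storage_bucket.empty_key", "mode": "managed",
             "type": "google_storage_bucket", "name": "empty_key",
             "values": {"name": "bucket-empty-key", "location": "us-central1",
                        "encryption": [{"default_kms_key_name": ""}]}},
        ]}],
    }},
    "resource_changes": [
        {"address": "google_storage_bucket.pending_key", "type": "google_storage_bucket",
         "change": {"actions": ["create"],
                    "after_unknown": {"encryption": [{"default_kms_key_name": True}]}}},
    ],
})


def iter_resources(module: Dict[str, Any]) -> Iterator[Dict[str, Any]]:
    """Yield every resource in a plan module, descending into child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def bucket_has_cmek(values: Dict[str, Any]) -> bool:
    """True when the bucket sets a non-empty encryption.default_kms_key_name.
    An empty string counts as absent: GCS then falls back to Google-managed keys."""
    for block in values.get("encryption") or []:
        key = block.get("default_kms_key_name")
        if isinstance(key, str) and key.strip():
            return True
    return False


def key_known_after_apply(plan: Dict[str, Any], address: str) -> bool:
    """True when the plan marks the key name as unknown until apply (for example
    it references a google_kms_crypto_key created in the same run)."""
    for change in plan.get("resource_changes", []):
        if change.get("address") != address:
            continue
        unknown = change.get("change", {}).get("after_unknown", {})
        for block in unknown.get("encryption") or []:
            if block.get("default_kms_key_name") is True:
                return True
    return False


def find_buckets_without_cmek(plan_json: str) -> List[str]:
    """Return the addresses of managed google_storage_bucket resources in the
    plan that have no customer-managed default key."""
    plan = json.loads(plan_json)
    root = plan.get("planned_values", {}).get("root_module", {})
    findings: List[str] = []
    for res in iter_resources(root):
        if res.get("type") != "google_storage_bucket" or res.get("mode") != "managed":
            continue
        values = res.get("values") or {}
        if bucket_has_cmek(values) or key_known_after_apply(plan, res["address"]):
            continue
        findings.append(res["address"])
    return findings


if __name__ == "__main__":
    for address in find_buckets_without_cmek(SAMPLE_PLAN_JSON):
        print(f"SNYK-CC-00722: {address} sets no default_kms_key_name")
```

Run against a real plan with terraform show -json tfplan > plan.json and pass the file contents to find_buckets_without_cmek. The after_unknown check matters in practice: a bucket whose key is created in the same apply would otherwise be reported as a false positive on the first run.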