Google Cloud Storage bucket is encrypted at rest
Affecting Cloud Storage service in Google


Severity: medium
Severity Framework: Snyk CCSS
Rule category: Data / Encryption at Rest

  • Snyk ID SNYK-CC-00722
  • credit Snyk Research Team

Description

Google Cloud Storage (GCS) always encrypts object data at rest: by default it uses Google-managed encryption keys, with no configuration required. For control over the key lifecycle (rotation, revocation, and auditing of key use), a bucket can instead be configured with a customer-managed encryption key (CMEK) from Cloud KMS as its default key. This rule reports buckets that have no default Cloud KMS key set.

How to fix?

Set encryption.default_kms_key_name on the google_storage_bucket resource to the full resource name of a Cloud KMS key (projects/.../locations/.../keyRings/.../cryptoKeys/...). Two preconditions apply: the key's location must be compatible with the bucket's location, and the project's Cloud Storage service agent must already hold roles/cloudkms.cryptoKeyEncrypterDecrypter on the key, otherwise bucket creation and object writes fail.

Example Configuration

# Cloud KMS key that becomes the bucket's default CMEK. The key ring is
# referenced by its full resource name and must already exist; its location
# must be compatible with the bucket's location (us-central1 here).
resource "google_kms_crypto_key" "my-key" {
  name     = "crypto-key-example-11"
  key_ring = "projects/test-project/locations/us-central1/keyRings/keyring-example-714"
  purpose  = "ENCRYPT_DECRYPT"
}

# The project's Cloud Storage service agent. GCS uses this identity to call
# Cloud KMS when it encrypts and decrypts objects in the bucket.
data "google_storage_project_service_account" "gcs_account" {
}

# Grant the service agent encrypt/decrypt on the key. Without this grant,
# creating the bucket with a default key (and every later object write) fails.
# Note that *_iam_binding is authoritative for the role on this key: it removes
# any other members holding that role. Use google_kms_crypto_key_iam_member to
# add a member without touching existing ones.
resource "google_kms_crypto_key_iam_binding" "binding" {
  crypto_key_id = google_kms_crypto_key.my-key.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"

  members = [
    "serviceAccount:${data.google_storage_project_service_account.gcs_account.email_address}",
  ]
}

# The bucket. default_kms_key_name is the setting this rule checks; depends_on
# ensures the IAM grant exists before the bucket is created with the key.
resource "google_storage_bucket" "allowed" {
  name          = "storage-buck-rule-722"
  location      = "us-central1"
  force_destroy = true
  encryption {
    default_kms_key_name = google_kms_crypto_key.my-key.id
  }
  depends_on = [google_kms_crypto_key_iam_binding.binding]
}
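The Terraform above fixes one bucket at creation time. To find buckets that already violate the rule, the same check can be run over bucket metadata exported from the Cloud Storage JSON API (buckets.get or buckets.list return `name`, `location` and `encryption.defaultKmsKeyName`). The following is an added example, not Snyk's rule implementation or any Google library code: it flags buckets with no default Cloud KMS key, buckets whose key name is not a valid Cloud KMS resource name, and buckets whose key location does not match the bucket location. The sample metadata is constructed inline and reuses the key and key-ring names from the Terraform example; the strict location comparison is a simplification (dual-region buckets may use a key in the containing multi-region), so a mismatch is reported for review rather than accepted.

```python
"""Audit Cloud Storage bucket metadata for a default customer-managed key.

Each input is a bucket resource as returned by the Cloud Storage JSON API;
only the `name`, `location` and `encryption.defaultKmsKeyName` fields are read.
"""
import re
from typing import Dict, List, Optional

# Cloud KMS key resource name. The location segment is what matters here,
# because Cloud Storage requires the key's location to be compatible with the
# bucket's location.
KMS_KEY_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/(?P<ring>[^/]+)/cryptoKeys/(?P<key>[^/]+)$"
)


def kms_key_location(key_name: str) -> Optional[str]:
    """Return the location segment of a Cloud KMS key name, or None if malformed."""
    match = KMS_KEY_RE.match(key_name)
    return match.group("location") if match else None


def check_bucket(bucket: Dict) -> List[str]:
    """Return findings for one bucket; an empty list means it passes the rule."""
    name = bucket.get("name", "<unnamed>")
    key_name = (bucket.get("encryption") or {}).get("defaultKmsKeyName")
    if not key_name:
        # Data is still encrypted at rest, but only with Google-managed keys.
        return [f"{name}: no default_kms_key_name; bucket relies on Google-managed keys"]

    location = kms_key_location(key_name)
    if location is None:
        return [f"{name}: defaultKmsKeyName is not a Cloud KMS key resource name: {key_name}"]

    # Simplification (assumption of this example): exact match only. Dual-region
    # buckets may legitimately use a key in the containing multi-region, so a
    # mismatch is flagged for manual review rather than silently accepted.
    bucket_location = str(bucket.get("location", "")).lower()
    if location.lower() != bucket_location:
        return [f"{name}: key location '{location}' does not match bucket location "
                f"'{bucket_location}'; verify against Cloud KMS location rules"]
    return []


def audit(buckets: List[Dict]) -> Dict[str, List[str]]:
    """Map each bucket name to its findings."""
    return {b["name"]: check_bucket(b) for b in buckets}


# Constructed sample metadata (not real buckets), one per case the check covers.
_KEY = ("projects/test-project/locations/us-central1/keyRings/keyring-example-714"
        "/cryptoKeys/crypto-key-example-11")
SAMPLE_BUCKETS = [
    {"name": "ok-bucket", "location": "US-CENTRAL1",
     "encryption": {"defaultKmsKeyName": _KEY}},
    {"name": "no-cmek-bucket", "location": "US-CENTRAL1"},
    {"name": "wrong-location-bucket", "location": "EUROPE-WEST1",
     "encryption": {"defaultKmsKeyName": _KEY}},
    {"name": "bad-key-bucket", "location": "US-CENTRAL1",
     "encryption": {"defaultKmsKeyName": "crypto-key-example-11"}},
]

if __name__ == "__main__":
    for bucket_name, findings in audit(SAMPLE_BUCKETS).items():
        print(("PASS " if not findings else "FAIL ") + bucket_name)
        for finding in findings:
            print("  - " + finding)
```

In practice the input list would come from a dump of the buckets.list response for each project; the checker itself needs no network access, which also makes it easy to run in CI against exported inventory.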