Google Cloud Storage bucket is encrypted at rest
Affecting Cloud Storage service in Google
Severity Framework
Snyk CCSS
Rule category
Data / Encryption at Rest
- Snyk ID SNYK-CC-00722
- credit Snyk Research Team
Description
Google Cloud Storage (GCS) encrypts stored data at rest automatically: by default it uses Google-managed keys, with no extra configuration required. For tighter control over key lifecycle and access you can optionally configure Customer-Managed Encryption Keys (CMEK) from Cloud KMS as the bucket's default key.
How to fix?
Set the encryption.default_kms_key_name option in the storage bucket configuration.
Example Configuration
data "google_project" "project" {}

# Cloud KMS key used as the bucket's default encryption key. The key ring
# must already exist (replace the path with your own key ring).
resource "google_kms_crypto_key" "my-key" {
  name     = "crypto-key-example-11"
  key_ring = "projects/test-project/locations/us-central1/keyRings/keyring-example-714"
  purpose  = "ENCRYPT_DECRYPT"
}

# The project's Cloud Storage service agent; it needs access to the key,
# otherwise writes to a CMEK-protected bucket fail.
data "google_storage_project_service_account" "gcs_account" {
}

# Grant the service agent encrypt/decrypt on the key. An *_iam_binding
# resource is authoritative for this role on the key: it replaces any other
# members that hold roles/cloudkms.cryptoKeyEncrypterDecrypter on it.
resource "google_kms_crypto_key_iam_binding" "binding" {
  crypto_key_id = google_kms_crypto_key.my-key.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  members = [
    "serviceAccount:${data.google_storage_project_service_account.gcs_account.email_address}",
  ]
}

resource "google_storage_bucket" "allowed" {
  name          = "storage-buck-rule-722"
  location      = "us-central1"
  force_destroy = true

  # Setting default_kms_key_name is what satisfies this rule: new objects are
  # encrypted with the customer-managed key unless an object-level key is given.
  encryption {
    default_kms_key_name = google_kms_crypto_key.my-key.id
  }

  # The IAM grant must exist before the bucket is created with a CMEK.
  depends_on = [google_kms_crypto_key_iam_binding.binding]
}
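To check this condition before apply, the same rule can be evaluated over the JSON output of `terraform show -json plan.out`. The following is an added example, not Snyk's or the rule page's own code; the plan excerpt it reads is constructed sample data, and it treats a key name that is only known after apply (as with google_kms_crypto_key.my-key.id above) as compliant rather than flagging it.

```python
import json

# Constructed excerpt of `terraform show -json plan.out` (only the fields the
# check reads); sample data, not a plan produced from the rule page's config.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
 {"address": "google_storage_bucket.allowed", "type": "google_storage_bucket",
  "change": {"actions": ["create"], "after": {"encryption": [{}]},
             "after_unknown": {"encryption": [{"default_kms_key_name": true}]}}},
 {"address": "google_storage_bucket.pinned", "type": "google_storage_bucket",
  "change": {"actions": ["create"], "after_unknown": {}, "after": {"encryption":
   [{"default_kms_key_name": "projects/p/locations/us-central1/keyRings/r/cryptoKeys/k"}]}}},
 {"address": "module.logs.google_storage_bucket.plain", "type": "google_storage_bucket",
  "change": {"actions": ["create"], "after": {"encryption": []}, "after_unknown": {}}},
 {"address": "google_storage_bucket.blank", "type": "google_storage_bucket",
  "change": {"actions": ["update"], "after_unknown": {},
             "after": {"encryption": [{"default_kms_key_name": ""}]}}},
 {"address": "google_storage_bucket.old", "type": "google_storage_bucket",
  "change": {"actions": ["delete"], "after": null, "after_unknown": {}}}
]}
""")

def buckets_without_cmek(plan: dict) -> list:
    """Return addresses of google_storage_bucket resources whose planned state
    has no encryption.default_kms_key_name (the condition SNYK-CC-00722 flags).
    A key that is only known after apply, such as google_kms_crypto_key.my-key.id
    on a first run, is reported under after_unknown and is accepted."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "google_storage_bucket":
            continue
        change = rc.get("change", {})
        if change.get("actions") == ["delete"]:
            continue  # bucket is being destroyed; nothing left to encrypt
        after = change.get("after") or {}
        unknown = change.get("after_unknown") or {}
        blocks = after.get("encryption") or []
        if blocks and (blocks[0].get("default_kms_key_name") or "").strip():
            continue  # key name set and known
        unk = unknown.get("encryption")
        if unk is True or (isinstance(unk, list) and unk
                           and unk[0].get("default_kms_key_name") is True):
            continue  # key resolved at apply time (e.g. KMS key created in the same plan)
        findings.append(rc["address"])
    return findings

if __name__ == "__main__":
    for address in buckets_without_cmek(SAMPLE_PLAN):
        print(f"{address}: no default_kms_key_name set")
```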