Dataproc Clusters are not encrypted with Customer-Managed Encryption Keys Affecting Dataproc service in Google

Snyk CCSS

Data / Encryption at Rest

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

Snyk ID SNYK-CC-00742
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

Clusters without customer-managed encryption keys (CMEK) risk exposure of sensitive data due to default encryption management. Enforcing CMEK enhances data security by giving users control over the encryption keys and the underlying hardware security modules that protect the keys.

How to fix?

Set the kms_key_name attribute in google_dataproc_cluster resource to valid CMEK.

Example Configuration


resource "google_dataproc_cluster" "allow" {
  name     = "clustera1"
  region   = "us-central1"

  cluster_config {
    encryption_config {
        kms_key_name = "projects/zelarsoft-snyk/locations/global/keyRings/kerberos-key-ring/cryptoKeys/kerberos-crypto-key"
  }
}
}

Terraform

google_dataproc_cluster

Dataproc Clusters are not encrypted with Customer-Managed Encryption Keys Affecting Dataproc service in Google

Severity

Description

How to fix?

Example Configuration

Terraform