Artifact Registry not using Customer-Managed Encryption Keys (CMEK) Affecting Artifact Registry service in Google
Severity Framework
Snyk CCSS
Rule category
Data / Encryption at Rest
- Snyk ID SNYK-CC-00803
- credit Snyk Research Team
Description
Failure to use Customer-Managed Encryption Keys (CMEK) for Artifact Registry can result in non-compliance with data protection regulations and increased risk of data exposure. CMEK provides users with control over the encryption keys, including the ability to manage key rotation and disable keys, enhancing the security posture by ensuring that only authorized users can access the encryption keys and, by extension, the data.
How to fix?
Set the kms_key_name attribute of the google_artifact_registry_repository resource to the resource ID of a valid CMEK (a Cloud KMS crypto key), and grant the Artifact Registry service agent the cryptoKeyEncrypterDecrypter role on that key so the service can use it.
Example Configuration
# google_kms_crypto_key.snyk_803_key and data.google_project.project are
# assumed to be declared elsewhere in the same configuration.
resource "google_artifact_registry_repository" "allowed-snyk-803" {
  location      = "us-central1"
  repository_id = "snyk-803-repository"
  description   = "example docker repository with cmek"
  format        = "DOCKER"
  # Customer-managed key: data at rest is encrypted with this key, not a Google-managed one.
  kms_key_name  = google_kms_crypto_key.snyk_803_key.id
  # The key grant must exist before the repository is created, or creation fails.
  depends_on = [
    google_kms_crypto_key_iam_member.crypto_key
  ]
}

# Allow the Artifact Registry service agent of this project to encrypt and
# decrypt with the key.
resource "google_kms_crypto_key_iam_member" "crypto_key" {
  crypto_key_id = google_kms_crypto_key.snyk_803_key.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-artifactregistry.iam.gserviceaccount.com"
}
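As an added example (not part of this rule page and not Snyk's own checker), the following script applies the same condition to a Terraform plan exported with terraform show -json before anything is applied. The plan excerpt is constructed; note that a kms_key_name set from a resource reference (as in the configuration above) is not resolved at plan time and is reported under after_unknown rather than after, which the check treats as "key is set".

```python
"""Flag Artifact Registry repositories in a Terraform plan that have no CMEK set
(the condition Snyk rule SNYK-CC-00803 reports). Input is `terraform show -json`."""
import json
REPO_TYPE = "google_artifact_registry_repository"

# Constructed excerpt of a plan's `resource_changes` list (not from a real plan).
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {   # kms_key_name references google_kms_crypto_key...id: unresolved at plan
        # time, so Terraform reports it under after_unknown rather than after.
        "address": f"{REPO_TYPE}.with_cmek", "type": REPO_TYPE,
        "change": {"actions": ["create"],
                   "after": {"repository_id": "with-cmek", "format": "DOCKER"},
                   "after_unknown": {"kms_key_name": True}}},
    {   # no key at all: Google-managed encryption, must be flagged
        "address": f"{REPO_TYPE}.google_managed", "type": REPO_TYPE,
        "change": {"actions": ["create"],
                   "after": {"repository_id": "gm", "format": "DOCKER",
                             "kms_key_name": None},
                   "after_unknown": {}}},
    {   # being destroyed: nothing left to encrypt
        "address": f"{REPO_TYPE}.retired", "type": REPO_TYPE,
        "change": {"actions": ["delete"], "after": None, "after_unknown": {}}},
    {   # other resource types are out of scope for this rule
        "address": "google_storage_bucket.logs", "type": "google_storage_bucket",
        "change": {"actions": ["create"], "after": {"name": "logs"}}},
]})


def has_cmek(change: dict) -> bool:
    """True when kms_key_name is a non-empty literal or is known only after apply."""
    if (change.get("after") or {}).get("kms_key_name"):
        return True
    return bool((change.get("after_unknown") or {}).get("kms_key_name"))


def repositories_without_cmek(plan_json: str) -> list[str]:
    """Addresses of repositories that will exist after apply without a CMEK."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change", {})
        if rc.get("type") != REPO_TYPE or change.get("after") is None:
            continue  # not an Artifact Registry repo, or it is being deleted
        if not has_cmek(change):
            findings.append(rc["address"])
    return findings


if __name__ == "__main__":
    for address in repositories_without_cmek(SAMPLE_PLAN):
        print(f"SNYK-CC-00803: {address} is not using a customer-managed key")
```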