CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of a rule.
Each rule is associated with a high-level category, for example IAM, Container, Monitoring, Logging or Network.
Failure to use Customer-Managed Encryption Keys (CMEK) for Artifact Registry can result in non-compliance with data protection regulations and increased risk of data exposure. Without CMEK, repository contents are encrypted with Google-managed keys that you cannot rotate, disable or audit yourself. With CMEK the repository is encrypted with a key in Cloud KMS that you own: you control rotation, you can disable or destroy the key to make the stored artifacts unreadable, key use is recorded in Cloud KMS audit logs, and access to the key is granted through IAM, so only the principals you authorize (including the Artifact Registry service agent itself) can use the key and, by extension, read the data.
Set the kms_key_name attribute of the google_artifact_registry_repository resource to the resource name of a valid Cloud KMS key (projects/PROJECT/locations/LOCATION/keyRings/RING/cryptoKeys/KEY). Three things have to hold for the apply to succeed: the key ring must be in the same location as the repository; the Artifact Registry service agent (service-PROJECT_NUMBER@gcp-sa-artifactregistry.iam.gserviceaccount.com) must hold roles/cloudkms.cryptoKeyEncrypterDecrypter on the key before the repository is created (if the service agent does not exist yet, gcloud beta services identity create --service=artifactregistry.googleapis.com --project=PROJECT creates it); and the key cannot be changed after the repository exists, so a repository created without CMEK has to be recreated. To verify an existing repository, run gcloud artifacts repositories describe REPOSITORY --location=LOCATION --format='value(kmsKeyName)'; an empty result means the repository uses Google-managed encryption.
Example configuration:
data "google_project" "project" {}

# The key ring must be in the same location as the repository.
resource "google_kms_key_ring" "snyk_803_ring" {
  name     = "snyk-803-ring"
  location = "us-central1"
}
resource "google_kms_crypto_key" "snyk_803_key" {
  name            = "snyk-803-key"
  key_ring        = google_kms_key_ring.snyk_803_ring.id
  rotation_period = "7776000s" # 90 days
}

resource "google_artifact_registry_repository" "allowed-snyk-803" {
  location      = "us-central1"
  repository_id = "snyk-803-repository"
  description   = "example docker repository with cmek"
  format        = "DOCKER"
  kms_key_name  = google_kms_crypto_key.snyk_803_key.id
  # The service agent needs access to the key before the repository is created.
  depends_on = [
    google_kms_crypto_key_iam_member.crypto_key
  ]
}

# Let the Artifact Registry service agent encrypt and decrypt with the key.
resource "google_kms_crypto_key_iam_member" "crypto_key" {
  crypto_key_id = google_kms_crypto_key.snyk_803_key.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-artifactregistry.iam.gserviceaccount.com"
}
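As an added example (not part of this rule page and not Snyk's own scanner), the following Python script implements the check the rule describes against the JSON produced by terraform show -json plan.out. It flags every google_artifact_registry_repository that is being created or updated without a kms_key_name, with a value that is not a Cloud KMS key resource name, or with a key ring in a different location from the repository; a key whose name is only known after apply (the case above, where the key is created in the same plan) counts as set. The embedded plan document is constructed for illustration and the project, key and repository names in it are invented.

```python
"""Check a `terraform show -json` plan for Artifact Registry repositories
that are not encrypted with a customer-managed key (CMEK).

Added example; not part of the original rule page or of Snyk's scanner.
"""
import json
import re
import sys

# Form of a Cloud KMS key resource name, which is what kms_key_name must hold.
CMEK_NAME_RE = re.compile(
    r"^projects/[^/]+/locations/(?P<location>[^/]+)/keyRings/[^/]+/cryptoKeys/[^/]+$"
)
REPO_TYPE = "google_artifact_registry_repository"


def check_plan(plan):
    """Return (address, verdict, detail) for every Artifact Registry repository
    the plan creates or updates. verdict is "pass" or "fail"."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != REPO_TYPE:
            continue
        change = rc.get("change", {})
        actions = change.get("actions", [])
        if "create" not in actions and "update" not in actions:
            continue  # no-op, read or delete: nothing new to encrypt
        after = change.get("after") or {}
        unknown = change.get("after_unknown") or {}
        address = rc["address"]
        key = after.get("kms_key_name")
        if unknown.get("kms_key_name"):
            # The key comes from a resource created in the same plan, so its
            # name is only known after apply; it is set, which the rule asks for.
            findings.append((address, "pass", "kms_key_name set, value known after apply"))
            continue
        if not key:
            findings.append((address, "fail",
                             "kms_key_name missing: repository would use Google-managed encryption"))
            continue
        m = CMEK_NAME_RE.match(key)
        if m is None:
            findings.append((address, "fail",
                             f"kms_key_name is not a Cloud KMS key resource name: {key!r}"))
            continue
        repo_location = after.get("location")
        if repo_location and m.group("location") != repo_location:
            # Artifact Registry requires the key ring to be in the repository's location.
            findings.append((address, "fail",
                             f"key location {m.group('location')!r} differs from "
                             f"repository location {repo_location!r}"))
            continue
        findings.append((address, "pass", f"CMEK {key}"))
    return findings


def failing_addresses(plan):
    """Addresses of repositories that violate the rule, sorted for stable output."""
    return sorted(a for a, verdict, _ in check_plan(plan) if verdict == "fail")


def _repo_change(name, actions, after, unknown=None):
    # Builds one resource_changes entry in the shape terraform show -json emits.
    return {
        "address": f"{REPO_TYPE}.{name}",
        "type": REPO_TYPE,
        "change": {"actions": actions, "after": after, "after_unknown": unknown or {}},
    }


GOOD_KEY = "projects/example-prj/locations/us-central1/keyRings/ar-ring/cryptoKeys/ar-key"

# Constructed plan document for illustration; project, key and repository names are invented.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        _repo_change("unmanaged", ["create"],
                     {"location": "us-central1", "repository_id": "app-images",
                      "format": "DOCKER", "kms_key_name": None}),
        _repo_change("cmek", ["create"],
                     {"location": "us-central1", "repository_id": "app-images-cmek",
                      "format": "DOCKER", "kms_key_name": GOOD_KEY}),
        _repo_change("cmek_same_plan", ["create"],
                     {"location": "us-central1", "repository_id": "app-images-newkey",
                      "format": "DOCKER"},
                     unknown={"kms_key_name": True}),
        _repo_change("wrong_location", ["create"],
                     {"location": "europe-west1", "repository_id": "eu-images",
                      "format": "DOCKER", "kms_key_name": GOOD_KEY}),
        _repo_change("retired", ["delete"], None),
    ],
}


def main(argv):
    # With a path argument, read a real plan; otherwise run on the sample.
    plan = SAMPLE_PLAN if len(argv) < 2 else json.load(open(argv[1]))
    findings = check_plan(plan)
    for address, verdict, detail in findings:
        print(f"{verdict.upper():4} {address}: {detail}")
    return 1 if any(v == "fail" for _, v, _ in findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as python check_ar_cmek.py plan.json after terraform show -json plan.out > plan.json; the non-zero exit status makes it usable as a CI gate. The "known after apply" branch is deliberate: a plan that creates the key and the repository together cannot resolve the key name, and failing it would force teams to split the key into a separate apply, which is not what the rule requires.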