VM disks for critical VMs must be encrypted with Customer-Supplied Encryption Keys (CSEK) or Customer-Managed Encryption Keys (CMEK)

ID

gcp_disk_encryption_disabled

Severity

low

Vendor

GCP

Resource

Encryption

Tags

reachable

Description

Leaving disk_encryption_key unset, or setting raw_key or kms_key_name to an empty string, configures no customer key at all: the disk is protected only by Google-managed default encryption, so anyone with IAM permission to attach the disk can read its contents, and the customer cannot rotate or revoke the key. For critical VMs this is a security risk: access to the disk resource alone is enough to read the data. With CSEK the caller must supply the key on every attach, and with CMEK attaching requires permission on the Cloud KMS key, which can be disabled or rotated.

To fix it, set disk_encryption_key.raw_key to a base64-encoded 256-bit (32-byte) key for Customer-Supplied Encryption Keys (CSEK), or disk_encryption_key.kms_key_name to a Cloud KMS key resource name of the form projects/PROJECT/locations/LOCATION/keyRings/RING/cryptoKeys/KEY for Customer-Managed Encryption Keys (CMEK). A raw_key written into a playbook is the key in plaintext: keep it in Ansible Vault or prefer kms_key_name, and note that Google does not store a CSEK, so a lost key makes the disk unrecoverable.

Examples

---
- name: create disk
  google.cloud.gcp_compute_disk:
    name: object
    size_gb: 8
    disk_encryption_key:
      raw_key: ""  # empty string: no CSEK, the disk falls back to Google-managed keys only
    zone: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present

Mitigation / Fix

---
- name: create disk
  google.cloud.gcp_compute_disk:
    name: test_object
    size_gb: 8
    disk_encryption_key:
      raw_key: REYgbF8gZnHreSBDb27nbWQgEtxdsWFgASxbvGdCcfd=  # base64-encoded 32-byte key; store it in Ansible Vault, not in plaintext
    zone: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: /tmp/auth.pem
    state: present
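As an added check (example code written for this page, not from the rule's source or from the google.cloud collection), the scanner below applies this rule to parsed Ansible tasks: it flags a missing or empty disk_encryption_key, a raw_key that is not a base64-encoded 32-byte key, and a kms_key_name that is not a Cloud KMS key resource name. The sample tasks are constructed to mirror the two playbooks above plus a CMEK variant; the KMS key path in them is a hypothetical name. A real run would load the playbook with yaml.safe_load first and pass the result to check_tasks.

```python
"""Flag GCP compute disks in Ansible tasks that lack CSEK or CMEK.

Added example, not part of the rule page or the google.cloud collection.
The tasks are constructed dicts in the shape Ansible produces when it loads
a playbook (in practice: yaml.safe_load(open(path))).
"""
import base64
import re

DISK_MODULES = ("google.cloud.gcp_compute_disk", "gcp_compute_disk")
# Resource name format expected by kms_key_name.
KMS_KEY_RE = re.compile(
    r"^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$"
)
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def raw_key_problem(raw_key):
    """Return None if raw_key is a base64-encoded 256-bit key, else a message."""
    if not isinstance(raw_key, str) or raw_key == "":
        return "raw_key is empty: no CSEK is applied"
    if not B64_RE.match(raw_key):
        return "raw_key is not valid base64"
    try:
        decoded = base64.b64decode(raw_key)
    except ValueError:
        return "raw_key is not valid base64"
    if len(decoded) != 32:
        return f"raw_key decodes to {len(decoded)} bytes, CSEK requires 32"
    return None


def check_task(task):
    """Return the findings (strings) for one task; an empty list means it passes."""
    module = next((m for m in DISK_MODULES if m in task), None)
    if module is None:
        return []  # not a disk task
    params = task[module] or {}
    name = task.get("name", "<unnamed>")
    dek = params.get("disk_encryption_key")
    if not dek:
        return [f"{name}: no disk_encryption_key, disk uses Google-managed keys only"]
    findings = []
    has_csek = "raw_key" in dek
    has_cmek = "kms_key_name" in dek
    if has_csek:
        problem = raw_key_problem(dek["raw_key"])
        if problem:
            findings.append(f"{name}: {problem}")
    if has_cmek:
        key = dek["kms_key_name"]
        if not key:
            findings.append(f"{name}: kms_key_name is empty: no CMEK is applied")
        elif not isinstance(key, str) or not KMS_KEY_RE.match(key):
            findings.append(f"{name}: kms_key_name is not a Cloud KMS key resource name")
    if not has_csek and not has_cmek:
        findings.append(f"{name}: disk_encryption_key sets neither raw_key nor kms_key_name")
    return findings


def check_tasks(items):
    """Walk a task list or a play list (items with a 'tasks' key) and collect findings."""
    findings = []
    for item in items:
        if "tasks" in item:
            findings.extend(check_tasks(item.get("tasks") or []))
        else:
            findings.extend(check_task(item))
    return findings


# Constructed sample tasks mirroring the page's examples; the KMS path is hypothetical.
SAMPLE_TASKS = [
    {"name": "insecure disk", "google.cloud.gcp_compute_disk": {
        "name": "object", "size_gb": 8, "zone": "us-central1-a",
        "disk_encryption_key": {"raw_key": ""}}},
    {"name": "csek disk", "google.cloud.gcp_compute_disk": {
        "name": "test_object", "size_gb": 8, "zone": "us-central1-a",
        "disk_encryption_key": {"raw_key": "REYgbF8gZnHreSBDb27nbWQgEtxdsWFgASxbvGdCcfd="}}},
    {"name": "cmek disk", "google.cloud.gcp_compute_disk": {
        "name": "cmek_object", "size_gb": 8, "zone": "us-central1-a",
        "disk_encryption_key": {"kms_key_name":
            "projects/test_project/locations/us-central1/keyRings/vm-disks/cryptoKeys/critical-disk"}}},
    {"name": "default-key disk", "google.cloud.gcp_compute_disk": {
        "name": "plain_object", "size_gb": 8, "zone": "us-central1-a"}},
]

if __name__ == "__main__":
    for finding in check_tasks(SAMPLE_TASKS):
        print("gcp_disk_encryption_disabled:", finding)
```

Only the first and last sample tasks produce findings; the CSEK task passes because the page's key decodes to exactly 32 bytes, and the CMEK task passes because its kms_key_name has the full resource-name shape. The format checks are deliberately strict: a raw_key of the wrong length or a bare KMS key id is rejected by the Compute API anyway, and catching that in CI is cheaper than a failed deploy.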