gcloud-func-cmek-not-used: No Customer-Managed Encryption Keys in Google Cloud Functions

日期: 2025-08-01 | 影响软件: Google Cloud Functions | POC: 已公开

漏洞描述

Ensure that your Google Cloud functions use Customer-Managed Encryption Keys (CMEK) instead of Google-managed encryption keys to encrypt data at rest. CMEKs provide greater control over the encryption and decryption process, enabling you to meet stringent compliance requirements.

PoC代码[已公开]

id: gcloud-func-cmek-not-used

info:
  name: No Customer-Managed Encryption Keys in Google Cloud Functions
  author: princechaddha
  severity: high
  description: |
    Ensure that your Google Cloud functions use Customer-Managed Encryption Keys (CMEK) instead of Google-managed encryption keys to encrypt data at rest. CMEKs provide greater control over the encryption and decryption process, enabling you to meet stringent compliance requirements.
  impact: |
    Using Google-managed encryption keys instead of CMEKs reduces your ability to control the encryption process and comply with certain regulatory standards.
  remediation: |
    Configure your Google Cloud functions to use Customer-Managed Encryption Keys (CMEK) to ensure data encryption at rest is managed according to your compliance and security requirements.
  reference:
    - https://cloud.google.com/functions/docs/securing/managing-encryption-keys
  tags: cloud,devops,gcp,gcloud,google-cloud-functions,gcp-cloud-config

flow: |
  code(1)
  for(let projectId of iterate(template.projectIds)){
    set("projectId", projectId)
    code(2)
    for(let functionName of iterate(template.functions)){
      set("functionName", functionName)
      code(3)
    }
  }

self-contained: true

code:
  - engine:
      - sh
      - bash
    source: |
      gcloud projects list --format="json(projectId)"

    extractors:
      - type: json
        name: projectIds
        internal: true
        json:
          - '.[].projectId'

  - engine:
      - sh
      - bash
    source: |
      gcloud functions list --project $projectId --format="json(name)"

    extractors:
      - type: json
        name: functions
        internal: true
        json:
          - '.[].name'

  - engine:
      - sh
      - bash
    source: |
      gcloud functions describe $functionName --format="json(kmsKeyName)"

    matchers:
      - type: word
        words:
          - 'null'

    extractors:
      - type: dsl
        dsl:
          - '"Function not using CMEK: " + functionName + " in " + projectId + " project"'
# digest: 4a0a00473045022036beb2fd770344d590d37a8790e66f07d95b0f780fcca88dd87eb122dc5113f5022100ad2e88670bf9c93de176a2c68bc25d3c01a749aa3236f6736614fbf6b46de3a9:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/./cloud/gcp/function/gcloud-func-cmek-not-used.yaml

相关漏洞推荐