gcloud-logs-router-cmek-not-enabled: Logs Router Encryption with Customer-Managed Keys Not Enabled

Date: 2025-08-01 | Affected software: gcloud-logs-router-cmek-not-enabled | PoC: public

Vulnerability description

Ensure that the Google Cloud Logs Router for your organization encrypts data with Customer-Managed Keys (CMKs, called CMEK in Google Cloud) held in Cloud Key Management Service (Cloud KMS), so that you control key management, rotation and revocation and can meet compliance requirements that mandate customer-held keys. The organization-level Logs Router CMEK setting covers log data as it passes through the Logs Router; log buckets carry a separate per-bucket CMEK setting, so enabling router CMEK alone does not change how logs at rest in Logging storage are encrypted.

PoC code [public]

id: gcloud-logs-router-cmek-not-enabled

info:
  name: Logs Router Encryption with Customer-Managed Keys Not Enabled
  author: princechaddha
  severity: high
  description: |
    Ensure that Google Cloud Logs Router data is encrypted with Customer-Managed Keys (CMKs) to provide full control over your data encryption and decryption process and to help meet compliance requirements. Using Cloud Key Management Service (Cloud KMS), you can create and manage your CMKs, ensuring secure and efficient encryption key management, controlled key rotation, and revocation mechanisms.
  impact: |
    Without Customer-Managed Keys (CMKs) encryption, your Logs Router data may not meet organizational compliance requirements and is not protected by keys you control, potentially exposing sensitive information to unauthorized access.
  remediation: |
    Enable Customer-Managed Keys (CMKs) for the organization's Logs Router: create a Cloud KMS key, grant the Logs Router service account (the serviceAccountId shown by `gcloud logging cmek-settings describe --organization=ORG_ID`) the roles/cloudkms.cryptoKeyEncrypterDecrypter role on that key, then apply it with `gcloud logging cmek-settings update --organization=ORG_ID --kms-key-name=projects/PROJECT/locations/LOCATION/keyRings/RING/cryptoKeys/KEY`. Ensure the key is managed and rotated per compliance requirements and that the role binding is never removed while the key is in use, since the router cannot process logs without it.
  reference:
    - https://cloud.google.com/logging/docs/routing/managed-encryption
  tags: cloud,devops,gcp,gcloud,google-cloud-logging,gcp-cloud-config

self-contained: true

code:
  - engine:
      - sh
      - bash
    source: |
      gcloud alpha logging cmek-settings describe --organization=$organization --format="json(kmsKeyName)"

    matchers:
      - type: word
        words:
          - 'null'

    extractors:
      - type: dsl
        dsl:
          - '"Logs Router Encryption with CMK not enabled for your organization"'
# digest: 4b0a00483046022100a94c7e2231181d06405b8fb53b9603a32c3d7db83381ad64935458a6c6e6d92a022100f787d993f5a41dc335e362a5b2b88fec08577e5bb41b6b83b64e5c91ba323972:922c64590222798bb761d5b6d8e72950
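The template above only looks for the literal word `null` in a projected `kmsKeyName` field. The following added example, which is not part of the nuclei template or of the nuclei-templates project, shows a stand-alone POSIX shell checker that consumes the full `--format=json` output of `gcloud logging cmek-settings describe` (the GA form of the `alpha` command used above), treats an absent field, a JSON `null` and an empty string all as "not enabled", validates that a set value actually looks like a Cloud KMS key resource name, and prints the remediation commands with the organization's Logs Router service account filled in. The three sample describe documents are constructed; the organization ID, project and key names in them are placeholders.

```shell
#!/bin/sh
# Added example (not part of the nuclei template): classify the output of
#   gcloud logging cmek-settings describe --organization=ORG_ID --format=json
# The sample JSON documents below are constructed, not captured from a real org.

# Print the kmsKeyName from a flat JSON object read on stdin, using only tr/sed
# (no jq dependency). Prints MISSING if the field is absent, NULL if it is
# JSON null or an empty string, otherwise the Cloud KMS key resource name.
cmek_key_from_json() {
  json=$(tr -d '\n\r')
  case "$json" in
    *'"kmsKeyName"'*) ;;
    *) printf 'MISSING\n'; return 0 ;;
  esac
  key=$(printf '%s' "$json" \
        | sed -n 's/.*"kmsKeyName"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
  if [ -n "$key" ]; then
    printf '%s\n' "$key"
  else
    printf 'NULL\n'
  fi
}

# Print the Logs Router service account (serviceAccountId) or nothing.
router_sa_from_json() {
  tr -d '\n\r' | sed -n 's/.*"serviceAccountId"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Exit 0 if CMEK is enabled (a KMS key resource name is set), 1 if not
# enabled (absent, null, or empty), 2 if the value has an unexpected shape.
cmek_enabled() {
  case "$(cmek_key_from_json)" in
    MISSING|NULL) return 1 ;;
    projects/*/locations/*/keyRings/*/cryptoKeys/*) return 0 ;;
    *) return 2 ;;
  esac
}

# Read one describe document on stdin and print a one-line verdict, followed by
# the remediation commands when the router is still on Google-managed keys.
check_stream() {
  doc=$(cat)
  sa=$(printf '%s' "$doc" | router_sa_from_json)
  if printf '%s' "$doc" | cmek_enabled; then
    printf 'OK: Logs Router CMEK enabled, key=%s\n' "$(printf '%s' "$doc" | cmek_key_from_json)"
  else
    printf 'FINDING: Logs Router Encryption with CMK not enabled for your organization\n'
    printf '  grant:  gcloud kms keys add-iam-policy-binding KEY --keyring=RING --location=LOC \\\n'
    printf '            --member=serviceAccount:%s --role=roles/cloudkms.cryptoKeyEncrypterDecrypter\n' "${sa:-<serviceAccountId>}"
    printf '  enable: gcloud logging cmek-settings update --organization=ORG_ID --kms-key-name=projects/PROJECT/locations/LOC/keyRings/RING/cryptoKeys/KEY\n'
  fi
}

# Constructed sample describe documents (placeholder org, project and key names).
SAMPLE_ENABLED='{"kmsKeyName": "projects/kms-proj/locations/us/keyRings/logging/cryptoKeys/router", "name": "organizations/123456789012/cmekSettings", "serviceAccountId": "service-org-123456789012@gcp-sa-logging.iam.gserviceaccount.com"}'
SAMPLE_NULL='{"kmsKeyName": null, "name": "organizations/123456789012/cmekSettings", "serviceAccountId": "service-org-123456789012@gcp-sa-logging.iam.gserviceaccount.com"}'
SAMPLE_ABSENT='{"name": "organizations/123456789012/cmekSettings", "serviceAccountId": "service-org-123456789012@gcp-sa-logging.iam.gserviceaccount.com"}'

# Demo run over the constructed samples. Against a real organization, replace
# the loop with:
#   gcloud logging cmek-settings describe --organization="$ORG_ID" --format=json | check_stream
for s in "$SAMPLE_ENABLED" "$SAMPLE_NULL" "$SAMPLE_ABSENT"; do
  printf '%s\n' "$s" | check_stream
done
```

The absent-field case is the one worth keeping in mind: a matcher that only looks for the word `null` reports nothing if the CLI omits the field instead of emitting it as `null`, so the checker here treats "no key name present" as a finding rather than as a pass.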