gcloud-object-encryption-cmk-not-enabled: Enable Object Encryption with Customer-Managed Keys for Cloud Storage Buckets

Date: 2025-08-01 | Affected software: gcloud object encryption cmk | PoC: published

Vulnerability description

Ensure that your Google Cloud Storage data is encrypted at rest using Customer-Managed Keys (CMKs) to maintain full control over your data encryption and decryption processes. CMKs can be managed with the Cloud Key Management Service (Cloud KMS).
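The template below detects the condition by matching on the literal "no default encryption key" text that gsutil prints. As an added example (not part of the original page or the nuclei project), the following Python audits the same property from bucket metadata instead of from tool output: it assumes bucket resources in the Cloud Storage JSON API shape, where the bucket-level CMK is the `encryption.defaultKmsKeyName` field, and it distinguishes buckets with no key from buckets whose key value is not a well-formed Cloud KMS resource name. The bucket names, project id and key name in the sample are constructed.

```python
"""Audit Cloud Storage bucket metadata for a default Customer-Managed Key (CMK)."""
import json
import re

# Constructed sample input (not real buckets): bucket resources in the Cloud Storage
# JSON API shape, where a bucket-level CMK appears as encryption.defaultKmsKeyName.
SAMPLE_BUCKETS_JSON = json.dumps([
    {"name": "prod-archive",
     "encryption": {"defaultKmsKeyName":
                    "projects/example-prj/locations/us/keyRings/storage-ring/cryptoKeys/bucket-key"}},
    {"name": "scratch-data"},                    # no encryption block at all
    {"name": "logs-export", "encryption": {}},   # block present but no key set
    {"name": "shared-drop",
     "encryption": {"defaultKmsKeyName": "not-a-kms-resource-name"}},
])

# Cloud KMS key resource name: projects/P/locations/L/keyRings/R/cryptoKeys/K
CMK_NAME_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/(?P<ring>[^/]+)/cryptoKeys/(?P<key>[^/]+)$")


def classify_bucket(bucket):
    """Return (status, key) for one bucket resource dict.

    status is one of:
      "cmk"           - a well-formed Cloud KMS key is set as the bucket default
      "no-cmk"        - no default key; objects fall back to Google-managed keys
      "malformed-key" - a value is set but is not a Cloud KMS key resource name
    """
    key = (bucket.get("encryption") or {}).get("defaultKmsKeyName")
    if not key:
        return "no-cmk", None
    if not CMK_NAME_RE.match(key):
        return "malformed-key", key
    return "cmk", key


def audit_buckets(buckets_json, project_id):
    """Return a finding for every bucket that does not use a well-formed CMK."""
    findings = []
    for bucket in json.loads(buckets_json):
        status, key = classify_bucket(bucket)
        if status == "cmk":
            continue
        findings.append({
            "bucket": bucket["name"],
            "project": project_id,
            "status": status,
            "key": key,
            # Same wording the page's template emits through its dsl extractor.
            "message": (f"The bucket {bucket['name']} in project {project_id} "
                        f"is not encrypted using a Customer-Managed Key (CMK)."),
        })
    return findings


def remediation_command(bucket_name, kms_key_name):
    """Build the gsutil command that sets a bucket's default CMK (same tool the page uses)."""
    if not CMK_NAME_RE.match(kms_key_name):
        raise ValueError(f"not a Cloud KMS key resource name: {kms_key_name}")
    return f"gsutil kms encryption -k {kms_key_name} gs://{bucket_name}"


if __name__ == "__main__":
    # Hypothetical key the operator wants every bucket in the project to use.
    target_key = "projects/example-prj/locations/us/keyRings/storage-ring/cryptoKeys/bucket-key"
    for finding in audit_buckets(SAMPLE_BUCKETS_JSON, "example-prj"):
        print(f"[{finding['status']}] {finding['message']}")
        print("  fix:", remediation_command(finding["bucket"], target_key))
```

Two caveats a practitioner should keep in mind when acting on the findings: setting a default key only applies to objects written after the change, so existing objects stay under their previous encryption until rewritten, and the bucket's Cloud Storage service agent must hold the Cloud KMS CryptoKey Encrypter/Decrypter role on the key or writes will fail once the default is set.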

PoC code [published]

id: gcloud-object-encryption-cmk-not-enabled

info:
  name: Enable Object Encryption with Customer-Managed Keys for Cloud Storage Buckets
  author: princechaddha
  severity: high
  description: |
    Ensure that your Google Cloud Storage data is encrypted at rest using Customer-Managed Keys (CMKs) to maintain full control over your data encryption and decryption processes. CMKs can be managed with the Cloud Key Management Service (Cloud KMS).
  impact: |
    Without CMK encryption, you lose the ability to manage key rotation, encryption policies, and data access, potentially exposing sensitive data to unauthorized access.
  remediation: |
    Configure your Cloud Storage buckets to use Customer-Managed Keys (CMKs) for encryption to enhance data security and comply with organizational policies.
  reference:
    - https://cloud.google.com/storage/docs/encryption/customer-managed-keys
  tags: cloud,devops,gcp,gcloud,google-cloud-storage,encryption,cmk,security,gcp-cloud-config

flow: |
  code(1)
  for(let projectId of iterate(template.projectIds)){
    set("projectId", projectId)
    code(2)
    for(let bucketName of iterate(template.buckets)){
      set("bucketName", bucketName)
      code(3)
    }
  }

self-contained: true

code:
  - engine:
      - sh
      - bash
    source: |
      gcloud projects list --format="json(projectId)"

    extractors:
      - type: json
        name: projectIds
        internal: true
        json:
          - '.[].projectId'

  - engine:
      - sh
      - bash
    source: |
      gsutil ls -p $projectId | jq -R . | jq -s .

    extractors:
      - type: json
        name: buckets
        internal: true
        json:
          - '.[]'

  - engine:
      - sh
      - bash
    source: |
      gsutil kms encryption $bucketName

    matchers:
      - type: word
        part: body
        words:
          - "no default encryption key"

    extractors:
      - type: dsl
        dsl:
          - '"The bucket " + bucketName + " in project " + projectId + " is not encrypted using a Customer-Managed Key (CMK)."'
# digest: 4b0a00483046022100f2b251272464706d2ebe21caf15af113e930e0aeb02848e4f5d025750611883a022100d083dc3e0b9fb9b18964130a1468af82e0d35a8bc873e7ee13fa3dc8f5025569:922c64590222798bb761d5b6d8e72950