Ensure that the persistent disks attached to your Google Compute Engine instances are encrypted with Customer-Managed Keys (CMKs) in order to have a fine control over your sensitive data encryption and decryption process. You can create and manage your own Customer-Managed Keys (CMKs) with Cloud Key Management Service (Cloud KMS). Cloud KMS provides secure and efficient encryption key management, controlled key rotation, and revocation mechanisms.
PoC代码[已公开]
id: gcloud-vm-disk-cmk-not-enabled
info:
name: Virtual Machine Disk Encryption with Customer-Managed Keys Not Enabled
author: princechaddha
severity: high
description: |
Ensure that the persistent disks attached to your Google Compute Engine instances are encrypted with Customer-Managed Keys (CMKs) in order to have a fine control over your sensitive data encryption and decryption process. You can create and manage your own Customer-Managed Keys (CMKs) with Cloud Key Management Service (Cloud KMS). Cloud KMS provides secure and efficient encryption key management, controlled key rotation, and revocation mechanisms.
impact: |
Without CMK encryption, you have limited control over the encryption keys used to protect your VM disk data, potentially exposing sensitive information to unauthorized access.
remediation: |
Configure your Compute Engine persistent disks to use Customer-Managed Keys (CMKs) for encryption by specifying a Cloud KMS key during disk creation or by updating existing disks.
reference:
- https://cloud.google.com/compute/docs/disks/customer-managed-encryption
tags: cloud,devops,gcp,gcloud,compute,encryption,cmk,security,gcp-cloud-config
flow: |
code(1)
for(let projectId of iterate(template.projectIds)){
set("projectId", projectId)
code(2)
for(let instance of iterate(template.instances)){
instance = JSON.parse(instance)
set("instanceName", instance.name)
set("zone", instance.zone)
code(3)
for(let disk of iterate(template.disks)){
set("diskName", disk)
code(4)
}
}
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
gcloud projects list --format="json(projectId)"
extractors:
- type: json
name: projectIds
internal: true
json:
- '.[].projectId'
- engine:
- sh
- bash
source: |
gcloud compute instances list --project $projectId --format="json(name,zone.basename())"
extractors:
- type: json
name: instances
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
gcloud compute instances describe $instanceName --zone $zone --project $projectId --format="json(disks[].deviceName)"
extractors:
- type: json
name: disks
internal: true
json:
- '.disks[].deviceName'
- engine:
- sh
- bash
source: |
gcloud compute disks describe $diskName --zone $zone --project $projectId --format="json(diskEncryptionKey.kmsKeyName)" | jq '. // "null"'
matchers:
- type: word
words:
- "null"
extractors:
- type: dsl
dsl:
- '"Disk " + diskName + " attached to instance " + instanceName + " in zone " + zone + " of project " + projectId + " is not encrypted with a Customer-Managed Key (CMK)"'
# digest: 4a0a00473045022100d7cb21540269edd4582afb6f1dcf363463e4568e14154ec5c1fcb0877cd58a2a022005ee32cf0459ad463e162bcc6293991b6bb9dc9d1177233733f6d6f4c41b64cd:922c64590222798bb761d5b6d8e72950