Disk Encryption Disabled

  • Query id: fc040fb6-4c23-4c0d-b12a-39edac35debb
  • Query name: Disk Encryption Disabled
  • Platform: GoogleDeploymentManager
  • Severity: Medium
  • Category: Encryption
  • URL: Github

Description

Compute Engine encrypts persistent disks at rest with Google-managed keys by default. Disks of critical VMs should instead be encrypted with a customer-supplied encryption key (CSEK) or with a customer-managed encryption key (CMEK) held in Cloud KMS. In a Deployment Manager template this means every 'compute.v1.disk' resource, and every entry in the 'disks' list of a 'compute.v1.instance', must define the attribute 'diskEncryptionKey' with a non-empty 'rawKey' (CSEK) or 'kmsKeyName' (CMEK). A 'diskEncryptionKey' that is missing, that carries only a digest such as 'sha_256', or whose 'rawKey' is an empty string is reported. Two practical caveats: 'rawKey' is a base64-encoded 256-bit key that Google does not store, so losing it makes the disk unrecoverable and CMEK is usually the easier option to operate; and 'kmsKeyName' should be the full Cloud KMS resource name of the key ('projects/.../locations/.../keyRings/.../cryptoKeys/...').
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
resources:
- name: vm-template
  type: compute.v1.instance
  properties:
    zone: us-central1-a
    machineType: zones/us-central1-a/machineTypes/n1-standard-1
    disks:
    - deviceName: boot
      type: PERSISTENT
      boot: true
      autoDelete: true
      initializeParams:
        sourceImage: projects/debian-cloud/global/images/family/debian-9
    networkInterfaces:
    - network: global/networks/default
- type: compute.v1.disk
  name: disk-3-data
  properties:
    sizeGb: 10
    zone: us-east1-c
Positive test num. 2 - yaml file
resources:
- name: vm-template2
  type: compute.v1.instance
  properties:
    zone: us-central1-a
    machineType: zones/us-central1-a/machineTypes/n1-standard-1
    disks:
    - deviceName: boot
      type: PERSISTENT
      boot: true
      autoDelete: true
      initializeParams:
        sourceImage: projects/debian-cloud/global/images/family/debian-9
      diskEncryptionKey:
        sha_256: 68b4caecf5d5130426a8b8f0222cdd7f31232b5c99a5bf0daf19099e26e2ec29
    networkInterfaces:
    - network: global/networks/default
- type: compute.v1.disk
  name: disk-4-data
  properties:
    sizeGb: 10
    zone: us-east1-c
    diskEncryptionKey:
      sha_256: 68b4caecf5d5130426a8b8f0222cdd7f31232b5c99a5bf0daf19099e26e2ec29
Positive test num. 3 - yaml file
resources:
- name: vm-template3
  type: compute.v1.instance
  properties:
    zone: us-central1-a
    machineType: zones/us-central1-a/machineTypes/n1-standard-1
    disks:
    - deviceName: boot
      type: PERSISTENT
      boot: true
      autoDelete: true
      initializeParams:
        sourceImage: projects/debian-cloud/global/images/family/debian-9
      diskEncryptionKey:
        sha_256: 68b4caecf5d5130426a8b8f0222cdd7f31232b5c99a5bf0daf19099e26e2ec29
        rawKey: ""
    networkInterfaces:
    - network: global/networks/default
- type: compute.v1.disk
  name: disk-5-data
  properties:
    sizeGb: 10
    zone: us-east1-c
    diskEncryptionKey:
      sha_256: 68b4caecf5d5130426a8b8f0222cdd7f31232b5c99a5bf0daf19099e26e2ec29
      rawKey: ""

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
resources:
- name: vm-template4
  type: compute.v1.instance
  properties:
    zone: us-central1-a
    machineType: zones/us-central1-a/machineTypes/n1-standard-1
    disks:
    - deviceName: boot
      type: PERSISTENT
      boot: true
      autoDelete: true
      initializeParams:
        sourceImage: projects/debian-cloud/global/images/family/debian-9
      diskEncryptionKey:
        sha_256: 68b4caecf5d5130426a8b8f0222cdd7f31232b5c99a5bf0daf19099e26e2ec29
        rawKey: SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0=
    networkInterfaces:
    - network: global/networks/default
- type: compute.v1.disk
  name: disk-1-data
  properties:
    sizeGb: 10
    zone: us-east1-c
    diskEncryptionKey:
      sha_256: 68b4caecf5d5130426a8b8f0222cdd7f31232b5c99a5bf0daf19099e26e2ec29
      rawKey: SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0=
Negative test num. 2 - yaml file
resources:
- name: vm-template5
  type: compute.v1.instance
  properties:
    zone: us-central1-a
    machineType: zones/us-central1-a/machineTypes/n1-standard-1
    disks:
    - deviceName: boot
      type: PERSISTENT
      boot: true
      autoDelete: true
      initializeParams:
        sourceImage: projects/debian-cloud/global/images/family/debian-9
      diskEncryptionKey:
        sha_256: 68b4caecf5d5130426a8b8f0222cdd7f31232b5c99a5bf0daf19099e26e2ec29
        kmsKeyName: disk-crypto-key
    networkInterfaces:
    - network: global/networks/default
- type: compute.v1.disk
  name: disk-2-data
  properties:
    sizeGb: 10
    zone: us-east1-c
    diskEncryptionKey:
      sha_256: 68b4caecf5d5130426a8b8f0222cdd7f31232b5c99a5bf0daf19099e26e2ec29
      kmsKeyName: disk-crypto-key
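The following Python checker is an added example, not the KICS query itself (which is written in Rego) and not code from the page. It re-implements the rule from the description over a parsed Deployment Manager config and runs it against constructed dict versions of the five samples above. Lines tagged FAIL correspond to what the query reports; lines tagged WARN are two extra hygiene checks that go beyond the query (a 'rawKey' that does not decode to 32 bytes, and a 'kmsKeyName' that is not a full Cloud KMS resource name, which is an assumption about what the Compute API accepts). The 'load_config' helper and the use of PyYAML are assumptions for scanning real files; the embedded samples do not need it.

```python
"""Added example: stand-alone re-implementation of the Disk Encryption Disabled check."""
import base64
from typing import Any, Dict, List, Optional
import re

# Assumption: documented Cloud KMS key resource-name layout.
KMS_KEY_NAME_RE = re.compile(
    r"^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$"
)
CSEK_KEY_BYTES = 32  # a CSEK rawKey is a base64-encoded 256-bit key


def check_disk_key(label: str, key: Optional[Dict[str, Any]]) -> List[str]:
    """Findings for one disk. FAIL lines mirror the query; WARN lines are extra checks."""
    if not isinstance(key, dict):
        return [f"FAIL {label}: diskEncryptionKey not defined (Google-managed key only)"]
    raw = key.get("rawKey")
    kms = key.get("kmsKeyName")
    if not raw and not kms:
        # Only sha_256 (or an empty rawKey): a digest identifies a key, it does not supply one.
        return [f"FAIL {label}: diskEncryptionKey has neither rawKey nor kmsKeyName"]
    findings: List[str] = []
    if raw:
        try:
            decoded = base64.b64decode(raw, validate=True)
        except (ValueError, TypeError):
            decoded = b""
        if len(decoded) != CSEK_KEY_BYTES:
            findings.append(f"WARN {label}: rawKey is not a base64 {CSEK_KEY_BYTES}-byte key")
    if kms and not KMS_KEY_NAME_RE.match(str(kms)):
        findings.append(f"WARN {label}: kmsKeyName is not a full Cloud KMS resource name")
    return findings


def scan_config(config: Dict[str, Any]) -> List[str]:
    """Walk every compute.v1.instance disk and every compute.v1.disk in a DM config."""
    findings: List[str] = []
    for res in config.get("resources") or []:
        rtype = res.get("type", "")
        name = res.get("name", "<unnamed>")
        props = res.get("properties") or {}
        if rtype == "compute.v1.instance":
            for i, disk in enumerate(props.get("disks") or []):
                findings += check_disk_key(f"{name}.disks[{i}]", disk.get("diskEncryptionKey"))
        elif rtype == "compute.v1.disk":
            findings += check_disk_key(name, props.get("diskEncryptionKey"))
    return findings


def query_fails(config: Dict[str, Any]) -> bool:
    """True when the query itself (FAIL lines) would report this config."""
    return any(f.startswith("FAIL") for f in scan_config(config))


def load_config(text: str) -> Dict[str, Any]:
    """Parse a Deployment Manager YAML file (assumes PyYAML is installed)."""
    import yaml
    return yaml.safe_load(text)


# Constructed inputs: dict forms of the page's five samples, reduced to the fields the check reads.
def _instance(name: str, key: Optional[Dict[str, Any]]) -> Dict[str, Any]:
    disk: Dict[str, Any] = {"deviceName": "boot", "type": "PERSISTENT", "boot": True,
                            "initializeParams": {"sourceImage": "projects/debian-cloud/global/images/family/debian-9"}}
    if key is not None:
        disk["diskEncryptionKey"] = key
    return {"name": name, "type": "compute.v1.instance",
            "properties": {"zone": "us-central1-a", "disks": [disk]}}


def _disk(name: str, key: Optional[Dict[str, Any]]) -> Dict[str, Any]:
    props: Dict[str, Any] = {"sizeGb": 10, "zone": "us-east1-c"}
    if key is not None:
        props["diskEncryptionKey"] = key
    return {"name": name, "type": "compute.v1.disk", "properties": props}


SHA = "68b4caecf5d5130426a8b8f0222cdd7f31232b5c99a5bf0daf19099e26e2ec29"
RAW = "SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0="  # the 32-byte sample key from the page
SAMPLES: Dict[str, Dict[str, Any]] = {
    "positive1": {"resources": [_instance("vm-template", None), _disk("disk-3-data", None)]},
    "positive2": {"resources": [_instance("vm-template2", {"sha_256": SHA}), _disk("disk-4-data", {"sha_256": SHA})]},
    "positive3": {"resources": [_instance("vm-template3", {"sha_256": SHA, "rawKey": ""}),
                                _disk("disk-5-data", {"sha_256": SHA, "rawKey": ""})]},
    "negative1": {"resources": [_instance("vm-template4", {"sha_256": SHA, "rawKey": RAW}),
                                _disk("disk-1-data", {"sha_256": SHA, "rawKey": RAW})]},
    "negative2": {"resources": [_instance("vm-template5", {"sha_256": SHA, "kmsKeyName": "disk-crypto-key"}),
                                _disk("disk-2-data", {"sha_256": SHA, "kmsKeyName": "disk-crypto-key"})]},
}

if __name__ == "__main__":
    for label, cfg in SAMPLES.items():
        print(label, "FAILS" if query_fails(cfg) else "passes")
        for finding in scan_config(cfg):
            print("  ", finding)
```

Running it reports both disks in each of the three positive samples as FAIL, no findings for negative test 1, and no FAIL but two WARN lines for negative test 2, because 'disk-crypto-key' is not a full 'projects/.../cryptoKeys/...' name even though the query accepts it.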