Disk Encryption Disabled

  • Query id: fc040fb6-4c23-4c0d-b12a-39edac35debb
  • Query name: Disk Encryption Disabled
  • Platform: GoogleDeploymentManager
  • Severity: Medium
  • Category: Encryption
  • URL: Github

Description

VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'diskEncryptionKey' must be defined and its sub attributes 'rawKey' or 'kmsKeyName' must also be defined
Documentation

Code samples

Code samples with security vulnerabilities

Postitive test num. 1 - yaml file
resources:
- name: vm-template
  type: compute.v1.instance
  properties:
    zone: us-central1-a
    machineType: zones/us-central1-a/machineTypes/n1-standard-1
    disks:
    - deviceName: boot
      type: PERSISTENT
      boot: true
      autoDelete: true
      initializeParams:
        sourceImage: projects/debian-cloud/global/images/family/debian-9
    networkInterfaces:
    - network: global/networks/default
- type: compute.v1.disk
  name: disk-3-data
  properties:
    sizeGb: 10
    zone: us-east1-c
Postitive test num. 2 - yaml file
resources:
- name: vm-template2
  type: compute.v1.instance
  properties:
    zone: us-central1-a
    machineType: zones/us-central1-a/machineTypes/n1-standard-1
    disks:
    - deviceName: boot
      type: PERSISTENT
      boot: true
      autoDelete: true
      initializeParams:
        sourceImage: projects/debian-cloud/global/images/family/debian-9
      diskEncryptionKey:
        sha_256: 68b4caecf5d5130426a8b8f0222cdd7f31232b5c99a5bf0daf19099e26e2ec29
    networkInterfaces:
    - network: global/networks/default
- type: compute.v1.disk
  name: disk-4-data
  properties:
    sizeGb: 10
    zone: us-east1-c
    diskEncryptionKey:
      sha_256: 68b4caecf5d5130426a8b8f0222cdd7f31232b5c99a5bf0daf19099e26e2ec29
Postitive test num. 3 - yaml file
resources:
- name: vm-template3
  type: compute.v1.instance
  properties:
    zone: us-central1-a
    machineType: zones/us-central1-a/machineTypes/n1-standard-1
    disks:
    - deviceName: boot
      type: PERSISTENT
      boot: true
      autoDelete: true
      initializeParams:
        sourceImage: projects/debian-cloud/global/images/family/debian-9
      diskEncryptionKey:
        sha_256: 68b4caecf5d5130426a8b8f0222cdd7f31232b5c99a5bf0daf19099e26e2ec29
        rawKey: ""
    networkInterfaces:
    - network: global/networks/default
- type: compute.v1.disk
  name: disk-5-data
  properties:
    sizeGb: 10
    zone: us-east1-c
    diskEncryptionKey:
      sha_256: 68b4caecf5d5130426a8b8f0222cdd7f31232b5c99a5bf0daf19099e26e2ec29
      rawKey: ""

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
resources:
- name: vm-template4
  type: compute.v1.instance
  properties:
    zone: us-central1-a
    machineType: zones/us-central1-a/machineTypes/n1-standard-1
    disks:
    - deviceName: boot
      type: PERSISTENT
      boot: true
      autoDelete: true
      initializeParams:
        sourceImage: projects/debian-cloud/global/images/family/debian-9
      diskEncryptionKey:
        sha_256: 68b4caecf5d5130426a8b8f0222cdd7f31232b5c99a5bf0daf19099e26e2ec29
        rawKey: SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0=
    networkInterfaces:
    - network: global/networks/default
- type: compute.v1.disk
  name: disk-1-data
  properties:
    sizeGb: 10
    zone: us-east1-c
    diskEncryptionKey:
      sha_256: 68b4caecf5d5130426a8b8f0222cdd7f31232b5c99a5bf0daf19099e26e2ec29
      rawKey: SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0=
Negative test num. 2 - yaml file
resources:
- name: vm-template5
  type: compute.v1.instance
  properties:
    zone: us-central1-a
    machineType: zones/us-central1-a/machineTypes/n1-standard-1
    disks:
    - deviceName: boot
      type: PERSISTENT
      boot: true
      autoDelete: true
      initializeParams:
        sourceImage: projects/debian-cloud/global/images/family/debian-9
      diskEncryptionKey:
        sha_256: 68b4caecf5d5130426a8b8f0222cdd7f31232b5c99a5bf0daf19099e26e2ec29
        kmsKeyName: disk-crypto-key
    networkInterfaces:
    - network: global/networks/default
- type: compute.v1.disk
  name: disk-2-data
  properties:
    sizeGb: 10
    zone: us-east1-c
    diskEncryptionKey:
      sha_256: 68b4caecf5d5130426a8b8f0222cdd7f31232b5c99a5bf0daf19099e26e2ec29
      kmsKeyName: disk-crypto-key