Disk Encryption Disabled

  • Query id: b1d51728-7270-4991-ac2f-fc26e2695b38
  • Query name: Disk Encryption Disabled
  • Platform: Terraform
  • Severity: Medium
  • Category: Encryption
  • CWE: 311
  • URL: Github

Description

VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "google_compute_disk" "positive1" {
  name  = "test-disk"
  type  = "pd-ssd"
  zone  = "us-central1-a"
  image = "debian-9-stretch-v20200805"
  labels = {
    environment = "dev"
  }
  physical_block_size_bytes = 4096
}

resource "google_compute_disk" "positive2" {
  name  = "test-disk"
  type  = "pd-ssd"
  zone  = "us-central1-a"
  image = "debian-9-stretch-v20200805"
  labels = {
    environment = "dev"
  }
  physical_block_size_bytes = 4096

  disk_encryption_key {
    sha256 = "A"
  }
}
Positive test num. 2 - tf file
resource "google_compute_disk" "positive3" {
  name  = "test-disk"
  type  = "pd-ssd"
  zone  = "us-central1-a"
  image = "debian-9-stretch-v20200805"
  labels = {
    environment = "dev"
  }
  physical_block_size_bytes = 4096

  disk_encryption_key {
      raw_key = ""
      sha256 = "A"
  }
}
Positive test num. 3 - tf file
resource "google_compute_disk" "positive4" {
  name  = "test-disk"
  type  = "pd-ssd"
  zone  = "us-central1-a"
  image = "debian-9-stretch-v20200805"
  labels = {
    environment = "dev"
  }
  physical_block_size_bytes = 4096

  disk_encryption_key {
    kms_key_self_link = ""
    sha256 = "A"
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "google_compute_disk" "negative1" {
  name  = "test-disk"
  type  = "pd-ssd"
  zone  = "us-central1-a"
  image = "debian-9-stretch-v20200805"
  labels = {
    environment = "dev"
  }
  physical_block_size_bytes = 4096

  disk_encryption_key {
      raw_key = "SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0="
      sha256 = "A"
  }
}
Negative test num. 2 - tf file
resource "google_compute_disk" "negative1" {
  name  = "test-disk"
  type  = "pd-ssd"
  zone  = "us-central1-a"
  image = "debian-9-stretch-v20200805"
  labels = {
    environment = "dev"
  }
  physical_block_size_bytes = 4096

  disk_encryption_key {
      kms_key_self_link = "disk-crypto-key"
      sha256 = "A"
  }
}