Disk Encryption Disabled
- Query id: b1d51728-7270-4991-ac2f-fc26e2695b38
- Query name: Disk Encryption Disabled
- Platform: Terraform
- Severity: Medium
- Category: Encryption
- CWE: 311
- URL: Github
Description¶
VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
resource "google_compute_disk" "positive1" {
name = "test-disk"
type = "pd-ssd"
zone = "us-central1-a"
image = "debian-9-stretch-v20200805"
labels = {
environment = "dev"
}
physical_block_size_bytes = 4096
}
resource "google_compute_disk" "positive2" {
name = "test-disk"
type = "pd-ssd"
zone = "us-central1-a"
image = "debian-9-stretch-v20200805"
labels = {
environment = "dev"
}
physical_block_size_bytes = 4096
disk_encryption_key {
sha256 = "A"
}
}
Positive test num. 2 - tf file
resource "google_compute_disk" "positive3" {
name = "test-disk"
type = "pd-ssd"
zone = "us-central1-a"
image = "debian-9-stretch-v20200805"
labels = {
environment = "dev"
}
physical_block_size_bytes = 4096
disk_encryption_key {
raw_key = ""
sha256 = "A"
}
}
Positive test num. 3 - tf file
resource "google_compute_disk" "positive4" {
name = "test-disk"
type = "pd-ssd"
zone = "us-central1-a"
image = "debian-9-stretch-v20200805"
labels = {
environment = "dev"
}
physical_block_size_bytes = 4096
disk_encryption_key {
kms_key_self_link = ""
sha256 = "A"
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "google_compute_disk" "negative1" {
name = "test-disk"
type = "pd-ssd"
zone = "us-central1-a"
image = "debian-9-stretch-v20200805"
labels = {
environment = "dev"
}
physical_block_size_bytes = 4096
disk_encryption_key {
raw_key = "SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0="
sha256 = "A"
}
}
Negative test num. 2 - tf file
resource "google_compute_disk" "negative1" {
name = "test-disk"
type = "pd-ssd"
zone = "us-central1-a"
image = "debian-9-stretch-v20200805"
labels = {
environment = "dev"
}
physical_block_size_bytes = 4096
disk_encryption_key {
kms_key_self_link = "disk-crypto-key"
sha256 = "A"
}
}