Disk Encryption Disabled

  • Query id: 092bae86-6105-4802-99d2-99cd7e7431f3
  • Query name: Disk Encryption Disabled
  • Platform: Ansible
  • Severity: Medium
  • Category: Encryption
  • URL: Github

Description

VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
#this is a problematic code where the query should report a result(s)
- name: create a disk1
  google.cloud.gcp_compute_disk:
    name: test_object1
    size_gb: 50
    zone: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
- name: create a disk3
  google.cloud.gcp_compute_disk:
    name: test_object3
    size_gb: 50
    disk_encryption_key:
      raw_key:
    zone: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
- name: create a disk4
  google.cloud.gcp_compute_disk:
    name: test_object4
    size_gb: 50
    disk_encryption_key:
      raw_key: ""
    zone: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
Positive test num. 2 - yaml file
- name: create a disk3
  google.cloud.gcp_compute_disk:
    name: test_object3
    size_gb: 50
    disk_encryption_key:
      kms_key_name:
    zone: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
- name: create a disk4
  google.cloud.gcp_compute_disk:
    name: test_object4
    size_gb: 50
    disk_encryption_key:
      kms_key_name: ""
    zone: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
#this code is a correct code for which the query should not find any result
- name: create a disk
  google.cloud.gcp_compute_disk:
    name: test_object
    size_gb: 50
    disk_encryption_key:
      raw_key: SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0=
    zone: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: /tmp/auth.pem
    state: present
Negative test num. 2 - yaml file
#this code is a correct code for which the query should not find any result
- name: create a disk
  google.cloud.gcp_compute_disk:
    name: test_object
    size_gb: 50
    disk_encryption_key:
      kms_key_name: disk-crypto-key
    zone: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: /tmp/auth.pem
    state: present