GCP VM Disks Not Encrypted With Customer-Supplied Encryption Keys (CSEK)

This policy identifies VM disks which are not encrypted with Customer-Supplied Encryption Keys (CSEK). If you provide your own encryption keys, Compute Engine uses your key to protect the Google-generated keys used to encrypt and decrypt your data. It is recommended to use VM disks encrypted with CSEK for business-critical VM instances.

Policy Details

Policy Subtype
Run, Build
Severity
Low
Template Type
Terraform

Build Rules

GCP VM disks not encrypted with Customer-Supplied Encryption Keys (CSEK).
JSON Query:
$.resource[*].google_compute_disk exists and $.resource[*].google_compute_disk.*.[*].*.disk_encryption_key does not exist
Recommendation:
Recommended solution to ensure that VM disks are encrypted with Customer-Supplied Encryption Keys (CSEK).
Ensure that GCP VM disks are encrypted with Customer-Supplied Encryption Keys (CSEK). In the template, make sure that each google_compute_disk resource carries a "disk_encryption_key" block that holds the key: "raw_key" (a 256-bit key, RFC 4648 base64 encoded) or "rsa_encrypted_key" (the same key wrapped with Google's public certificate). It is a block, not a boolean flag. Note that the query only checks that the block exists; a block that contains only "kms_key_self_link" also passes, but that is a customer-managed key in Cloud KMS (CMEK), not CSEK.
For example:
"google_compute_disk": [ { "<compute_disk_name>": [ { "image": "debian-8-jessie-v20170523", "labels": [ { "environment": "dev" } ], "name": "test-disk", "disk_encryption_key": [ { "raw_key": "<base64-encoded 256-bit key>" } ] } ] } ]

Run Rule Recommendation

The encryption of an existing disk cannot be changed in place. To fix this alert, create a new VM disk with Encryption set to Customer-supplied, migrate all required data from the reported VM disk to the newly created disk, and then delete the reported VM disk.
  1. Log in to the GCP Console.
  2. Go to Compute Engine.
  3. Go to Disks.
  4. Click Create a disk.
  5. Specify the other disk parameters as you desire.
  6. Set Encryption to Customer-supplied key.
  7. Provide the key in the box: a 256-bit key, base64 encoded.
  8. Select Wrapped key only if the key you pasted was first wrapped (RSA-encrypted) with Google's public certificate rather than pasted raw.
  9. Click Create.
Google does not store a customer-supplied key. You must present the same key for every later operation on the disk (attaching it to an instance, snapshotting it, building an image from it), and a lost key makes the data on the disk unrecoverable. Store the key in a secrets manager before creating the disk, and stop or quiesce the instance before copying data so that the copy is consistent.
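The following Terraform configuration is an added example, not code from this policy page or from Prisma Cloud. It serves both the Build Rule above (a google_compute_disk declared without a disk_encryption_key block beside one that has it) and the Run Rule steps just listed (snapshot the reported disk, recreate it with CSEK, attach the replacement). The zone us-central1-a, the disk name test-disk, the instance name app-vm, the image family debian-11, and the variable name csek_raw_key are assumptions; the reported disk is shown as a managed resource so the flagged form is visible, and a disk created outside Terraform would instead be imported.

```hcl
# Added example: CSEK for google_compute_disk, build-rule fix and run-rule
# migration in one configuration. Not code from the policy page.
# Assumptions: hashicorp/google provider configured for the project,
# zone us-central1-a, reported disk "test-disk", instance "app-vm",
# variable name csek_raw_key, image family debian-11.

# Generate the key outside Terraform (for example: openssl rand -base64 32),
# keep it in a secrets manager, and pass it in with TF_VAR_csek_raw_key.
# Google never stores it; every later snapshot, image or attach needs it.
variable "csek_raw_key" {
  description = "256-bit CSEK, RFC 4648 base64 (32 bytes encode to 44 characters)"
  type        = string
  sensitive   = true

  validation {
    # 32 raw bytes always base64-encode to 43 symbols plus one '=' pad.
    condition     = can(regex("^[A-Za-z0-9+/]{43}=$", var.csek_raw_key))
    error_message = "csek_raw_key must be the base64 encoding of exactly 32 bytes."
  }
}

# Build rule, flagged form: no disk_encryption_key block, so Compute Engine
# uses a Google-managed key. This is how the reported disk was declared.
resource "google_compute_disk" "reported" {
  name  = "test-disk"
  zone  = "us-central1-a"
  image = "debian-cloud/debian-11"
  type  = "pd-balanced"
  size  = 10
  labels = {
    environment = "dev"
  }
}

# Run rule: encryption cannot be changed in place, so snapshot the reported
# disk first. Stop the instance, or freeze the filesystem, before apply so
# that the snapshot is consistent.
resource "google_compute_snapshot" "migration" {
  name        = "test-disk-migration"
  source_disk = google_compute_disk.reported.self_link
  zone        = "us-central1-a"
}

# Build rule, compliant form, and the run rule's replacement disk: the
# disk_encryption_key block makes Compute Engine wrap its data key with the
# customer-supplied key. A block holding only kms_key_self_link would also
# satisfy the JSON query, but that is CMEK, not CSEK.
resource "google_compute_disk" "csek" {
  name     = "test-disk-csek"
  zone     = "us-central1-a"
  snapshot = google_compute_snapshot.migration.self_link
  type     = "pd-balanced"
  size     = 10
  labels = {
    environment = "dev"
  }

  disk_encryption_key {
    raw_key = var.csek_raw_key
  }
}

# Attaching a CSEK disk means presenting the key again. The boot disk gets
# the same treatment; the policy's query does not see it because it is not
# a google_compute_disk resource, but it holds the OS and its logs.
resource "google_compute_instance" "app" {
  name         = "app-vm"
  zone         = "us-central1-a"
  machine_type = "e2-small"

  boot_disk {
    disk_encryption_key_raw = var.csek_raw_key
    initialize_params {
      image = "debian-cloud/debian-11"
    }
  }

  network_interface {
    network = "default"
  }

  attached_disk {
    source                  = google_compute_disk.csek.self_link
    disk_encryption_key_raw = var.csek_raw_key
  }
}
```

Two cautions. First, raw_key and disk_encryption_key_raw are written to the Terraform state in plaintext even though the variable is marked sensitive, so the state backend must be treated as a secret (encrypted bucket, restricted access); the alternative is rsa_encrypted_key, the Console's "Wrapped key" option, which needs the key wrapped with Google's public certificate before it is handed to Terraform and leaves only the wrapped form in state. Second, once the data on test-disk-csek has been verified, remove google_compute_disk.reported and google_compute_snapshot.migration from the configuration and apply again; that deletes the reported disk and completes the run-rule remediation.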

Compliance

There are 4 standards that are applicable to this policy:
  • ISO 27001:2013
  • CIS v1.0.0 (GCP)
  • PIPEDA
  • CCPA 2018
