GCP VM Disks Not Encrypted With Customer-Supplied Encryption Keys (CSEK)
This policy identifies VM disks which are not encrypted with Customer-Supplied Encryption Keys (CSEK). If you provide your own encryption keys, Compute Engine uses your key to protect the Google-generated keys used to encrypt and decrypt your data. It is recommended to use VM disks encrypted with CSEK for business-critical VM instances.
Currently, the encryption of an existing disk cannot be updated. To fix this alert, create a new VM disk with Encryption set to Customer supplied, migrate all required data from the reported VM disk to the newly created disk, and delete the reported VM disk.
Log in to the GCP Portal.
Go to Compute Engine.
Go to Disks.
Click on Create a disk.
Specify other disk parameters as you desire.
Set Encryption to Customer-supplied key.
Provide the Key in the box.
Select Wrapped key.
Click on Create.
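To see which disks still need this treatment, and to confirm afterwards that a replacement disk is CSEK-protected, the check below classifies disks from the JSON printed by `gcloud compute disks list --format=json`. It is an added example, not part of the original policy text: the sample records are constructed, and treating Cloud KMS (CMEK) disks as findings is an assumption drawn from the policy title.

```python
import json

# Constructed sample, shaped like `gcloud compute disks list --format=json`.
SAMPLE = json.loads("""[
 {"name": "db-data", "zone": "projects/example/zones/us-central1-a",
  "diskEncryptionKey": {"sha256": "PLACEHOLDER-HASH="}, "users": ["instances/db-1"]},
 {"name": "app-data", "zone": "projects/example/zones/us-central1-a",
  "diskEncryptionKey": {"kmsKeyName": "projects/example/locations/global/keyRings/r/cryptoKeys/k"},
  "users": ["instances/app-1"]},
 {"name": "web-boot", "zone": "projects/example/zones/us-central1-b",
  "users": ["instances/web-1"]},
 {"name": "scratch", "zone": "projects/example/zones/us-central1-b"}
]""")


def encryption_mode(disk):
    """Classify a disk by the key material recorded on the disk resource."""
    key = disk.get("diskEncryptionKey") or {}
    if key.get("sha256"):       # hash of a customer-supplied key
        return "CSEK"
    if key.get("kmsKeyName"):   # Cloud KMS key (customer-managed, not CSEK)
        return "CMEK"
    return "GOOGLE_MANAGED"     # default encryption, no customer key


def non_csek_disks(disks):
    """Return a finding for every disk that is not CSEK-encrypted."""
    findings = []
    for disk in disks:
        mode = encryption_mode(disk)
        if mode == "CSEK":
            continue
        findings.append({
            "name": disk["name"],
            "zone": disk.get("zone", "").rsplit("/", 1)[-1],
            "mode": mode,
            # Attached disks need data migration before the old disk is deleted.
            "attached": bool(disk.get("users")),
        })
    return findings


if __name__ == "__main__":
    for f in non_csek_disks(SAMPLE):
        state = "attached" if f["attached"] else "unattached"
        print(f"{f['zone']}/{f['name']}: {f['mode']} ({state})")
```
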
There are 4 standards that are applicable to this policy: