GCP Kubernetes Cluster Application-layer Secrets Not Encrypted

Application-layer Secrets Encryption provides an additional layer of security for sensitive data, such as Secrets, stored in etcd. With this feature, a key that you manage in Cloud KMS is used to encrypt data at the application layer. This protects against attackers who gain access to an offline copy of etcd. This policy checks your cluster for the Application-layer Secrets Encryption security feature and alerts if it is not enabled.

Policy Details

Policy Subtype
Run, Build
Template Type

Build Rules

GCP Kubernetes cluster Application-layer Secrets not encrypted.
JSON Query:
$.resource[*].google_container_cluster exists and ($.resource[*].google_container_cluster[*].*[*].database_encryption anyNull or $.resource[*].google_container_cluster[*].*[*].database_encryption[*].state any equal DECRYPTED)
Recommended solution to ensure that Application-layer Secrets are encrypted for GCP Kubernetes cluster.
Ensure that GCP Kubernetes cluster Application-layer Secrets are encrypted. Make sure that the template has a "database_encryption" attribute and that its "state" is set to "ENCRYPTED".
For example:
"database_encryption": [
  {
    "key_name": "projects/redlock-dev-playgroud/locations/us-central1/keyRings/prb-keyring/cryptoKeys/prb-key-kub",
    "state": "ENCRYPTED"
  }
]
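The JSON query above, re-expressed as a small Python checker so the two failing conditions (attribute absent, or state DECRYPTED) can be seen against sample input. This is an added example, not Prisma Cloud's own rule evaluator; it assumes the Terraform template is in the list-of-maps JSON shape the query walks (resource[*] -> {"google_container_cluster": [ {name: [ body, ... ]} ]}), and the sample template, project, key ring and key names are constructed placeholders.

```python
"""Hypothetical re-implementation of the Build Rule query for
google_container_cluster.database_encryption (example, not Prisma Cloud code)."""
import json
from typing import Dict, List, Tuple


def cluster_bodies(template: Dict) -> List[Tuple[str, Dict]]:
    """Return (resource_name, body) for every google_container_cluster block,
    following the path $.resource[*].google_container_cluster[*].*[*]."""
    out = []
    for res in template.get("resource", []):
        for named in res.get("google_container_cluster", []):
            for name, bodies in named.items():
                for body in bodies:
                    out.append((name, body))
    return out


def unencrypted_clusters(template: Dict) -> List[str]:
    """Names of clusters the rule would flag: database_encryption missing
    ("anyNull" in the query) or any block with state == DECRYPTED.
    The page's rule fires once per template; this returns each offender."""
    flagged = []
    for name, body in cluster_bodies(template):
        enc = body.get("database_encryption")
        if not enc:  # attribute absent (or empty): secrets are not CMEK-encrypted
            flagged.append(name)
            continue
        if any(block.get("state") == "DECRYPTED" for block in enc):
            flagged.append(name)
    return flagged


# Constructed sample template: one cluster without the attribute, one with
# encryption explicitly off, one correctly configured with a KMS key.
SAMPLE = json.loads("""
{"resource": [
  {"google_container_cluster": [
    {"no_cmek": [{"name": "a", "location": "us-central1"}]},
    {"explicit_off": [{"name": "b",
       "database_encryption": [{"state": "DECRYPTED", "key_name": ""}]}]},
    {"cmek": [{"name": "c", "database_encryption": [{"state": "ENCRYPTED",
       "key_name": "projects/EXAMPLE_PROJECT/locations/us-central1/keyRings/EXAMPLE_RING/cryptoKeys/EXAMPLE_KEY"}]}]}
  ]}
]}
""")

if __name__ == "__main__":
    print(unencrypted_clusters(SAMPLE))  # ['no_cmek', 'explicit_off']
```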

Run Rule Recommendation

At this time, you cannot enable Application-layer Secrets Encryption for an existing cluster.
Creating a new cluster with Application-layer Secrets Encryption.
  1. Go to the Kubernetes clusters page in the GCP Console and select CREATE CLUSTER.
  2. Click Advanced options.
  3. Check Enable Application-layer Secrets Encryption.
  4. Select a customer-managed key from the drop-down menu, or create a new KMS key.
  5. When finished configuring options for the cluster, click Create.


There are 2 standards that are applicable to this policy:
  • CCPA 2018
