GCP Kubernetes Cluster Application-layer Secrets Not Encrypted
Application-layer Secrets Encryption provides an additional layer of security for sensitive data, such as Secrets, stored in etcd. Using this functionality, you can use a key, that you manage in Cloud KMS, to encrypt data at the application layer. This protects against attackers who gain access to an offline copy of etcd.
This policy checks your cluster for the Application-layer Secrets Encryption security feature and alerts if it is not enabled.
GCP Kubernetes cluster Application-layer Secrets not encrypted.
$.resource[*].google_container_cluster exists and ($.resource[*].google_container_cluster[*].*[*].database_encryption anyNull or $.resource[*].google_container_cluster[*].*[*].database_encryption[*].state any equal DECRYPTED)
Recommended solution to ensure that Application-layer Secrets not encrypted for GCP Kubernetes cluster.
Ensure that GCP Kubernetes cluster Application-layer Secrets are encrypted. Please make sure that the template have "database_encryption" attribute and its "state" is set to "ENCRYPTED".