A GCP persistent disk is encrypted with a key specified in plain text
- GG_ID: GG_IAC_0018
- Severity: CRITICAL
- Complexity: LOW
- Categories: DATA, SECRET
- Providers: Google Cloud Provider
- Potential data exposure: True
- Visible in logs: True
- User interaction required: False
- Privileges required: True
# Description

The value of a sensitive setting, the disk encryption key, is defined in plain text in the infrastructure code. It will be stored in plain text both in the raw Terraform state and in the code repository.
# Impact

The data stored on the persistent disk could be accessed and decrypted by a malicious actor with access to the repository or to the raw state.
# Remediation guidelines

The encryption key should be stored in, and read from, a secret manager rather than written into the code. The exposed encryption key should be treated as compromised: rotate it, and re-encrypt the content of the persistent disk with the newly generated key.
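The following is an added example, not part of this policy page or of GitGuardian's own scanner: a small check that flags a `google_compute_disk` whose `raw_key` is a string literal, run over two constructed Terraform snippets (the weak configuration and the remediated one that reads the key from Secret Manager). The resource and data-source attribute names are the Google provider's; the secret name and key value are constructed placeholders.

```python
import re

# Constructed sample of the insecure pattern: the key material is a literal in the code.
# The value is a dummy 32 zero bytes in base64, not a real key.
INSECURE_TF = '''
resource "google_compute_disk" "data" {
  name = "data-disk"
  zone = "us-central1-a"
  disk_encryption_key {
    raw_key = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
  }
}
'''

# Constructed remediated sample: the key is read from Secret Manager at plan time,
# so nothing secret lands in the repository. Note that the resolved value still
# ends up in the Terraform state, so the state backend must be access-restricted.
SECURE_TF = '''
data "google_secret_manager_secret_version" "disk_key" {
  secret = "pd-raw-key"
}

resource "google_compute_disk" "data" {
  name = "data-disk"
  zone = "us-central1-a"
  disk_encryption_key {
    raw_key = data.google_secret_manager_secret_version.disk_key.secret_data
  }
}
'''

# A raw_key assigned a double-quoted string; references such as data.* or var.*
# are not quoted in HCL and therefore do not match.
LITERAL_KEY = re.compile(r'^\s*raw_key\s*=\s*"([^"]*)"')


def find_plaintext_disk_keys(hcl: str) -> list[tuple[int, str]]:
    """Return (line_number, literal) for every raw_key set to a plain string literal."""
    findings = []
    for lineno, line in enumerate(hcl.splitlines(), start=1):
        m = LITERAL_KEY.match(line)
        # A quoted interpolation like "${var.key}" is a reference, not a literal.
        if m and "${" not in m.group(1):
            findings.append((lineno, m.group(1)))
    return findings


if __name__ == "__main__":
    for label, text in (("insecure", INSECURE_TF), ("secure", SECURE_TF)):
        print(label, find_plaintext_disk_keys(text))
```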