A GCP persistent disk is encrypted with a key specified in plain text

  • GG_ID: GG_IAC_0018
  • Severity: CRITICAL
  • Complexity: LOW
  • Categories: DATA, SECRET
  • Providers: Google Cloud Provider
  • Potential data exposure: True
  • Visible in logs: True
  • User interaction required: False
  • Privileges required: True

Description

The value of a sensitive environment variable (the encryption key) is defined in plain text. It will be stored as plain text both in the raw state and in the code repository.

Impact

The data stored on the persistent disk could be accessed and decrypted by a malicious actor with access to the repository or the raw state.

Remediation guidelines

The encryption key should be stored and accessed with a secret manager. The exposed encryption key should be rotated, and the content of the persistent disk should be re-encrypted with the newly generated encryption key.
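As an added illustration, not part of this policy page or GitGuardian's own code, the following Terraform fragment shows the pattern this policy flags on a `google_compute_disk`, beside two remediated forms: one that reads the raw key from Secret Manager instead of the repository, and one that avoids customer-supplied key material altogether by referencing a Cloud KMS key. Disk names, the secret name, the project and key paths, and the key value are placeholders.

```hcl
# Flagged pattern: customer-supplied encryption key written as a literal.
# The value lands in the repository and, as plain text, in the Terraform state.
resource "google_compute_disk" "flagged" {
  name = "data-disk-flagged"
  zone = "us-central1-a"
  size = 100

  disk_encryption_key {
    # placeholder base64 key; any literal here is what the policy reports
    raw_key = "SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0="
  }
}

# Remediation 1: keep the key out of the code by reading it from Secret Manager.
# Caveat: Terraform still writes the resolved value into the state file, so the
# state backend must be encrypted and access-controlled; this removes the
# repository exposure only, and the previously committed key must still be rotated.
data "google_secret_manager_secret_version" "disk_key" {
  secret  = "disk-encryption-key" # placeholder secret name
  version = "latest"
}

resource "google_compute_disk" "from_secret_manager" {
  name = "data-disk-secret-manager"
  zone = "us-central1-a"
  size = 100

  disk_encryption_key {
    raw_key = data.google_secret_manager_secret_version.disk_key.secret_data
  }
}

# Remediation 2 (preferred): reference a Cloud KMS key instead of supplying key
# material. Only the key's resource path appears in code and state; the key
# material never leaves KMS, and rotation is performed on the KMS key itself.
resource "google_compute_disk" "with_kms" {
  name = "data-disk-kms"
  zone = "us-central1-a"
  size = 100

  disk_encryption_key {
    # placeholder key path
    kms_key_self_link = "projects/PROJECT_ID/locations/us-central1/keyRings/KEYRING/cryptoKeys/KEY"
  }
}
```

Because a persistent disk's encryption key cannot be swapped in place, moving from the flagged form to either remediated form means creating a new disk encrypted with the new key and copying the data over, which is the re-encryption step the guideline above describes.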

External documentation