A GCP persistent disk is encrypted with a key specified in plain text
Severity | Exploitability | Providers | Categories |
---|---|---|---|
CRITICAL | HIGH | Google Cloud Provider | DATA, SECRET |
# Description
The value of a sensitive environment variable (the disk encryption key) is defined in plain text. It will be stored in plain text in the raw state, and in the code repository as well.
# Impact
Potential data exposure | Visible in logs | User interaction required | Privileges required |
---|---|---|---|
True | True | False | True |
The data stored on the persistent disk could be accessed and decrypted by a malicious actor with access to the repository or the raw state.
# Remediation guidelines
The encryption key should be stored and accessed with a secret manager. The exposed encryption key should be rotated, and the content of the persistent disk should be re-encrypted with the newly generated encryption key.
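The following is an added Terraform example, not part of the original rule page, that puts the weak configuration next to two remediated forms. It assumes the finding concerns a `google_compute_disk` resource declared in Terraform (the reference to "raw state" implies this), and the disk name, zone, secret name, key ring and crypto key names are constructed placeholders.

```hcl
# WEAK: the customer-supplied key is a literal in source control, and Terraform
# also writes it into the raw state file. Anyone who can read either can
# decrypt the disk. (Constructed placeholder, not a real key.)
resource "google_compute_disk" "weak" {
  name = "example-disk-weak"
  zone = "us-central1-a"
  size = 10
  type = "pd-standard"

  disk_encryption_key {
    raw_key = "REPLACE_WITH_BASE64_256BIT_KEY" # plaintext key material: flagged
  }
}

# REMEDIATION A: read the key from Secret Manager at plan/apply time, so the
# key never appears in the repository. Secret name is an assumption.
data "google_secret_manager_secret_version" "disk_key" {
  secret  = "pd-encryption-key"
  version = "latest"
}

resource "google_compute_disk" "from_secret_manager" {
  name = "example-disk-sm"
  zone = "us-central1-a"
  size = 10
  type = "pd-standard"

  disk_encryption_key {
    raw_key = data.google_secret_manager_secret_version.disk_key.secret_data
  }
}

# REMEDIATION B: customer-managed encryption key in Cloud KMS. No key material
# is ever present in code or state; Terraform only references the key resource.
data "google_project" "current" {}

resource "google_kms_key_ring" "disks" {
  name     = "disk-keys"
  location = "us-central1"
}

resource "google_kms_crypto_key" "disk" {
  name     = "pd-cmek"
  key_ring = google_kms_key_ring.disks.id
}

# The Compute Engine service agent must be allowed to use the key.
resource "google_kms_crypto_key_iam_member" "compute_agent" {
  crypto_key_id = google_kms_crypto_key.disk.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-${data.google_project.current.number}@compute-system.iam.gserviceaccount.com"
}

resource "google_compute_disk" "cmek" {
  name = "example-disk-cmek"
  zone = "us-central1-a"
  size = 10
  type = "pd-standard"

  disk_encryption_key {
    kms_key_self_link = google_kms_crypto_key.disk.id
  }

  depends_on = [google_kms_crypto_key_iam_member.compute_agent]
}
```

Remediation A removes the key from the repository, but a data source's result is still recorded in Terraform state, so the state backend must itself be access-controlled and encrypted at rest, and `terraform show` or `terraform state pull` output treated as sensitive. Remediation B is the stronger option when the page's concern is the raw state as well as the repository: the disk is encrypted with a KMS-managed key and the state only holds the key's resource name. In both cases the previously committed key is compromised and must be rotated, with the disk re-encrypted under the new key, as the guideline above states.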