A GCP persistent disk is encrypted with a key specified in plain text

• GG_ID: GG_IAC_0018
• Severity: CRITICAL
• Complexity: LOW
• Categories: DATA, SECRET
• Providers: Google Cloud Provider
• Potential data exposure: True
• Visible in logs: True
• User interaction required: False
• Privileges required: True

Description

The value of a sensitive environment variable (encryption key) is defined in plaintext. It will be stored in the raw state as plain text, and in the code repository as well.

Impact

The data stored on the persistent disk could be accessed and decrypted by a malicious actor with access to the repository or the raw state.

Remediation guidelines

The encryption key should be stored and accessed with a secret manager. The exposed encryption key should be rotated, and the content of the persistent disk should be re-encrypted with the newly generated encryption key.

External documentation

• GCP Compute Disk
• About sensitive data in state